Richard Seiersen, Chief Risk Technology Officer at Qualys, introduces the concept of a Risk Operations Center—a transformative shift from traditional threat-focused security operations to a model centered on managing business value and reducing risk at scale. In this episode, he explains how organizations can move beyond detection to strategic risk mitigation, automation, and board-level alignment.
In this episode, Sean Martin speaks with Richard Seiersen, Chief Risk Technology Officer at Qualys, about a new way to think about cybersecurity—one that puts value and business resilience at the center, not just threats.
Richard shares the thinking behind Qualys’ Risk Operations Center, a new approach that responds directly to a common pain point: organizations struggling to manage vast amounts of telemetry from dozens of security tools without clear direction on how to act. Instead of forcing companies to build and maintain massive internal platforms just to piece together asset, vulnerability, and threat data, Qualys is creating a system to operationalize risk as a real-time, measurable business function.
With a background that includes serving as Chief Risk Officer at a cyber insurance firm and co-authoring foundational books like How to Measure Anything in Cybersecurity Risk and The Metrics Manifesto, Richard frames the conversation in practical business terms. He emphasizes that success is not just about detecting threats, but about understanding where value exists in the business, and how to protect it efficiently.
From Security Operations to Risk Operations
While a traditional SOC focuses on attack surface and compromise detection, the Risk Operations Center is designed to understand, prioritize, and mitigate value at risk. Richard describes how this involves normalizing data across environments, connecting asset identities—including ephemeral and composite digital assets—and aligning technical activity to business impact.
The Risk Operations Center enables teams to think in terms of risk surface, not just threat surface, by giving security leaders visibility into what matters most—and the tools to act accordingly. And importantly, it does so without increasing headcount.
A CISO’s Role in the Business of Risk
Richard challenges security leaders to break away from purely tactical work and lean into business alignment. He argues that boards want CISOs who think strategically—who can talk about capital reserves, residual risk, and how mitigation and transfer can be measured against business outcomes. In his words, “A successful business is in the business of exposing more value to more people… security must understand and support that mission.”
This episode is packed with ideas worth listening to and sharing. What would your version of a Risk Operations Center look like?
Learn more about Qualys: https://itspm.ag/qualys-908446
Note: This story contains promotional content. Learn more.
Guest:
Rich Seiersen, Chief Risk Technology Officer, Qualys | https://www.linkedin.com/in/richardseiersen/
Resources
Learn more and catch more stories from Qualys: https://www.itspmagazine.com/directory/qualys
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
______________________
Keywords:
sean martin, richard seiersen, risk, cybersecurity, data, resilience, telemetry, automation, ciso, soc, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
This is what Happens When Security Stops Chasing Threats and Starts Managing Risk | A Brand Story with Rich Seiersen from Qualys | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] You've been busy. I have been, been busy. Yes. Tell us, uh, we're gonna get into all the fun stuff you're doing at Qualys and some, I'm a risk nerd, so this, this topic excites me.
You probably don't understand why I'm a risk nerd, but, uh, you need to get out more. That's, that's very true. Absolutely. So we're gonna nerd out on risk, but, um, you've, you've had a lot in your career that I think is important to touch on here. So maybe kind of a Hi, a brief history of some of the things you've worked on that led you to Qualys.
Sure.
Richard Seiersen: First of all, this is my second stint at Qualys, so I was here 20 years ago. I was a Midland engineer, as was Summed, who was, who was our CEO, right? I left Beco to become a serial recovering cso. He stayed at Qualys. Obviously. If I would've stayed, I would be CEO. Now everybody knows that. That's right. We just,
Sean Martin: that's
Richard Seiersen: a joke by the way.
Make
Sean Martin: that statement out.
Richard Seiersen: Yes. But, uh. So, uh, most recently I was a chief risk officer for a [00:01:00] cyber insurance company by the name of Resilience, still an advisor there. Um, prior to that, a variety of CSO gigs. Um, started out as an engineer building security solutions. Actually, my first security gig was building vulnerability management stuff and IDS stuff that's now getting off 25 plus years ago.
Right. Um, and along the way I happened to author or a couple books, actually, the first one I co-authored with Doug Hubbard. Called how to measure anything in cybersecurity risk, right? Despite the long gangly title and P green cover, it's become a very popular book. We didn't realize this, but we wrote the equivalent of Stairway to Heaven for risk management.
We did, you know, we didn't plan that. Um, but I'll just say on that, that book, it's the, the main curriculum for the Department of Defense CSO program here in the us. It's curriculum graduates, graduates, a lot of our
Sean Martin: universities too,
Richard Seiersen: Harvard, brown, Berkeley, several others. Um, it was required reading by the Society of Actuaries, exam Prep and, you know, actuaries [00:02:00] off, off the hook parties there.
Um, yeah. And so I wrote a, a second book, uh, called The Metrics Manifesto. Mm-hmm. Confronting Security Data. I'm in the process right now of writing a third book called the Risk Therapist's Handbook.
Sean Martin: That's, that's a, a mouthful and I'm sure lots of stuff inside. Yeah.
Richard Seiersen: So that's Ryan, more you want to know about me, but that's kind of background.
No, that, that's
Sean Martin: good. I think it, it paints a good picture for folks. Um, some of the things you've been up to, let's, um, let's just jump right in. So when, when we were, we had a quick call to kind of talk through some of the things we're gonna cover and you describe the risk operations center. Yes. And I was like, that sounds cool.
I like risk. Yeah. I like, I like the topic. I don't like taking on risk. But, um, just the idea that, that there's a program and a team coming together, looking at risk [00:03:00] presum in real time is exciting to me because I think organizations need to have that, that view. So tell us what, what's going on? This, this is the Qualys Yes.
Solution. Tell us more about it.
Richard Seiersen: Sure. So I suppose I'll, I'll make a couple of epiphanies of the obvious here on the Ritz Operations Center. So, um, we started as, as a company, you know, we've got 12,000, 13,000 customers. We've got a, a lot of the fortune level companies. And what we started observing and what we started hearing is requests was, look, we're bringing all this asset data in into our data warehouse.
Be it snowflake, you know, be it into Databricks or whatever it is. You know, you pick your poison. They're bringing in threat data. They're bringing in asset data, they're bringing in vulnerability data, full stack data, and it's so crushing, do it yourself work. It's incredibly expensive. You have to have pretty, uh, talented staff, right?
You're essentially building a software organization when your job actually is to do security. Right? Right. Not to say that that's not [00:04:00] security work, but it just, it becomes unsustainable for these companies. So we are observing them for the last decade doing this. They're asking for help, and lo and behold, we realized, gosh.
We're actually pretty good at that. You know, why don't we, uh, open up to, we already had some third party integrations. Why don't we open that up to whatever our customers need? Average customer has 70 different sorts of security sources. Why not bring that in? We're, we're really good at, we're already really good at rationalizing assets or normalizing assets.
We're already very good with the scoring thing. How do you sort normalize assets, rationalize scores so that together so that our customers can be more effective and more efficient at actually buying down that risk. Not just observing it, but actually taking remedial action. Taking mitigation action, or be able to say, Hey, if we take this action, would that plausibly be destructive?
Destructive so that we can actually be thoughtful as we go about. And make change the environment. So the risk and [00:05:00] Operation center is a concept of bringing in massive amounts of data, sewing it together. And I'm gonna tell you more about it, but I wanna stop there and let me give you a chance to react.
Yeah. My
Sean Martin: mind's going a million miles an hour here. So you described it just now leading with pulling in data. Yes. And I'm wondering is that the starting points. To what you're offering with the risk operations center, or is it we have a strategy and we know where we want to be, what do we need and what do we need to look at to achieve our strategy?
Or is it both directions or what, what, talk to me about how that engagement looks like.
Richard Seiersen: So I, again, going back I think to what I mentioned before is, you know, making an observation about. The challenges our customer and the broader industry was were having like, okay, you, they already have the, you need, you need this, you want this, you're [00:06:00] spending the big ones, multimillions of dollars.
And then when you have an employer, two or three or four leave or churn, all of a sudden, you know this, do it yourself. I call it death march, just to be, I suppose, dramatic and exciting, um, becomes, it's just not sustainable, right? And so they're asking for help. And then for us it became, it was a tactical driver.
Yeah. Well, it's just like there's this, there's this a need and we're, this is our business is to help our customers, obviously. But part of that too was this, and I'll, I'm be, you know, the industry calls it CRQI might have been responsible, but I don't know, not my favorite turn of phrase, but the reality is that, hey, look, we not only need to bring all this telemetry in, we need to be able to focus on those things that really matter to the business.
My term is supposed to. Asset. Asset, I suppose, is a proxy for value. Your, your digital assets are, they're both persisting and moving value, you know, through the business. Um, and so that became really important. And now, I guess [00:07:00] I'll just say this, going back again to the telemetry that we really see the need for a, a kind of a fungible data plane.
I don't mean to get overly nerdy from the audience, but. We realized that customers, they had, uh, sort of stream data, stream analytics necessary. We were already doing kaka stuff. A lot of people are, we were doing it at mass scale. We already had a petabyte scale data lake, so we were already doing OLTD and OLA online onli processing, um, time series, so for change and making forecasting.
We're already doing that. And then I'll add add graph in there too. Graph, like, not just for attack now, but understanding how, you know, how does identity, by the way, which we treat as an asset. Right, right. So by the way, I'll just say on assets, you know, this is maybe obvious to you, it may be obvious to a lot of listeners.
The only thing that modern assets really have in common is they're all nouns, right? They're all nouns. I I'll, and I'll add one more piece of sauce, that is another thing assets have in common is they typically have a start state and a last known stamp. So you have these two, two timestamps. [00:08:00] I know it's getting really nerdy, but it's important when you think about how you wanna persist data.
And so you're dealing with like, you know, e femoral assets that a modern asset can be more like an event, but it has a begin state and an end state in terms of change. It might, that change might be, it goes away, spins down, or it might, there might be some other change that state in terms of identities that are provisioned, who knows what.
So you need a a claim, or we call it data plane, that's able to accommodate all that. So again, when we think about the risk operations center, I think there is a necessity to have an expressive and powerful. Data plan allows you to accommodate what I'd call a rich concept of value. Again, our industry calls it asset, but it's really value because then you can start talking about how do I prioritize, right?
You know that, you know, let's say for example, an agent is, an agent is an asset, an agent workflow is an A asset ag workflow that's doing retrieval, augmented generation to a bunch of SaaS services. That's all an asset composed of [00:09:00] assets. Composed of assets, right? Then there's the identities that are associated with that.
Both, uh, machine oriented identities and the human identities. Yes, there's the committing of code, and then there's the third party, you know, Python libraries and all that stuff. You're getting into a large, large set of assets and then associated heuristic. So that's just an observation of reality, observing what the customers needed, and then just observing where the world is.
It became, it became absolutely incumbent upon us to be able to respond to that. We couldn't just sit there and say, okay, well. That seems complex. So hence the creation of the risk operations center. We can talk more about, uh, cyber risk quantification adds in there as well. Yeah, we'll get to that in a minute.
I wanna talk about, sorry that was a lot by the way. Sorry about that.
Sean Martin: I think it's, it's important to lay that, that that framework groundwork there, the, let's talk about this data plane because as you're describing, I'm trying to think of who's sitting in front of what or who's being. [00:10:00] Alerted or triggered to some change of state.
Yeah. That, that says something has to be done, a business decision has to be made, or we're about to hit the threshold of something, we, we have a chance to get ahead of it now if we do something right, um, the data plane in mind, and I don't, maybe I'm overcomplicating or oversimplifying or neither. Well, I
Richard Seiersen: already, I already,
Sean Martin: I already did that apparently.
So I think I'm gonna help you then. All right. So what. I guess I'm trying to figure out what, who's doing what, right. In this, in this world of, of risk operations center, I think people probably have a pretty good sense of the, the SOC analysts and the different levels and, and what they do. And they might write some code and they might do some hunting and they certainly responsible for response and perhaps even angled up in the recovery.
So what, what does that risk offer state operations center world look like in terms of roles and who's looking at what? Responding. Who's hunting? I dunno.
Richard Seiersen: [00:11:00] So there are, there are people who will make a distinction between a soc mm-hmm. And a risk operations center. I'm gonna go at your question starting there.
Okay. I perhaps even some people in my own company will do that. But a SOC is purely attack surface oranges. We have this $250 billion industry, whatever it's called, security. It's very attack surface oriented. Right. Um, so idea with a SOC is, hey, we're trying to find out if there's compromise. You can have compromise all day long.
If there's no value at risk of associated that compromise, it means nothing. So if there is, if there is value at risk with compromise, you have some sort of impact, but there's still more to the story. If you've transferred that risk with OID, either through insurance or capital reserves or otherwise, again, you can take that hit to the groin, that hit to the throat, and.
Punch the solar plex and still be able to deliver value to your stakeholders. Right? So that, so now you're getting into this area called risk service. Now I wanna make an, uh, okay. [00:12:00] I guess I'm gonna make an epiphany of the, obviously say it, a lot of obvious things. Bad guys are interested in treasure.
Mm-hmm. Bad guys are treasure hunters. Your CFO, your board, your CEO by the way, they are also interested in treasure. The bad guys love it that we in security practice are exclusively though focused on a tax service owner. We're not concerned with value at risk. We're not thinking enough about that. But that's what the bad guys, that's all they think about.
I mean, yes, you have some of the folks who just wanna do pay, I get that, but, you know, bad guys who have to still send their kids to college and pay rent, they're looking to make a living to fund their 401k whatnot. So, you know, they, they are interested in treasure as is your business. So there's this area called risk surface, which is just an observation of reality that you have to understand what the actual value of these assets.
Again, I've got a very fungible concept of asset. Now, given that data point, so the people who are, you'd say looking at it, you can still have your SOC responding to angry [00:13:00] packets. They're, some of 'em are flapping against your firewall. Some of 'em are leading to compromise. But the question then is who's ensuring that we are understand as the, you know, again.
This what? What is a successful business? Is it digitally and AI transforming business? But that business, successful business is in the business of exposing more value to more people, to more channels at Higher loc for the hopes of more revenue, more profits. I'll say it again, Ali even say it faster.
'cause it's fun to say that successful business is in the business of exposing more value to more people, to more challenge with her. Losses, the hopes of more revenue, more profits. So a successful business is rapidly changing, particularly now in light of ai. So your SOC people aren't involved in thinking about that at all.
They can respond again to the, you know, the time series, you know, change that's associated with threatening. But we have this broader context now that we want to be, we wanna be aware of. And what we are looking to do with the risk operations center, by the way, by and large, is not increase. The number of people have to be looking at that.
So to the extent possible, [00:14:00] we want to be able to eliminate as much of that risk surface as humanly possible. That includes, by the way, concepts of mitigation, remediation, mitigation, and transfer. I know that's a lot. Read my book. Read the book.
Sean Martin: How does. Risk meant you, you listed off the five things of a successful business.
I, I, it's the last one, so it stuck with me as well. But profits, I can easily see a connection of unmanaged risk or poorly managed risk taking a huge hit at profit. Um, what other, is that the main one that companies focus on? Or, and or do they can risk, impact some of the other things and do they think about
Richard Seiersen: that?
So this is getting into like. CISO boardroom kind of thing. But so again, bad guys would love nothing more than for CISOs and their teams to focus exclusively on attack surface. That means they're not focused on treasure. The inference is if you're good at co controlling your attack surface, you're good at protecting your treasure.
But you actually haven't done that [00:15:00] yet. Right. You've, you've done all the security things. We haven't looked at risk and, and I'm in a privileged position. I travel around the world and talk to CISOs and others about this all day long, and. It it is, it get it. This whole event is a tax. Get it? This whole I say thing is a
Sean Martin: tax service focused, right?
Are, are CISOs being trained and guided by things like this event to stay focused on a SM and well,
Richard Seiersen: I be, I believe your CEO, your board or your CFO wants the CISOs to be strategic and think about what matters to the business. Right? I mean your CFO and your CEO, they wake up and eat risk for breakfast.
They're thinking about m and a. They're thinking about losses. They're thinking about profitability. They're thinking about forecast. They're thinking about real business. They're, they eat real risk for breakfast all day long, so don't see, so don't think you're the only one that does that. It, it's far more complex, and the stakes are much higher.
What they're dealing with typically on a day in and day out basis, they really want you to think that way. They want you to be able to think [00:16:00] about lying down risk. Yes, with controls, they want you to think about transfer to insurance as an option. Your CFO would be surprised. We probably welcome you talking about the growth of residual risk and what that might mean on your capital reserves.
If you had risks that perhaps somehow exceeded your limit in insurance, now you may think, oh, I can never think about that. Your business wants you to think that way. They don't know how to tell you or ask me. One of my, it's my second publicly traded CISO gig. They said they wanted a strategic ciso. I said, I think I'm that.
But let me tell you, what would you see occurring that let you know I'm being strategic? You know what they said? Literally, this is like people on the board. Oh, we'd see you doing strategy. I. I said, well, alright, you know, what do you mean by that? Well, you'd be strategic. They, they knew they wanted something, something.
They wanted something. They just didn't know how to articulate it. But it's certainly what they're saying is, I don't want you, I mean, yes, patch the machines do that stuff. There's a bigger, it's 10 years ago, by the way. There's a bigger world out there, publicly traded company. We need you. Locking the elbows with the [00:17:00] gc, with the CFO and looking at the business and ensuring that we're resilient in the broader sense of resilient and plausible future loss.
I mean, we can, if we take a hit, we can still service our various stakeholders.
Sean Martin: Let me ask, this is the, by the way, you're gonna edit this stuff up, right? Make it all fancy. Oh, it's gonna be down, like down to two minutes. I, all this? Good. Good. No, we're giving, we're leaving it as it is my friend. Um, let me ask you this, the.
Is the goal of the risk operations Center to enable these conversations take place. And I know we're gonna ultimately kind of bridge the gap between the, the technical and the control based and that back to the leadership team, back to the business and board. But is, is, is one of the goals to.
Richard Seiersen: Conversations are good. Mm-hmm. We wanna have conversations. The goal is, so I'll say this, and this is gonna make a lot of you [00:18:00] hard and see sos and risk people vomit in your mouth. You are you ready? The goal is to eliminate business risk. Now, lemme tell you why people just right, act up some stuff. 'cause the word eliminate sounds very deterministic, right?
Mm-hmm. And risk the, the, the definition of risk hinges in part. On uncertainty, right? So risk is a state of uncertainty where some of the possibilities could lead to loss, catastrophe or some other undesirable outcome. That's a textbook. Well, I wrote that book, and that's a quote from it. But that is, that's the definition of, of risk.
And so then you have eliminate, eliminate. Actually, by the way, it's interesting, it's a Latin word. Um, L means al eliminate means limit out to a limit. So the idea actually, originally that word meant pushing something bad out to a limit. It's definitely not a, not a to zero. It's No, I've never meant that.
Yeah. We just, you know, we, we take good things and turn them into meaningless blather. So, but anyways, the idea is though, to push to, and to the extent possible, automate as much as this, as [00:19:00] humanly and computationally possible. So to be able to do automated patching, to do the, uh, mitigation maybe in terms of, uh, memory control, uh, dynamic configurations, things like that.
And or if there's gonna be a human in, in the middle, make that workflow as AI and whatnot. Make that as easy as possible for, there has to be a check or verifier to reduce the amount of effort to do that. To keep the, so, to keep the, the, the overarching risk system in check. Right?
Sean Martin: All right, so let me ask this thing.
Conversations are good. Action is better driven by information. Um. Where does what, what does success look like? 'cause I wanna talk metrics here a little bit as well. Um, who defines success? What does it look like and how do we know that we're running our risk operations center to actually,
Richard Seiersen: so, you know, eliminate so business.
That, [00:20:00] that's a great question. So what is success? People typically think something's a good decision if there's a good outcome. The reality is people make bad decisions, have great outcomes all day long. People drive home incredibly drunk and are successful, make it home. Oh, therefore that must have been a good decision.
But there's, there's all kinds of business examples just like that. Yep. Just series of awful, awful decisions that ended up being tremendously great outcomes. The question is are have you taken into consideration what the business actually stands to lose? And have you been both capitally operationally efficient in protecting them?
My argument is that's what a risk operations center really does. It's about balancing. It's balancing your need for accuracy and precision in terms of telemetry, really lots of telemetry. Trying to get certainty given data that's expensive, trying to get as much accuracy, precision, called relative certainty in buying down the risk that could be negatively impactful to business objectives.
I want to be able to say, okay, have we spent the appropriate amount of money on controls, on [00:21:00] transfer in the form of insurance and even capital reserve to ensure that if there was one or more concurrent, plausible, negative events, that we would still be able to fulfill our obligations to our multiple stakeholders?
And so that's what I want to understand. It was the plan effectively implemented. Now if you say, well, but we still got hacked. Well, that's going back to the idea. Well, I drove home. Drunken made it therefore, yeah. You know, or I didn't make it, therefore that was a bad decision. Right. So that's ultimately, how do we know it's successful?
Are you being both capitally and operationally efficient in protecting business objectives? Okay. And again, security people don't think this way 'cause there are focused on attack service only. Well, we need to focus on treasure.
Sean Martin: That's
Richard Seiersen: actually where I was gonna go. So who, who is
Sean Martin: driving? The need to have a risk operations sector.
Richard Seiersen: Well go. Going back to my original salvo is our customers, we're seeing them already do this. They're already And who
Sean Martin: in, who in the
Richard Seiersen: [00:22:00] organization.
Sean Martin: So is it typically, typically saying, we need, we need to have a different view of this, or we're running blind. Is it ciso? My next question, so you know, is if the CISO wants to have better control or strategic.
Over their own programs and the, the risk that they carry on their own shoulders, right? What can they, who, who do they talk to about this and, and who, who, who are the key stakeholders and who's driving
Richard Seiersen: things
Sean Martin: at the moment?
Richard Seiersen: A board member, unless they're a recovering c of themselves, would not, would never ask for a risk operation center.
They wouldn't know to ask that. Again, the ciso CFO and Board, they want the CISO to be more, I say more strategic. They don't know how to act like a example. Well just do more strategy. What's that look like being strategic, right? It's a circular conversation. What we're observing again is that we have double digit percentage of companies, typically the well-funded ones, who are, have these massive do it yourself projects where they're [00:23:00] bringing in all this data to try to do this.
And you might say, well, how do you know that I, I'm here doing two community workshops sold out. I'm, I'm dropping on the road. I have CISOs from Fortune 100 companies and others showing up to get training to learn this. They, they want this stuff. They're, they're recognizing the need for it. It's just very difficult, right?
So again, they're investing millions of dollars in data warehouse, data lakes, or data lake houses. Whatever cool kids are calling in these days, they're, they're hiring tons of staff to, to try to answer these questions. Where's my value at risk? How do I, what's the value of my inline versus my host base controls as a sign of very boring.
Sean Martin: No, that, that's the sign that we were being kicked out of this podcast. We here in a moment. But, um, we're very, we're bottom line, we're very customer driven. Yeah. No, and I, that's very obvious and very clear, but also, um, very thoughtful in how you [00:24:00] certainly look at it. And I'm sure they, they would say very thoughtful in how you engage with them on this topic.
And um, I feel like we just scratch the surface. Yeah. But, uh, so maybe. Maybe there's more, more chats ahead with you. Check again, I love nerding out on this and I, I asked my questions out of pure curiosity and hopefully, hopefully the nuggets came through and, and others are thinking, how do I manage my risk and am I doing it in a way that makes sense for my business?
So, and saving, saving some money perhaps of blowing it on huge data lakes.
Richard Seiersen: Well, they're doing it. Yeah. The empirical evidence is there. So
Sean Martin: Richard. Fantastic to see you, man. Thank you. Likewise. Thanks you so much for the chat, everybody. Uh, stay connected to Qualys. Pay attention to what they're doing with the Risk Operations Center that Richard grab some of his books while you're at it and uh, we'll save everybody on the next one.