Philippe Courtot is more than just Chairman and CEO of Qualys, Inc. He’s one of the pioneers of the IT industry. Philippe has repeatedly turned innovative companies into industry leaders while creating significant customer and investor value. Prior to Qualys, Philippe was the Chairman and CEO of Signio (acquired by VeriSign in 2000 for more than a $1 billion); President and CEO of Verity (a company he took public in November 1995); and CEO of cc:Mail (acquired by Lotus in 1991).

I had a chance recently to chat with Philippe and thought I might share that here:

Q. As a thought-leader for a long time on the Software as a Service industry, you must be pleased that many of your predictions have seen the light of day over the last couple of years?

PC: Since 1999, I have been advocating that the Software as a Service model (delivering complex enterprise software applications) will be very disruptive to the high-tech industry. This is so for a number of reasons: a) it reduces costs drastically for organisations, and, b) it flips the balance of power between the high-tech vendors and their customers. It is certainly always nice to be right, but what really matters is to try to continue anticipating what’s next and it is now very clear that the Web 2.0 evolution will drastically change the way we interact and do business.

Q. You’ve been recently quoted as saying that you believe Vista will be the last operating system that Microsoft develops. What prompts this belief?

PC: The simple facts are that we are clearly now, and quite quickly, moving from a desktop environment to a Webtop environment. With a very good secure browser that could do caching, windowing etc, and with AJAX technology, the only thing missing is a more ubiquitous and cheaper access to broadband wireless – and then we will be always on.

Furthermore technology like Google GEAR demonstrates disconnected usage. All of this is coming fast and Vista is around 60 million line of code which is obviously more than what we need for a Webtop.

Q. What are your predictions for SaaS in the next couple of years?

PC: The burst of the Internet Bubble in 2001 halted a lot of investment by the venture community. This explains why there are still only relatively few large SaaS companies at the moment despite the power of the model. Only the likes of Salesforce.com, Postini, NetSuite and Qualys could find the required capital to build the necessary infrastructure. Given the model, this is most critical but it also takes time and sizeable funds to build data-centres to a scale to leverage the Internet delivery model.

However, there is now a second wave coming, and we will see in the next couple of years a flurry of new companies and mergers between companies.

Also every “traditional”, (previously non-SaaS) established player is now touting their SaaS strategy. Interesting given they opposed these models initially but realise that to survive now, the must adopt such models themselves.

The old high-tech industry, like the mainframe industry did, is now consolidating, and only a handful of those companies will survive. Google is looking more and more everyday like the company Bill Gates was afraid would be the next technology leader supplanting Microsoft.

Q. QualysGuard has established itself as the world’s leading Vulnerability Assessment and Management solution. How tough was it in the early days to battle the likes of ISS, Retina, Foundstone and Nessus with not only being a new competitor but also coming from what was then a radically new way to deliver a solution to the client?

PC: Indeed it was very hard, but, the battle was not so much against the Foundstones and the like. Rather, it was against the engrained mentally at the time, that security should not be outsourced, and that security was all about securing the perimeter to protect the data which was kept inside.

Now we all know of course, that this mentally was quite primitive, especially at a time when the challenge is to open up the network so the data can better flow. Because of the increased business need of sharing data, the real security challenge in front of us is to protect the data at the “data level itself” and not at the perimeter. This is very difficult to do with the current computing infrastructure, but, much easier to do with SaaS solutions.

We were fortunate to find many early adopters who understood the value our model could bring. They helped us, and encouraged us to continue building our model, at a time when companies like Foundstone abandoned their On-demand solution for the “safer grounds of enterprise software”. Today, at a time when you need to secure your entire network and not just the perimeter and a few critical servers, the SaaS model is the only model that can achieve this cost effectively, and with the degree of scanning accuracy required.

We are now performing more than 150 million IP scans per year with more than 3,000 customers. 30 of the Forbes global 100 have deployed QualysGuard. Our largest single client that we provide the service for has 180 appliances in 52 countries, scanning over 500,000 IPs – all connecting back to the Qualys Secure Data Centre across the Internet.

Q. Did you find it funny or frustrating that organisations were adopting the likes of Salesforce.com with relatively little question about corporate security, yet Qualys was continually having to battle the question of company information being stored offsite? I assume that shows the difference between a business decision and one made by the IT Department?

PC: Not really. In fact Salesforce.com had to overcome the resistance of both IT and IT security people. It had IT people feeling threatened by the fact that there was no need for anymore to install and manage software. It had IT Security asking questions, and rightfully so, about the security of such a model. The normal human attitude is to resist something we do not understand but I always knew that it was just a question of time. We knew we had a better model and we knew that we had to be persistent and relentlessly continuing to make our application better. This would win new advocates.

Q. QualysGuard is seen as the industry benchmark now by most. Is that (from last question) still a battle for Qualys?

PC: We never looked at it as a battle except for being a battle against ourselves i.e;making sure that we understood what our customers wanted and to make sure we were delivering it.

Q. What’s the future hold for QualysGuard and what can existing and new clients expect?

PC: We still have a lot of work to do. On the Vulnerability Management side, our application has very high scanning accuracy (six sigma) and non-intrusiveness. It is as you know the easiest also to use and to deploy. We are working to provide better and more actionable reports.

Now that we have delivered our new Ajax based user interface, we have the ability to create a more powerful application and working with many of our customers, we are well on the way of achieving this. Our next frontier is to bring security and compliance together through our Policy Compliance solution at the end of the year. We are also working at delivering a Web Application certification service and a few other cool things. You’ll like what you see!

Since the talk with Philippe, it’s been interesting see a few stories like this one: http://www.softwareexpo.com.au/content/view/80/45/



  1. D says:

    Welcome to my model and solution for SME/SMB, digital signage and classroom/education etc! All I need now is my angel investors to fund the client builds, platform, glue, minimal kit and marketing/sales ;)

    The tech and architecture is in the bag, scalable as hell, secure and all mapped out! *grin*

  2. As PC mentioned, most good ideas were killed in 2000/2001 so the market is open!