Shaping the Future of Cyber Risk Management: QSC Evolves to ROCon

Over the last year, I’ve had the privilege of meeting with thousands of CIOs, CISOs, and security leaders across the globe. What I hear repeatedly is clear: managing cyber risk is more complex than ever, driven by the evolving digital, threat, and regulatory landscape. The number of vulnerabilities is exploding—last year alone, over 40,000 CVEs were published, a 39% increase. Yet fewer than 1% have weaponized exploit code. At the same time, attackers are weaponizing critical flaws in just 18.5 days on average, while the industry’s remediation time still sits above 30 days. That gap is where risk lives. And it’s more than just vulnerabilities: it’s exposures that include misconfigurations, missing security controls, identities, and data.
At Qualys, we’ve always built by listening to our customers’ challenges. It’s how we evolved from a cloud-based vulnerability management pioneer into a cyber risk management platform trusted by organizations worldwide. Our customers push us to think bigger, to move faster, and to keep innovating. They don’t want another dashboard—they want outcomes: reduced risk, operational efficiency, and security that’s aligned with business goals.
A New Paradigm: The Risk Operations Center
From those conversations, one theme has stood out: the need to operationalize risk. Not just find it. Not just visualize it. But bring people, processes, and platforms together in a way that measures cyber risk in business terms and drives real action.
That’s what the Risk Operations Center (ROC) is all about. It’s a framework for turning cyber risk into a language the board understands—dollars, impact, and ROI. And it’s a model for helping IT and security teams act with precision: eliminating the risks that matter most, much faster.

The truth is: everything we do in cybersecurity is about risk management. The ROC is not just for security. It connects CISOs, CIOs, CFOs, business unit leaders, and boards around a single view of risk—bridging priorities, aligning decisions, and creating accountability across the business.
From QSC to ROCon
For more than two decades, the Qualys Security Conference (QSC) has been our annual stage to bring customers and partners together with our team. Across global locations, QSC has served as a trusted space for networking, exchanging ideas, and exploring new innovations. But the momentum around the ROC has shown us the industry is ready for more. That’s why I’m excited to introduce ROCon—the Risk Operations Conference.
ROCon builds on QSC’s foundation but expands it into a broader industry event. The conference will still have the familiar elements that past attendees have come to love—like two days of free hands-on training, opportunities to mingle with Qualys leaders and meet product experts at the Q&A Bar, and, of course, the chance to challenge fellow attendees in the always-popular Risk Busters event. But it will also go further—bringing together security leaders, IT teams, executives, and partners who share the same mission: managing cyber risk as a business risk, not just a technical problem. Sessions will include technical topics that cover solutions to build the ROC, as well as topics covering the business and process aspects of risk management, like:
- Continuous Threat Exposure Management (CTEM)
- Agentic AI for Cyber Risk Management
- Risk Quantification
- Board Risk Reporting
- CFO Risk Communication
- Risk Remediation Beyond Patching
- Cyber Insurance
The Premier Event in Houston
We’ll begin this journey in Houston with the first-ever ROCon. It will be the place where the community comes together to chart the next phase of cyber risk management—sharing best practices, operational models, and innovations that move us beyond fragmented, tactical firefighting.
The time has come to replace whack-a-mole with true risk operations. ROCon will be the forum where we make that shift together.
I invite you to join us in Houston and help shape the future of cyber risk management.








