Sumedh: “The best products I think are the ones that really can understand the end goal of the customer and the ecosystem that they have and where this product can seamlessly fit in the ecosystem to make things much easier and simpler for them end to end.”    


Neelima: Hello, everyone! Welcome to another episode of ZeroToExit. This is Neelima and Ankur, your hosts. In today’s show, we are excited to have Sumedh Thakar, President and CEO of Qualys. Qualys is a cybersecurity company focused on cloud security and compliance. Sumedh  joined Qualys about two decades ago as a software engineer.

And over the years, he has been instrumental in growing and navigating the company through multiple transformations. In today’s show, we’ll talk to Sumedh about all things, products, How to get from product to platform? What to measure? How to prioritize? and more. Hi, Sumedh! Welcome to the show. 

Sumedh: Hi Neelima. Hi Ankur! Thanks for having me..

Ankur: Hi Sumedh. Good to have you.

Neelima: First of all, so many dark condolences on the passing up of Phillipe. He was a chairman and CEO of Qualys for many years. And we know he’s a giant in the security industry. You work with him for many, many years. What have you learned from him? 


Sumedh: Oh, how many hours do we have? (ALL OF THEM LAUGHS). You know, with Phillipe, obviously we are all really impacted with his passing away. For a long time he had been with the Qualys and really drove Qualys to where it is in many ways. And you can see on LinkedIn today, there’s hundreds of people , sending messages.

 I don’t think I’ve seen anything like that before and I think it’s really just a testament of the kind of a leader he was. And, he was a leader who did not call himself a leader. I think that’s how he, like, he never really said, okay, let me sit down and mentor you. Or like there was no management training for leadership courses at Qualys or anything like that. If I kind of have to summarize the three things that I really learned from Philippe is “Passion, conviction and, reflection and he really believed and, you know, that, great companies are built with passion and great leaders are passionate.

It’s not something that you can learn in an MBA course. It’s something that has to come from inside you. You have to have the passion for something to really believe in that. The second part of it was, yeah. He had this conviction about things like, whether it was ,some, what is right? What is wrong? What needs to be done? And his passion, combined with that conviction, he would really push to do things that he really believed in. And, he really believed that you should try to do everything that you can do.

Now when you have conviction (LAUGHS), sometimes you may be wrong. And that was the third part of it, which was just the reflection. So, you have a lot of people who will not admit that they were wrong, and Phillippe was very open to saying, “Oh, wow, I didn’t see that coming, or I shouldn’t have done that. And that really helped us, somebody who was looking up to him to understand that, you really take your passion, you have a conviction about the way you want to go. You move forward in their direction. And then if you make a mistake, you admit it and you correct it and you move forward. It was that simple. We all learned from Phillipe.

Neelima: I actually know of many people who have worked with them. So it looks like he had an amazing neck(3:30) with reaching out and working out with people. Any  takeaways on that side as well, Sumedh?


Sumedh: Yeah. You know, it goes back to that.If you have a passion for something, how do you take people along with you to that goal and, the maximum number of people you can touch and feel. It was very much like that he would reach out, talk to anybody when, if they were different,  a competitor, and that he didn’t believe in that, whatever the approach that they were taking or whatever it was, didn’t matter to him, he would have a conversation. And so I think that’s really how he was, he just came to be that person that everybody knew because Phillipe was up there talking to everybody, talking about what he really believed in. And, I think that’s really where I see so many people, he has had an impact on their lives.

And I think that’s what a lot of people, I think that success is like, how many people do you touch that they are inspired and do better because of you. And  Phillippe was really good at it.

Ankur: Yeah. Speaking of somebody who also speaks his mind, actually we lost not one giant, but two giants in the security industries, obviously in the recent past with the passing of John McAfee as well, both very outspoken about their perspective, obviously very different individuals that pay different people a lot of respect. You mentioned obviously a passion that a Phillipe had, obviously, one of his passions was  vulnerability management and that’s where you’ve spent the bulk of your career. That’s primarily where Qualys started and still does, for our audience who are not security focused, kind of, demystify vulnerability management.

Why is it so important? Why has it had what I call the Lindy effect where the technology survived for 20 years?  So give us a little perspective on the past, present and the future in that particular segment.


Sumedh: See vulnerability management is a very broad term, right? It’s really about risk and in the very conventional way, the vulnerability management is used in the  Industry. It’s about software vulnerabilities, right? So the idea is that you have a lot of software installed on your devices, and if that software has a bug that can be exploited by attackers, they can basically get to your system. and, that’s a risk that’s about what is the risk to your device.

And I really believe that the term vulnerability is a very broad term as it applies to cybersecurity, because it may not be a software bug that may cause an issue, it may be a misconfiguration of your system where you may not have a software that has a bug, but you, you left your C drive completely open for anybody to read and write and so while vulnerability management is just a very broad term for managing. Are the risks that you have in your environment, whether it’s an S3 bucket that is improperly configured or whatever it is. And if you look at security, it really comes down to two things; You want to do everything to mitigate your risk. So you want to do everything to stop the attackers from getting onto your systems and then you have the threat monitoring, So even if you do all of that, you are going to have something that can slip through for whatever reason. So you want to have that monitoring and broadly, I would say the industry, kind of, divides itself into a couple of those areas.

So if you see the EDR vendors and there are a lot of like on the market today, when it comes to CrowdStrike, Sentinel-1, Palo Alto, many others. And they really focus on, if somebody is in your box we’re going to detect and try to do something about it. And, generally we believe  that is required, but it is late if somebody is already in the box.

So, how do you do everything before that to ensure that you have  fixed and protected yourself from any risk that might be on your system. And that’s really where one vulnerability management plays a big role is trying to do everything to mitigate that risk, So it’s like, will wash your hands. [LAUGHS]

So, you know, or you can focus on taking antibiotics after you are infected. So, you should always try to do everything to protect yourself so you don’t get the infection in the first place. And then at the border, since that’s really where one vulnerability management fits.

Ankur: Yeah, good analogy. It’s more focused on the prevention side of things which is the role of the other vendors, especially in the EDR space, threat detection, after knowing the fact,I think, both are important, but  if you’re not taking care of the infections, like you said, I mean, you might have to get the surgery later on. You want to work at all.

Sumedh: And you know, you see all of that. So many of them have breaches. Most of them were, oh, we had an issue that was there for two years and we never patched it. Or we didn’t patch the system or we left an S3 bucket for credential. So went with the transformation to the cloud and all of that really comes down to the same basic mistakes that keep happening because of the manual process that happens in IT today. Right. And really, as an industry, we should really do everything we can do to minimize that and protect against that,first.

Ankur: The next question I had was, obviously, you know, your own journey, at Qualys, from when you started to now where you are now, obviously, you know, having the top role, and it’s a fairly broad question. You can start whatever you want, but, as you help transition qual(8:28) is the product, a single feature, single product company to multi-product and a platform, something that you’re super passionate about. Walk us through that journey sort of how you were thinking about it, over time. And in that process, talk about your core product building principles.


Sumedh: It’s been like 18 something years. I don’t recall how long I started as a software engineer back then and cyber security was generally new and the vision that Qualys was taking is, Hey, we could leverage, what we now call, this cloud-based solution, right? Something as a SAS environment to help protect your devices in a much better way than the traditional on-prem systems that were being used back in the day with McAfee Symantec,  where it was a big installation of on-prem systems, lots of hardware, and a lot of administration was required.

The concept of SAS was fairly new, and the idea that you could build highly scalable security capabilities and I would say we were not the first vendors to use SAS for security at that time. And that was really the vision focused initially on vulnerability management, right. Just being able to tell customers, sort of, on a hacker side view of what the hackers could see on your network, and leveraging that to start fixing things.

And it was very difficult in the beginning. A lot of people were like, as soon as you said that we were hosting the database, they were like, yeah, that’s not what we will ever do. Now,  being a cloud-based solution has become a fashion statement. So, everybody wants to jump to say that they are the cloud-based solution first.

But, as we found a lot of success in that, we saw that the model worked, that the technology worked, the scale, that we could bring, where companies had millions and millions of devices being assessed every day. I mean, at the end of the day, the customers were the ones who were like, Hey, this is working really well compared to other things that we have. Can you guys look into these other areas? And that really started helping us and which is really I fundamentally believe that, “For a product to be successful, it has to be something that the customers are bringing up and they want, and there is a need for them to deploy”. So that really started pushing us in the direction of thinking, Hey, we have this deployment, we have a pretty wide deployment across a lot of different companies.

We can start helping them to consolidate the security stack and reduce the friction that happens today. When you have so many different security solutions deployed, for every little feature, and that’s a real demand, right? A lot of every CISO, first thing they will say, I have too many security solutions.

I want a way to consolidate those. And we really started in that direction to say, this is something that everybody. Nobody has that today. And it’s a difficult journey, but we are going to make the investment and we are going to start building a platform so that we can continue in that direction to add more and more security capabilities, because ultimately it helps. It’s not just about Qualys, the TAM that we have and things like that. It’s also, how does that simplify,  deployment and cost for us overall as an industry? Otherwise, it’s just the cost of deploying so many different security solutions is just too high. And then that’s just money that we could be spending in other places to improve technology that we’re not doing, because we’re just trying to manage too many solutions.

Ankur: A Quick follow up I have on this one is ,what are some of the product things that you have or Go to market things that you have to start thinking about early on in the journey?

Because a lot of companies, both in security and SAS in general have said it, but at least in SAS, we know that Salesforce has been successful. Really. We can count on one hand the number of companies who have been successful doing that, What separates the best ones who are really good at this from the rest, like, what do you have to think from a product and Go to market standpoint.

Sumedh: Yeah. I mean, first you have to have a good product. That’s number one that I had without that, nothing. but I think, after that, it’s really about understanding what the customers really can do and I would say that the best products are the ones that understand the ecosystem of their customer. At too many times, we get so focused on, I have this amazing feature in my product, right? And my dashboard looks so good and the UI is this. And the best products I think are the ones that really can understand the end goal of the customer and the ecosystem that they have and where this product can seamlessly fit in the ecosystem to make things much easier and simpler for them end to end, right! Because you want to be able to essentially take response actions at the end of the day, you want to prevent and just be able to respond. The other day I was looking for a sprinkler system that I wanted to buy and funnily enough, I found myself not looking for any other feature other than being able to use it with a voice assistant. That was one of the requirements.

 So, it was really not even about the feature of that specific product. Does it fit well in my voice assistant enabled home network that I have, because that fitting in that ecosystem is really important, right? So I think, when you talk about to land and expand and things like that, and go to market, it’s really about, I mean, there’s a lot of complexities challenges because the way it has evolved today, there are multiple teams that are silos, different teams own different budgets for different products.

When we talk about having something like a platform, what we really focus on is how do we then reach out to the different teams? How do we focus on showing the value? Because our DevOps team is very different from the incident(13:54) response team, which is very different from the risk mitigation team.

And that’s how large enterprises really are siloed today. And the budgets are kind of divided. So, even if Qualys has a set of capabilities, we have to work with these customers to make sure that the CISOs and those people will actually see the value in having all of this. And,  because otherwise people just look at it right, like, this is my job. And, you know, if this product comes in and maybe I’m going to have less to do, and that sometimes it goes, well, sometimes it doesn’t go that well. people may not appreciate that. so from a go-to market perspective it’s really the value, right? It’s just at the end of the day, Showing that, having a combined capability of platform that can do both risk mitigation, threat detection, monitoring, asset inventory, all of that in a single platform is not just about reducing the number of agents, but also getting a lot of, consistency, lot of productivity because you have all of that data together.

 and that’s the journey that we are on, right. Take an example of AWS, right? Why or any cloud service for that matter? Why do developers prefer that today or WhatThe way we have done IT in the past? Because when you go to that one platform, you need CPU, storage, memory, whatever you need.

You’re just getting it from that one platform. You make an API call, you allocate additional CPU and that’s it. and it’s a very easy way versus how we were doing it in the past if you had to go to a storage vendor separately, negotiate with them. You had to go to the hardware vendors separately, negotiate with them and it was a lot of work and you’re to, you know, buy big quantities. And it was just a very different model and, and cloud really changed that. And,  it’s become a lot more simplified in that sense. You don’t have to go and do that anymore. Unfortunately, for security, it’s still very much like that where you have to go to 30 different vendors, buy individual solutions, put a lot of developers to make it all work together with the same solution.

 So, the vision really would be: How do we bring that sort of efficiency in security by focusing on fewer platforms or a single platform that can provide that efficiency?  So, you can focus on security in a quick and fast cost-effective way.

Neelima: You mentioned, Qualys has wide deployment out and with the SAS comes the ease of deploying very, very fast. But with SAS also, there is another thing that comes in, which is how do you quantify the value of your deployments? Because it’s so easy to deploy and our customers actually get value out of the product or not. It’s a challenge we see across the board, especially in security because we show value only when bad news happens. Are there some specific metrics that you see from product reviews which can help understand how the product value is being used by the customers? 


Sumedh: Yeah. You know, that’s the eternal question for security, right? It’s like the Cod insurance(16:56) side. It’s hard to show the value of that till something happens. Right. But, what the insurance company is doing is like, they will give you the best premiums when you are doing, you have all the right protection capability in place to reduce and minimize the potential of something like that happening.

Right. And I think that’s really where I would say the security solutions sit today is, there’s no sort of way to quantify that, in, in that sense, but the way you can really look at that is, am I getting the full visibility of everything that I have? Am I actually able to cover everything?Am I looking at fixing all the things that I need to fix, that create risks to my environment. So, what used to be a very audit based approach in the past where, you know, our, we would assess our network once a quarter, once a month. I think the, the value from the security and the largely deployed SAS solutions, I would say, comes from being, it really being real time near real time where now you’re able to really make sure that okay, if something, a new exploit has come out or a new malware, you know that you have the right tools and the right, checking in place immediately and not having to wait for days or weeks before you can start to see the visibility.

and I think that’s where, the, the move towards why all security solutions are now moving to SAS is because having a SAS sort of an environment helps you, deploy much faster, helps you scale much faster. So, inherently, it provides you more real time, more up to date visibility, more ability to take response actions quickly but otherwise, you know, just the security, it’s just like the insurance. It’s hard to quantify in any, any quantifiable way to say, you know, you are at a hundred percent security level, right? That is unfortunately not the case.

Ankur: So I have a follow-up here at speaking of value, being one of the metrics you want to measure. I want to go a little bit deeper into your product reviews. I don’t know about Qualys, but the product reviews at Palo Alto or rural(18:55), I’m assuming something similar. You’ve been a CPO forever. What are you measuring? What do those reviews look like typically? And you know, you can talk about general, your notions about things that you measure. Business metrics are obviously pretty clear, but like, what are the leading and lagging indicators that you’re looking at, to assess products health?

Sumedh: Yeah, I think the advantage of sort of SAS platforms is you have the general visibility in fairly near real time on usage metrics on how customers  they’re ramping up, ramping down. Your support cases are generally an indication, your incidences that you see across the platform, or indications of what’s going on with your product, what’s your platform?

So in many ways, SAS products, that is very interesting because you have that telementory,  that you can really measure to see how the platform is doing, how the product is doing, what is the customer sentiment in terms of, support cases. Sometimes there’s a fairly good metric of that, but just again, very different for on-prem products where, you know, once you give the software then, and see another customer is doing everything and you don’t really have that kind of visibility.

So, you want to make sure that your product deployment and usage continues to go in the upward direction. Right. And that’s really the best measure at the end of the day to say, are more people deploying more solutions, more agents, more modules being used, to protect them from different attacks and things like that.

So without over-complicating that, I think that at the end of the day is a very good indicator that, product is being deployed well, and people are happy with that.

Neelima: What is a good mental model to prioritize in that scenario?  Is there a good criteria to prioritize that? 

Sumedh: I think it’s a combination of what your core abilities are as a company and how you can add those adjacent capabilities that the customer wants? Right. I mean, at the end of the day, the customers are asking that because they have a need and they want to simplify their deployments and they want to consolidate the solution.

So, how are you going to do that? So in some cases, companies are very focused on being able to add that technology on their own, in their own platform. I think I would say that Qualys is very much like that, where we’re very much focused on being able to take the technology, build it ourselves, or tuck-in acquisitions, where it’s really technology acquisitions that we take the time to build on the platform, so it becomes extremely seamless, deployment and a usage for customers. I would say, other companies take a slightly different approach. So you have to kind of look at that to say, do you have the core ability? Sometimes you look at it and you say, I have everything. I just need six months of work and I can provide this and other cases that are areas like, even for us where firewalls and things like that.

It’s just not an area that we are in. We don’t have the understanding, the experience, and the expertise. We’re not really going to go into that. You have other companies, as you guys know very well with Palo Alto, that approach has been digging, doing strong acquisitions,  of solutions that customers can now take and deploy. And that’s a different approach than what we have taken. But ultimately I think both companies are looking to say, how can we help customers deploy or reduce the complexity of their deployments by integrating different solutions and capabilities? So sometimes it’s going to be, just have to have the introspection to say, do I have 80-90% of what’s needed? And then I can add that quickly. Or am I really just starting from scratch in which case, An acquisition might be a better approach here to bring those capabilities. And so it’s just, again, at the end of the day, right? Is the investment that you’re going to make. What is the game that you’re going to have from that?

And when, and are you willing to do that investment and the direction in that sense that I then, like many companies we have gone in certain directions and realized later, well, maybe that’s not really our core area.

Ankur: Do you have any mental models on how you simplify the everyday, every quarter product decision making? Because you know, your teams are constantly struggling to make and prioritize. Have you figured out any hacks that just your Northstars, if you will, that helps you simplify things as you’re, you know, dealing with complex decisions and products?.


Sumedh: SAS sort of goes hand in hand with your agile(23:14) and you know, all these kinds of ideas where it’s, it’s a quick, iterative cycle. Right. And I think I remember, in the day when I started coding, the concept of a PRD was the most dreaded concept for any engineer and product manager equally.

Somebody posted on LinkedIn the other day that product manager used to work for me that, yeah, I said that, you know, PRD is a document that the engineers don’t want to read and the product managers don’t want to write, but then, you know, they just, everybody goes with that. And I just really don’t think that great products can have a product definition that can be written down.

I think you have to feel the product. You have to understand the deployment and you can only build a great product if your engineering team can build a great product, right. No matter how good a product manager you are and how you inspire your engineering team. Right. So I think, yeah, Well, you really need to be able to inspire and involve your engineering leadership, understanding the customer pain point and understanding, being on those calls with the customer and understanding the requirement and understanding the need.

And that’s when they are going to build something, they are inspired to do quick POCs when they hear an issue, they want to get something out, see tested out if that works and then build upon that. If the model is a, what we used to have in the past, and which is sort of really the, at the end of the day, the big difference between the Waterfall and the Agile is not all this time box and sprint and all the things that they made you do with hoarding the ball, when you can talk and stuff like that, it was really about, can you iterate quickly with your engineering team on a problem, Come up with a POC, a version one version two every couple of months, and keep getting better versus the model?  Somebody from product management goes into a room for three months and writes a 700 page document, defining every little comma that needs to be in the product and then hands it over.

And then the engineering team will take a year to develop that product. And then you come out and you’re like, whoa, okay. That’s not exactly what the customer really wanted. when you look at products and what you should work on and prioritizing that is always first is understanding from the customer, boiling it down, getting your engineering team involved, getting them inspired, boiling it down to a quick MVP, getting it out to the customer, their feedback, and their enthusiasm really gives you that impetus of like, “Hey, this is where we’re doing something right here”.Right?

Like we should iterate on the next version of it and come up with something better. So that way you don’t get into this motivator, you spend a significant amount of time to realize that, well, actually this is not something that anybody wanted at the end of the day. Right? So you can pretty quickly make that decision to say “We think it’s a good idea. The customer wants it. Let’s put something together” and then they may say, “Yeah, this is not going to work”. And then you’re like, you know, maybe we don’t need to spend more time on that. Right. And that happens all the time. You need to be able to do that. So, there’s no magic. Like nobody really knows for sure. Right. I cannot say this product manager or me, or whoever knows for sure that this is exactly what the customers want. It’s about leveraging the SAS model and that  ability to iterate quickly to get a good product in front of the house.

Ankur: I have a scenario for you based on what you said about the product engineering dynamics. You have a scrum team where the product guy or gal says, “Engineers, go build, this”. And engineers are like, “Yeah, just tell me exactly, spell it out for me, I’ll go build it.” Another scrum team where the engineers are like, “Just give me just a general high level idea on what you want to get built and then just back off, like, I’ll build it for you. It will be amazing, et cetera”. Which scrum team is likely to succeed better in the long term? 

Sumedh: I definitely, I would say the second one. I think the first one, you probably want to recommend their engineering people to the competition as really be, to say, [BOTH LAUGHS] because if an engineer doesn’t want to get involved in really understanding, you’d pick any of the products, like, you know, Uber or whatever it is, right? Like if you don’t feel it  as an engineer, you don’t understand how you will use it. You’re just not going to be able to build a great product. Right. Then I would say that, you’re very much more likely to succeed when the engineering heads are really as curious and as enthusiastic about the product as the product leadership is and want to actually understand and want to build something.

Now, just over the period of time, there are inherent challenges and in that model also as well, right. Which is when you don’t have everything defined. You are going to go make a few mistakes or do something that was not quite defined. And you went in one direction when it should have been in another direction. But,  the way I look at that’s sort of built into the model, so it’s like, you know, you take 10 steps and then you ever take two back, but then you’re still eight steps ahead versus in the other model, you’re just waiting and waiting for somebody to give you everything before you won’t take the first step.Right? 

So I think that iteration and that ability to move fast, even though sometimes you have to take two steps back. I think that’s still at the end of the day, you come out much more ahead than in any other way.

Ankur: How many times, by the way, I’m just curious, in a quarter, do you have to break the time between the product and engineering people, where, we got to get somebody involved in his mind? Is it a one supporter type of thing, or this is like your day in week kind of thing?

Sumedh: Yeah. You know, my  general response is always to ask the customer, right? Why are you spending time and arguing with each other? And neither one of you is going to pay for the product. So, [HE LAUGHS] ask the people who are actually going to pay for it and let them figure it out. Right? Yeah, of course I am very passionate.I have certain thoughts on how things should be. And, you know, sometimes my team likes that, sometimes they don’t,  but I’m very much of a, like, “on demand” type of person. I don’t do that. Schedule one-on-ones because then I feel like you’re sort of creating this artificial like I will talk to you once a month and then you will come up with something to tell me what you have been doing. So that, then I can tell you if you’re doing good or not, like maybe I need to talk to you every day. So you could just ask me, or maybe I don’t need to talk to you for three months because you’re just doing so great at what you’re doing.Right. Like I don’t need to come and tell you anything.

 So in general, like, if there is something like that, it’s not a scheduled thing. People just ping me on teams. And then,  throw chairs quickly and figure it out. And most of the time it’s really just, “Hey, let’s, let’s just send this customer a couple of screenshots and then figure out what they want”.

Neelima: I quite agree.  I believe scheduling kills creativity and also collaboration. 

Sumedh: Yeah, absolutely.

Neelima: So now, we’ll switch a little bit to the stock market. So as a public traded company, your shareholders expect growth year over year. And we’re seeing startups raise monster rounds.I mean, I’ve never seen before kind of rounds and public traded companies are raising debt to keep up whereas we’ve seen Qualys has taken a very, very deliberate approach to growth. Can you walk us through your thinking on how you see the company go to the next phase of growth?


Sumedh: I will say that there’s different approaches. Right. And it’s about what the VCs think. When you look at the startups more specifically, it’s about what they think that investment is going to be. Maybe because they’re seeing the bigger companies acquire these at higher multiples or valuations.So, they say, even if I’m putting a lot of money right now, I’m pretty sure it’s going to be something that I’ll get the return on time. And for them it’s not necessarily about technology or anything. It’s like, do they see the returns that are going in? Right. So look at the end of the day, what it comes down to, when you talk about the stock market versus the VCs that are, is Who’s building a more sustainable long-term business, right?

Like, is there something that’s going to be a flash in the pan where suddenly you spent a huge amount of money on sales teams. And growing sales very fast, it was to get that quick bump and the stock and then after that, you don’t have a sustainable business that will continue to keep growing.

If you look at Amazon, they’ve done a great job of continuing to grow their business in different areas and build something like that. So,Companies that are taking debt or whatever it is to build that, if they feel, and their investors feel that this is something where they will get value for their investment. I think that’s great. So, that’s one way of doing it. Qualys has done it in different ways, so there are companies that are very focused on creating that sustainable longer time growth investing in a more prudent way. Not necessarily,  just throwing money for the sales side of the house as some companies do so. Again, I’m not saying more specifically about Qualys. In general, the different types of companies that do things in a certain way.

Right. And I think, It goes with that. Everything we’ve talked about so far, right? How do you build something that’s sustainable and iterative and  you be a little agile at coming up with a new idea and building something and then taking it to customers.

And if that is actually working, then you can now put more investment and grow your time and take it that way. Or do you go off to the next flashy thing? Because maybe they got some other company, got a lot of investment in that. Right. And you have to make a judgment on whether you want to go in that area.

Is it something that you can actually do, it’s not just about building the product, right. It also is the scenario that you can sell the product once you build it. Right. Do you have the right people that  go to market, and that our customers are not aligned with it?  So,all of those factors go into that thought process, but, I think it’s just the focus on building long-term sustainable business, is what certain companies focus on.And I think that’s, I commend that.

Ankur: Yeah, it is commendable. Indeed. It requires a lot of discipline, self-belief, think of them a lot from,  any thoughts on companies that are just, over-rotating, hiring(33:00) sales,  on their way to growth, you know, sort of,  invest ahead of the market opportunity in some cases.

Sumedh: It’s a gamble, right,That they take. So, when you go in that direction, you spend a significant amount of money upfront to hire a sales team. Again, we’ve seen this happen in cybersecurity as well, where companies hired investors significantly in sales, early on that in the stock, went four or five times, and then couldn’t sustain that because the product behind it was not backing up that sales effort to grow and be able to sell additional capabilities.

Right. And we’ve seen that happen. And so, in other cases, however, there are organizations where they have invested in sales because they are very confident and maybe they are  validated that investment is going to bring their additional revenue, which will then help them go in a certain direction from a product which will help them, build a more sustainable company in the long term as you,  maybe Amazon would be a good example of something like that. Right. So I would say that, ultimately as long as you’re doing that to create a long-term sustainable business, that’s what, the market we’re always like, do some stuff to get the stock to go up, that, people may be looking at, but that’s not really sustainable long term.

Neelima: Talking of sustainable business. You had a very interesting story about how the India office opened for Qualys. Can you tell us a little bit about that? 

Sumedh: You know, as we really started seeing that we need to expand our engineering talent to do all these additional adjacent  things like customers were telling us, we could do.  of course from their standpoint, it’s like, oh, you just have to add this one thing. And then, you know, we’ll have a new capability, but, hiring that kind of talent and in those numbers, in the bay area, and as publicly traded company with the EBITDA margins and all of that, Really at that time, I felt like, Hey, we need to augment our team with, some way for us to get additional talent,  that is high-quality and can scale. Right. It was really about being able to scale the talent and not really so much about the cost or anything like that. Initially, at least, right, Phillipe used to say that a lot, you know, we went to India for the talent and we found the cost. And I think we started this out in Pune as a very interesting way of building an R and D center that was not sort of a second fiddle necessarily to the US entities.

It was really meant as a way for us to be able to get additional talent,  in different locations. So we heard a lot of good talent in the US, we were able to now expand with getting good talent and in Pune as well. And, it was very interesting to build that out and create a name for ourselves in the local market, as a company that was giving opportunities for people to really own product lines globally.

And I think that the best talent looks for that. They want to take responsibility for the global product line and not just be focused on one aspect of it. Then we offered that opportunity, which really helped us grow significantly, our talent over there. And we’ll be able to deliver a lot of these capabilities that we have in a fairly short amount of time, expanding into, out of vulnerability management, into EDR and now XDR and, file integrity monitoring, and many, many other cloud container capabilities has been mainly because an interesting model that could be built, where we would hire the leaders no matter where they were and empowered them with the responsibility of the entire product line so that they can really take that shine. Build good teams and work with customers. And then we didn’t sort of differentiate between, oh, because you are in the US or because you’re in India, you only get to do a certain type of work. It was just, you know, strong product lines built of strong engineering talent. And that’s what we focused on.

Neelima: Couldn’t agree about giving ownership. With ownership comes responsibility, and then you have great products. I wanna pivot to your career now. Sumedh, you’ve been at Qualys for nearly two decades. In this time you must have gone through phases where it may have been easier to go work elsewhere. How did you think about your career as you were going through these phases? 


Sumedh: Yeah, don’t we all have those days, right? Yeah. You know, I think we went through many or the last 18 plus years. I’ve personally gone through many different ups and downs, great moments and not so great moments. And, I really took each of those moments when things were looking down as an opportunity to take that as a challenge.

Right. And because I felt like even if you go somewhere else, you’re just dealing with a different challenge. Right. And again, you have a different environment and you have to figure a lot of things out there anyway, right? Like if you’re going to need a job, you have, there’s a lot here to figure it out. Right? You have to figure out your management, you have to figure out your peers, you have to figure, are people reporting to you. Who is going to work with you? Who is not going to work with you. Is your management going to give you the resources that are required to be successful? You know, do they like your style or art?

So if you’re going to go and try to do all of that anyway, well, why not do that? Where you are. Right. So take a fresh look, look at it  as though I have a challenge. It’s, you know, probably it’s with my peer, my manager, whatever it is. And then find a solution because that’s ultimately what helps you get ahead. Can you find a solution?

And so for me, it was always about. Okay, let’s take, let’s take a pause. Okay. Here’s where we are. So what is the solution to this issue? Right. And, that’s every time we ran into a challenge or I ran into a challenge, I would do that. And I think that worked well for me. I would say that it also helped quite a bit that Phillipe was very supportive in general.Right? 

Sometimes, it becomes very difficult if the management is not supportive of what you really want to do and you know, sometimes that they want to go in a different direction  and you just don’t want  that as not your direction. So, for me, I always kind of would take a step back and think about why Phillipe wants to do something different than what I want to do.

And does that make sense to me? And if it is then yes, I would continue and if it didn’t, I would pick that for, to try to work with him to say, this is why we should or shouldn’t do that. And we figured it out sometimes, you know, he got his way. Sometimes I got my way, and we were able to work that out.

And so I don’t necessarily think. And again, not that people shouldn’t switch jobs or anything, but I don’t necessarily think that that’s going to solve the problem because you’re just taking over different challenges. Right. So, and if you are going to take up a challenge, then why not try to really take the challenge where you are, if you believe in the, of course you have to believe in the company or to believe in the vision and all of that. Right.  then it makes sense. And,  for me, that perseverance definitely worked out because I was able to get enough challenges to resolve or get promoted at every stage and was able to get to this point.

Ankur: Yeah, you are what I call the Michael Jordan of the security industry or vulnerability industry, whatever you want to call it.[SUMEDH CHUCKLES]  Yeah. It is indeed really commendable, to stick with the same team, pushing through a lot of adversity. I don’t think that they teach you that to kids nowadays and right there a little bit of adversity and they pocket(40:05) and they want to work somewhere else because Facebook or Google is going to drop like two extra salary. So, I have a lot of respect for people who stick it out,  to the extent that the company is growing and you’re, you’re instrumental in that road. So definitely, something that I had my personally, what advice would you have for someone who’s aspiring to take their top role? Imagine yourself, 18 year old again. What are the top three things you did that you would advise somebody else to do?


Sumedh: Gosh, you know, I’ve been getting this quite a bit in the last few days and people are like, oh, you’re successful because you know, I never see you. And I just don’t, I don’t necessarily look at it like that. I don’t feel it like that because I feel like there were times when I felt so successful, because one of the algorithms I was trying to write really worked out well as an engineer.

And, that at other times when, in a different position and you don’t feel as successful. So feeling successful is a factor of your own goal. Like that’s how I look at it. Right. There is a social success thing where people obviously say that the higher you go, you, they see that you are more successful when you may not feel happy or successful or whatever it is.

So, for anybody who’s sort of, looking to, to grow or whatever it is, it’s just, you have to know if that’s what you want to do. Like the, you want to go in that direction and then if you knew, then you just need to cite the more immediate near term goals and resolve them and have find success in them. Because I don’t think you can really start now and say, I’m going to carve a path for myself to be at this position in 15 years. Right. Because so many things change the world around you, changes, economics change, social situations change. So, I just looked at it as what’s then what’s my next challenge.

How is that going to help the company? How can I help the company grow the customers to find some solutions? And then that eventually led to things, working out well, people buying more and the stock going up and all of that. But, I would be the first one to say that  this was not part of some sort of a plan that I had written down on paper and put under my pillow 10 years ago, that this is where I was going to be. Right. I think if you just focus on  digging one challenge at a time, looking at being successful in that and doing the right thing for the right reasons,  I feel like that  leads to success, as you move forward and you cannot have success with our failures.

So, you have to be open to learning from your failures and your experiences that a lot of banks, people say that, but they don’t always think about it. But I think you have to have things that don’t work out. So you learn from them. Now, I would say the leaders, good leaders or the successful people are the ones where most of the decisions work out.

If most of your decisions I’m not working out, then that’s a different problem that you have to work on but you know, if you  gotta be able to make a bunch of decisions quickly based on your, which again goes back to that passion and conviction that we started off talking about. Right. You have to have the passion for something, believe in it, have the conviction, jump into it and then be ready to reflect on it. If it doesn’t work out, find the next path or find another way to do that. Right.

Ankur: How do you manage the psychological aspects of being at the top? Having to make so many decisions everyday, being responsible for the business and thousands and thousands of people. You know, my son, when I’m stressed out or working on the weekend, he’s, like, you’re the boss, at least boss has the team that I have, like just delegated. I said, you won’t understand the higher up you go, the worse it gets actually. So, how do you manage the psychology of just having to do this day in and day out?


Sumedh: I don’t think anybody’s really perfected that, but in general, stress is a factor of your worry about the future of what you don’t know. Right. That’s basically what it is like, why are you stressed? Because something  you think is going to happen and that is not going to be good. Right. And I think we all can agree that we really don’t know what the future holds even tomorrow.

Right. I think that the best way for me to manage is to make the best decision today with whatever information that you have, and not try to spend too much time speculating what could happen in the future. I mean, how many times has that happened in life? Not just about work that you’re so worried about(something) and then It doesn’t end up happening.  And then you’re like, oh man, I just spent so much time and stress and wasted my weekend and all of that worrying about this. And I didn’t think of this other thing that actually,  because of that, this is not true or not possible. And I just went in the completely wrong direction of the tangent.

 So, I think the more you can not worry about what could go wrong, or have a way to know how you would address that if it does, you’re going to feel a lot more at ease and a lot more at a clear thinking and making decisions. And so that’s what I tried to do, right. I think at the end of the day, whether you’re an engineer, a director, CEO, whatever it is, we all have the same amount of hours in a day, right?

So it’s still 24 hours and we’re all working just as hard as just the different jobs have different areas of focus and responsibilities in decision making. And, more you can land for the future, but not worry about it, what has not happened by thinking too much about what could go wrong? I think, the less stressed you are going to be, and the more clear vision you’re going to have, and that’s going to help your decision making process. So that’s my opinion.

Ankur: Yeah. Well said. Having that perspective is the most critical thing. Yeah,

Neelima: And also those Zen like philosophy thinking, which,  I think Sumedh, you follow. 

Ankur: It looks like him, it comes naturally to him.

Sumedh: You guys, it’s a lot of thinking, right? Self-reflection and you’re looking at like, why did I worry about that thing so much? And then you’re like, well, maybe if I stop worrying about things that have not happened, given that things don’t always happen the way you think that they will be, that helps to think.

Neelima: Yeah, And I’ll  switch to Hindi and say  “Karm karo, fal ki chinta mat karo”.

Sumedh: Yeah, that’s true. Because you don’t know what you’re going to get in the future.

Neelima: Absolutely. And this is my last question. Before we go into the rapid fire with Ankur,   the rate of change continues to accelerate in our industry. As a leader, how do you make sure you’re on top of the latest innovations and tech trends, because as you said, being customer led on the product side is so important but then you are also going towards the top. So, time is scarce. How do you balance both? 


Sumedh: You cannot do it alone, right? You cannot be successful alone. You have to surround yourself with people who are experts in it and know more than you, like, It’s number one thing, right? There are many more people at Qualys that understand the security aspects of things much better than I do.

And that’s really the key for success as you have. The experts are the people who see it and they can collaborate with you, work with you to say, what’s the direction that we should take so that we can stay ahead of it and you can trust them. And I think that’s how building a great team is really more important to success than anything else I would say is like, because you can never do it alone.

You have to have a great team that is going to take you to success. And I think,  staying on top of industry trends and stuff like that, it’s just that these are the experts that are part of your team, they are the ones who you work with  what you see, what they see, work with each other, collaborate and then, make sure if that’s the direction that you feel you want to go, then are you ready to make the investment? And, then,  go for it. One thing that’s constant is change, right? We, five years ago we really needed no containers. Right. And now suddenly here we are. And,  at that time we felt like firewalls were the best thing. And then now we’re, container security is the best thing and whatever. Right. So I think in five years you’re going to have some new technology that we haven’t really thought about today, and now we’re going to have to rush to secure it.Right.

So, how do you make sure that you know that’s going to happen? So how can you build a platform, or build a solution that can address that fairly quickly. Right. And I think that’s what it comes down to when I was saying earlier at the end of the day, no matter what next technology you have, it still is coming down to, oh, I put that bucket out.

There will be four credentials, but that’s what we were doing 50 years ago when we put the server on the internet or whatever it is. Right? Some things are not, no matter what new technology will come, the basics of risk assessment, risk mitigation are going to stay the same. And,  people just want to know that before the bad guys do.

I think that’s what the focus of this is going in my mind.  It needs to be really,

Ankur: So, that brings us to the last and the final segment of the show called rapid fire. I’ve got some simple questions, Five of them, short answers, long answers, whatever you prefer.All right. Are you ready for this?

Sumedh: Let’s do it.



Ankur: All right. So since you’re a product guy, I’m going to start with an easy one. Your favorite SAS product, B2B or B2C.

Sumedh:  I would say Salesforce.

Ankur:  It’s a little bit harder, but, let’s give it a try. So let’s say you were appointed the GM for the Google workspace business, the G-suite business And your goal is to gain significant market share from Microsoft. And you’ve got to take it away from Microsoft, what’s the number one product or the go-to-market bet you’re making to make that happen.

Sumedh: We’re really focused on understanding enterprises and having the go-to-market team understand how an enterprise functions versus more of a beta product. That’s how I feel like really a lot of people get that feeling that G-Suite products still seem like a beta. And that’s what I think Microsoft is probably doing better because they understand the enterprises and how they buy and deploy and work better.

Ankur: Yeah. In a classic Google fashion, it seems like the engineers got excited about G-Suite early on and they’re like, oh, we’re bored. Give us some other projects that they just kind of paused.

Sumedh: Well, we ultimately switched from Google to Microsoft for that G-suite or Office365, just for the enterprise capabilities.

Ankur: Okay. A third question. Most useful AI app that hasn’t been built yet.

Sumedh: Self-driving cars. I would say, you know, that nobody’s really built it.I would love to have (somebody),  a car come and pick me up and drop me off at the airport, but we don’t need drivers far, so we don’t have to pay search pricing, maybe.

Ankur:  Well said, a good one. You’re getting your teams to build a game-changing capability or a module. Okay. You can only pick one of the three, you’ve got to hire a whole bunch of people. You can buy more time or reduce the scope. Which one are you picking?

Sumedh: Reduce the scope.

Ankur: Yeah, spoken like a true product person. 

Sumedh: Sure. I think, and I will bet the minimal MVP and we’ll see how that goes.

Ankur: Okay. So last week it was big  news that there would have been about 142 event occurrences. Now confirmed by the Navy and everybody else in mainstream media, that there have been 142  UFO’s/UAPs. My question is in your opinion, what are the odds that there’s an alien life out there?

Sumedh: I don’t know. It’s like asking, you know, it’s about, It’s like, God, right. You who it’s really up to your conviction. Right. So, people will see things in what they see and it’s always hard to prove or disprove.  So when it is the right time for these things to be revealed or they will continue the debates on whether it’s real or not. We don’t know what we don’t know. So we, nobody can say with conviction that there is no other life form out there, or there is out there until we actually see some, something that is happening. So how can I say that? Yeah, it’s possible  and we don’t have any way of putting a timeline on that one.

Ankur: yeah. I like your no answer answers. You’ve been prepped well by your communications team.

Sumedh: Yeah, you have to be good at that. Now.

Ankur: All right. Last question. If you had to spend a weekend with one product person from past or present, who would that be?  

Sumedh: Yeah. I would say Sundar Pichai  or I would say Satya Nadella,yeah, between the two of them, the way they have transformed their, you know, organization. So, the product focus, I think, is phenomenal,  because it’s not just about the economics and the business aspect of it. I think for again, building something that’s long-term, you have to have a great product that can continue to grow. And I think both of them have done a great job, so would love that. 

Ankur: Awesome. Well, Sumedh that wraps up this episode of ZeroToExit.  It’s been a pleasure to have you. Thanks for taking the time, wishing you a lot of success in your new role as the CEO of Qualys and wishing Qualys, a lot of success, as you transform the company through the next phase of the growth. Thanks a lot.

Sumedh: Alright. Thank you guys. I really had a lot of fun, hope to talk to you again sometime soon.