Ivan Milenkovic of Qualys explains why CISOs must evolve into risk captains who translate technical signals into business language. He introduces the Risk Operations Center concept as a proactive alternative to traditional SOC approaches.
In this Brand Highlight, Ivan Milenkovic, Vice President, Cyber Risk Technology at Qualys, joins host Sean Martin to discuss how security leaders can break free from the whack-a-mole cycle of vulnerability management.
With more than 48,000 vulnerabilities disclosed in 2025 alone and the average enterprise juggling 76 different security consoles, Milenkovic argues that the old methods of counting patches and chasing alerts are no longer sustainable. Instead, Qualys helps organizations prioritize threats based on business context through what the company calls TruRisk.
Milenkovic describes a fundamental shift he sees taking place in boardroom conversations: moving from risk appetite to risk tolerance. Boards and executives now want to know what specific losses mean to the business rather than simply asking whether the organization is secure.
For CISOs, this means evolving from the department of "No" to the department of "Know," where security leaders understand where problems exist, how to fix them, and what architecture supports business objectives. The key is demonstrating return on investment through resilience metrics rather than vulnerability counts.
Qualys addresses this challenge through its Enterprise TruRisk Management platform, which facilitates what Milenkovic calls the Risk Operations Center. Unlike a traditional SOC that focuses on incidents that have already occurred, the ROC takes a proactive stance, helping organizations prevent threats and optimize security spending before damage occurs.
This is a Brand Highlight. A Brand Highlight is a ~5 minute introductory conversation designed to put a spotlight on the guest and their company. Learn more: https://www.studioc60.com/creation#highlight
GUEST
Ivan Milenkovic, Vice President, Cyber Risk Technology, Qualys
On LinkedIn | https://www.linkedin.com/in/ivanmilenkovic/
RESOURCES
Learn more about Qualys | https://www.qualys.com
Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight
KEYWORDS
Ivan Milenkovic, Qualys, Sean Martin, brand story, brand marketing, marketing podcast, brand highlight, Enterprise TruRisk Management, Risk Operations Center, ROC, vulnerability management, CISO, cyber risk, risk tolerance, security leadership, proactive security
[00:00:00]
Sean Martin: And hello everybody. You're very welcome to a brand highlight with Qualys. I'm pleased to be joined by Ivan, the Vice President of Cyber Risk Technology at Qualys. Ivan, thanks so much for joining me.
Ivan Milenkovic: Huge pleasure to be with you, Sean.
Sean Martin: And, if you could kick things off for us, a brief word about your role, what it is you're up to at Qualys, and maybe a quick overview again for folks of the latest of what's going on at Qualys.
Ivan Milenkovic: Indeed, I'll start the other way around. So 26 years ago, Qualys started as a vulnerability management company and everybody knows [00:01:00] things have evolved when it comes to cyber. We went from physical constraints to, you could call it, digital boundlessness. So it's a mad world where, you know, cyber attackers can steal millions in minutes, where cyber attacks can cost companies billions worth of damage.
So we realized that security teams are trapped playing this whack-a-mole thing, and Qualys has obviously been in the middle of all of that madness for plenty of time, to be fair. And therefore, we kind of evolved into a risk management company. We replaced generic technical scores with what we call TruRisk, where we actually prioritize threats based on business context. So, today, through our Enterprise TruRisk Management platform, we don't just list bugs. We translate technical signals into financial language, into business language if you want. And we also facilitate companies in establishing their risk operation center.
So that was the biggest thing [00:02:00] that attracted me to join the vendor side. Prior to Qualys, I was a group CISO of a rather large outfit out there with more than 140,000 people. So that should give you an idea and also explain to people how attracted I was to joining Qualys.
Sean Martin: Oh, I love it.
And certainly a leader in a lot of things, vulnerability management. And I really like the idea of the risk operations center. And so I think we'll probably touch on that a little bit here today. As CISOs look to the coming year, with risk in mind, with business language and whatnot, what do you see as kind of the most important things that are shaping how they look at risk and how they connect that back to their business?
Ivan Milenkovic: Absolutely. Look, one of the huge problems we see these days is noise, deafening noise for that matter. Reflecting on 2025, [00:03:00] we saw more than 48,000 newly disclosed vulnerabilities. So, the challenge with that, plus the fact that, if memory serves me right, there is some analysis that a large enterprise on average has something like 76 consoles, different tools and whatnot.
It's almost impossible to handle everything. It's impossible to fix everything. It's impossible to have a very good overview across the board. And there's a challenge I already mentioned: security professionals playing Whack-a-Mole. So, the challenge is really, you know, how do you bring those things together?
How do you prioritize everything correctly? And also, you know, boards and executives are waking up to the fact that they need to move from what I would class as appetite to tolerance. Really, when it comes to those discussions, it's not really "are we secure?" anymore. [00:04:00] It's "is our exposure within our tolerance?" Really, you know, what would that loss mean to us?
How much can we lose if a particular system goes down, and so on? Therefore, CISOs really need to wake up and they need to evolve themselves into risk captains. And what I mean by that is, it's really, you know, stop being the department of No. When it comes to security, it's becoming the department of Know.
As in, I know where the problems are. I know how to fix this. I know what's the needed architecture to support the business, because I understand the value at risk. I understand how our business operates, what brings money, what we need to stay afloat. So it's really kind of ruthlessly bringing together all the things that point at risks, and making sure that we can actually show the return on investment when it comes to security.
So it's not just, you know, reporting on number of vulnerabilities, it's actually [00:05:00] reporting on the quality, on the resilience, the level of resiliency, if I may.
Sean Martin: I love it. And in the final moment here, perhaps you can connect how Qualys helps organizations achieve the desired outcome for this.
Ivan Milenkovic: Indeed. Look, we've been putting plenty of time, money, and effort into this thing. We have a new product that hopefully everybody knows about, called Enterprise TruRisk Management. It is the platform that facilitates what we refer to internally as the risk operation center, but that's something that we would really like the whole industry to adopt.
At the end of the day, ROC is about, you know, having that proactive take. Everybody knows what a SOC is. Everybody knows how a SOC is useful. Everybody knows how that security operation center helps companies get out of trouble. But frankly, SOC means you're looking in your rear view mirror. SOC means that, basically, we're looking at things that already happened.
We're [00:06:00] trying to catch up with bad guys. Whereas ROC is how you prevent those things from happening. How you focus your effort, how you optimally spend when it comes to security to protect your environment. And that's really where Qualys is going.
Sean Martin: I love it. And I'm certain folks listening to this brand highlight, they're excited to figure out how to work with you and the Qualys team.
Because that usually represents the first step in understanding the challenge and overcoming it. So Ivan, thanks so much for sharing this story with us.
Ivan Milenkovic: Thank you. It was a pleasure.
[00:07:00]