01-07-2025
Exclusive: Qualys' Sam Salehi explains why ANZ firms are turning to risk platforms
Cybersecurity is changing fast - and Australian and New Zealand businesses are struggling to keep up.
According to Sam Salehi, Managing Director of Qualys for Australia and New Zealand, the region is facing a combination of a skills crisis, evolving threat landscape and rising customer expectations.
Salehi has led the ANZ arm of the cybersecurity company for just over a year. His number one focus is supporting customers while growing his team and expanding services through partners.
"In the next 12 months, we will continue to develop our managed risk operation centre (mROC) services in partnership with MSSPs," he said. "I'll also focus on hiring more people and expanding the team in the ANZ region."
However, talent is hard to come by.
"My take on it is cybersecurity moves really fast," he said. "We haven't paid enough attention to educating the younger generation to enter this field. Also, many people are coming from other industries, which means it takes longer to upskill."
He referenced a global estimate predicting over three million cybersecurity jobs will be vacant in 2025.
While that figure is staggering, Salehi said it highlights the importance of building an ecosystem of partners and investing in automation.
That thinking has led Qualys to embrace a "channel-first" strategy in ANZ.
"My team is around seven people, so shifting to channel-first helps us expand market reach and accelerate growth," he said. "We now have more than 80 active partners in this region."
The company also created a new role - channel account manager - to support those partners and ensure they're equipped to help customers.
It's part of a wider effort to raise awareness of what Qualys actually offers.
"Though we are a household brand when it comes to vulnerability management, we do 20 different things that people don't know about," Salehi said. "That really shocked me."
He added that many customers still assume Qualys is only a VMDR vendor. "When I tell them we play in API security, AI, patching - they're surprised," he said. "Some of them ask, 'Since when are you doing this?' And I say, 'It's been five years.'"
Salehi believes part of the issue lies in how the company traditionally went to market, and hopes the channel-first model will broaden its reach and change perceptions.
That ties into another growing trend he sees: platformisation.
"Companies are now looking for best of platforms, not best of breed," he said. "Instead of having ten vendors, they want to narrow it down to three and get better outcomes."
Cloud security and remediation are also top requests from customers, alongside automation tools that help lean teams do more with less.
To support that, Qualys recently launched TruRisk Eliminate - a platform offering patching, mitigation and isolation from a single console. It's aimed at overwhelmed security teams who need more efficient ways to reduce exposure.
"There are ready-made playbooks so your team doesn't have to spend hours researching how to fix something," Salehi explained. "The isolation feature is also granular - you can lock a server to run just a few specific applications."
Another recent addition is Policy Audit, an enhancement to the company's existing compliance tools.
"This drastically cuts manual audit preparation time," he said. "It helps organisations stay audit-ready, especially with increasing regulations like the SOCI Act and mandatory data breach notifications."
Qualys has also leaned into education and community building. Over the past year, Salehi and his team delivered 20 risk quantification workshops across ANZ, led by US-based expert Richard Seiersen.
"When you give back to your community and enhance knowledge around a critical topic like risk management, it builds trust," he said.
The workshops were free and well attended, each drawing 8 to 12 senior stakeholders from across industries. Salehi described Seiersen as "a celebrity in cybersecurity risk".
"People want help communicating cyber risk in a business context," he said. "That's still missing in the market."
Salehi says one of the most impactful developments for Qualys in this space is the company's Enterprise TruRisk Platform, which underpins its Risk Operations Centre (mROC) offering. It unifies cybersecurity, operational and financial risk insights into a single pane of glass.
"It enables business context," he said. "Not all vulnerabilities matter equally - it depends on their impact. This helps customers focus on what matters first."
That solution is also available via a managed version (mROC), delivered in partnership with MSSPs.
"These partners become strategic advisors to customers," he said. "They help with risk advisory, onboarding, integration and continuous monitoring."
"Reflecting on the past 13 months, Salehi said his focus was on bringing everyone together - being a small team, fostering a culture of support and collaboration was key".
"It took time to bring everyone together and build a culture of support," he said.
"We're a small team, and some functions like HR and legal are offshore, so collaboration is key."
Despite being part of a publicly listed company, Salehi said Qualys has a family-like culture. Much of that comes from CEO Sumedh Thakar, who's been with the business for over two decades.
"He's so approachable and empowering," he said. "It inspired me to lead the same way in ANZ."
For Salehi, customer relationships remain a top priority.
"I've had over 100 customer meetings this year," he said. "It's not about selling a product, it's about understanding the person in front of you."
