Risk operations: moving beyond vulnerability whack-a-mole



Alex Kreilein, VP of Product Security at Qualys, discusses the shift from vulnerability management to risk operations at the company's Risk Operations Conference (ROCon). He explains why focusing solely on vulnerability counts misses the point and how organizations can achieve better security outcomes through risk-based approaches.

Kreilein breaks down the practical challenges of SBOMs (Software Bills of Materials), introducing VEX (Vulnerability Exploitability Exchange) as the missing piece for effective vulnerability communication. He shares insights on developer friction points, the real reasons for vulnerability debt, and why test efficacy matters more than compliance checkboxes.

Key takeaways:
• Why risk operations differs fundamentally from vulnerability management
• How SBOMs become actionable with VEX status messages (affected, not affected, under investigation, fixed)
• The hidden cost of technical debt and fragile applications
• Real-world approaches to secure by design and developer productivity
• How agentic AI can help security teams focus on strategic outcomes
• Why compliance is a floor, not a ceiling for security
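To make the "SBOM plus VEX" takeaway concrete, here is an added illustration (not material from the episode or from Qualys) of how a triage step can use the four VEX statuses to decide which SBOM scan findings still need work. The record shapes are simplified OpenVEX-like dictionaries, and the CVE identifiers and component names are constructed placeholders, not real advisories.

```python
"""Triage SBOM scan findings with VEX statements (added illustration, not from the
podcast). Statuses are the four the episode names, in OpenVEX spelling; the record
shapes are simplified and the CVE ids are constructed placeholders, not advisories."""

# Constructed scanner output: each finding ties a CVE to an SBOM component (purl).
FINDINGS = [
    {"cve": "CVE-XXXX-0001", "purl": "pkg:npm/left-pad@1.3.0"},
    {"cve": "CVE-XXXX-0002", "purl": "pkg:npm/left-pad@1.3.0"},
    {"cve": "CVE-XXXX-0003", "purl": "pkg:maven/org.example/parser@2.1"},
    {"cve": "CVE-XXXX-0004", "purl": "pkg:maven/org.example/parser@2.1"},
    {"cve": "CVE-XXXX-0005", "purl": "pkg:pypi/requests@2.31.0"},
]

# Constructed supplier VEX statements (OpenVEX-like shape).
VEX_STATEMENTS = [
    {"vulnerability": "CVE-XXXX-0001", "products": ["pkg:npm/left-pad@1.3.0"],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "CVE-XXXX-0002", "products": ["pkg:npm/left-pad@1.3.0"],
     "status": "not_affected"},  # no justification: must not suppress the finding
    {"vulnerability": "CVE-XXXX-0003", "products": ["pkg:maven/org.example/parser@2.1"],
     "status": "fixed"},
    {"vulnerability": "CVE-XXXX-0004", "products": ["pkg:maven/org.example/parser@2.1"],
     "status": "affected", "action_statement": "upgrade to parser 2.2"},
]

ACTIONABLE = {"affected", "under_investigation"}


def triage(findings, statements):
    """Return the findings that still need work, each tagged with a VEX status.

    Only 'fixed' and a justified 'not_affected' suppress a finding; an unjustified
    'not_affected' or a missing statement is treated as 'under_investigation'.
    """
    index = {(s["vulnerability"], p): s for s in statements for p in s["products"]}
    queue = []
    for f in findings:
        s = index.get((f["cve"], f["purl"]))
        if s is None:
            queue.append({**f, "status": "under_investigation", "reason": "no VEX statement"})
        elif s["status"] == "not_affected" and not s.get("justification"):
            queue.append({**f, "status": "under_investigation",
                          "reason": "not_affected without justification"})
        elif s["status"] in ACTIONABLE:
            queue.append({**f, "status": s["status"], "reason": s.get("action_statement", "")})
    return queue
```

Running `triage(FINDINGS, VEX_STATEMENTS)` leaves three of the five findings on the queue: the unjustified not_affected claim, the affected component with its upgrade action, and the component with no statement at all.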

0:07 - Introduction to Qualys RiskOps Conference
0:33 - Understanding risk versus vulnerabilities
2:21 - The role of VP Product Security
3:03 - Software bills of materials explained
9:08 - VEX for vulnerability communication
10:51 - Agentic AI in security
13:38 - Building secure protocols
15:58 - Developer challenges with security
