Philippe Courtot, chairman and CEO of vulnerability testing company Qualys, is convinced software-as-a-service (SaaS) security offerings will disrupt both the security industry and the IT sector as a whole.

“Today, enterprise software is a losing prospect for vendors,” he says. “Quality assurance in a diverse environment [such as the security industry] has significant costs in terms of time and money, therefore the vendor has to pack enough features in to justify the cost of the QA. That’s why SaaS is such a disruptive technology – it’s an order of magnitude more cost effective to develop, deliver and update.”

Enterprise security, perhaps more than other IT sectors, requires constant innovation to keep ahead of attackers and vulnerabilities and thus a torrential stream of updates and patches. These must be rapidly developed and tested for different platforms and applications. In no other field is software updated a week ago or less considered a liability.

Courtot believes the flexibility of SaaS will simplify the way organisations view security.

“Attacks are becoming more sophisticated, innovation is accelerating and there is an ever-increasing set of data security and privacy regulations,” he says.

“At the same time, people need to communicate and security people can’t keep saying ‘no, you can’t do that.’ It is very clear that throwing hardware and software at the problem is no longer an option when 80% of the average IT budget is spent on maintaining legacy systems.”

The SaaS model could be the “paradigm shift” that challenges those legacy systems, he says, giving organisations a different view of their assets.

“SaaS is delivered instantly, it has to work – a new concept for those used to maintenance releases, which are a nightmare especially from a security standpoint.”