CBR catches up with Steve Munford of Sophos to talk about IT security failures and where the industry is heading.
What is Sophos all about these days and how long have you been on board?
We’re number three now in the global IT security market after Symantec and McAfee, with 65,000 customers and rated the fastest growing security company of them all. That’s building on a great history as a UK-headquartered firm since being founded in 1985 by two Oxford Ph.Ds. We finished our last full financial year with $260m sales, for instance. I became part of Sophos as part of its first acquisition in 2003 and have been Chief Executive since 2005.
Your company was recently bought out by a private equity firm, Apax, in a deal that valued the company at $830m. But you agreed to that after backing down from a possible IPO in 2007. How do we not see that as an admission of failure? Being bought by an investment firm isn’t always the greatest signal.
I disagree. There are two types of equity investor, the ones that seek distressed assets, sure – but also the ones that look for growth assets and who seek significant return on their capital. Apax bought us for that reason. So we see the link as providing the catalyst we need to broaden our solution set and continue our strong growth. I think the value that they paid confirms that and reflects both our performance and our ongoing potential.
Yet at the same time most days we seem to read stories of spectacular IT security failures. Do you not get the impression that no-one’s really using the kind of products you produce at all properly?
Well, I’d have to admit that the security issue itself is a huge challenge and that there’s not one solution to it nor does it look like any company or organisation can really say they’ve solved it yet. The majority of data loss, though, is accidental, as in it’s down to error or inadvertent leakage and there are great security tools that can stop that, from us and others. I will also say that intentional loss – where data goes astray because of the actions of determined individuals – is much, much harder to deal with and while the market has solutions here, too, we are not there yet. Though we can at least provide audit trails to help understand what happened or went wrong.
So as a security vendor, such stories don’t depress you? It seems some of us run very leaky ships.
The problem’s more down to complexity. There are simply more and more devices attaching themselves to the edge of the corporate network and looking after them from a security angle is getting harder. At the same time IT budgets are being frozen at best, often reduced and the management load is that much greater. I’d say that we are probably on an absolute scale reducing the amount of data fraud but on a relative scale we’re hearing about it more – it’s sheer numbers of incidents that also get more publicity than the used to.
Therefore, what is the future for your market?
We have to work harder and harder to secure data as we move into a world where the corporate perimeter is, frankly, dissolving. We need to produce security solutions as an industry that are easier to use and easier to integrate. And we have to work just as hard on education, on policy and procedure, as we do on buying technology. The message for the CIO, I think, is looking at the risk management strategy of your company and really nailing down where you are now versus where you want to be – and what you’d need to do to get there. Only then, get the best tools in to support that journey.
