Kris Hagerman, CEO, Sophos, hasn’t changed how he runs the company since its IPO on July 1st which placed 35% of its shares on the London Stock Exchange valuing the UK security software supplier at over $1bn.
He says: "We haven’t changed. Our view was that we would go public at a time when fully ready to do so and when we felt we could sustain profit and growth. There is no difference in how we run the business now."
Hagerman says he does carve out time to meet with investors and speak at investor conferences but doesn’t pay too much attention to the recent volatility in the capital markets. The day to day market gyrations don’t keep Mr Hagerman awake at night.
"We have a healthy long term view of what we’re trying to achieve. IT security is a $35bn market growing at 7% per year and we’re growing at twice the market rate."
Sophos is a company that likes to emphasise simplicity to address complexity.
Mr Hagerman says the revenue model is simple. Sophos sells security solutions made up of a combination of different form factors, pure software, a mix of software and hardware in appliances and through the cloud. It sells 100% through 12,000 channel partners to over 200,000 customers.
It protects 100m endpoints and tracks 300,000 to 400,000 new threats daily.
In almost all cases Sophos sells its software through subscriptions so it has good visibility of billings and revenue.
The subscription model also suits customer requirement to keep up to date with the changing nature of threats.
Reputation
Sophos is probably best known for endpoint security on the mix of desktop, mobile, laptop and server.
"That’s a market we almost pioneered and we’ve been very successful," says Hagerman
Less well known is Sophos in network security. "We’re now successfully in network security. Half our revenues are in endpoint and half in networks."
Why that’s important, says Hagerman, is that in order to stay on top of advanced threats an approach is needed that is unlike that of most security players who take a silo by silo approach to security. Sophos, he says, allows different layers to communicate and share deep information.
"It is the more innovative thinkers and practitioners as opposed to Symantec and Mcafee on end point or Cisco on the network who can best deal with the new adversaries. It is the next generation of security players, those taking a more creative and more disruptive approach to effective delivery who will succeed given the current threat landscape," says Hagerman.
Market
Sophos grew in the SME market.
There remains a clear focus on SME and what he calls ‘pragmatic enterprises’ which is defined as those who don’t want to hire an army of dedicated professionals to handle security.
"Most other [suppliers] are focused on very large enterprises – the global 1000. These organisations have an appetite and continue to consume dozens and dozens of solutions and deploy the resources to manage them. For the mid market, which doesn’t have these resources to mange products which conflict or to sift through the enormous amounts of data generated it is more sensible and easier for them to deploy effective security of the type we’re delivering through the cloud," the CEO says.
Next Page: A solvable problem?
Solvable problem or unsolvable journey
At a time when some security organisations and suppliers are positioning security as a journey to be taken not a problem to be solved Hagerman takes an interesting view.
Given the number and profile of the breaches reported almost weekly, it is fashionable to view security as an unsolvable problem.
"Security is a solvable problem," he says, "if you are going to take a new approach to systems and actually create a layered approach to security."
But when it is put to him that a dedicated, persistent adversary will always find a way to breach any defence and the real role of security is to have mitigation policies and procedures in place, Hagerman accepts this and says: "Security is a solvable problem that includes the components such as mitigation. Say, I’m going to concentrate on protecting the wall. A second position is if you have sophisticated adversary and they are persistent they will get through. But at the moment they get in you make sure they are identified, you are protected and that the data can’t get out," he says.
His position is that organisations must think holistically, use a layered approach to create effective repellents and know that if someone gets past the barrier then data security can be maintained,
The game
In the development environment the nature of security is if you want to be a leader you have to be a leader in innovation. Hagerman characterises security as the only space in software which is ‘playing tennis against an active adversary instead of against a static backboard.’
He says: "When Oracle develops a new database the innovation is new features, but not features to counteract a huge volume of people trying to undermine the database."
Because of that the pace of innovation is as fast as any segment of technology on the planet to counteract against large well funded and capable adversaries.
That creates continuous innovation at the core of company.
"We have the best product development minds in the world. We’re establishing roadmaps. We’re continuing to progress. The approach takes advantage of current modern techniques in agile development of idea, develop, protocol, product from major centres of development in the UK, India, Budapest in Hungary, Germany, Vancouver Canada."
Talent spotting is done through a combination of direct contact via its existing development teams and, like all other companies, trawling university campuses.
Says Hagerman: The challenge of finding great software developers in security is hard. That is true of software development overall but particular in security because demand is growing.
Galileo
Sophos is working on ‘Galileo.’ There are few details available but Hagerman describes it as a way of providing communications between ‘the security guard at the perimeter or end point and the security guard inside the perimeter on the network.’
"Security should be comprehensive, to stay ahead of what attackers are doing you can’t just provide a great end point or network solution. It can’t just be two separate security guards so we’re giving the security guards a radio to speak with each other," he says.
Adversaries today are smart attackers who set up a system that hops from place to another.
Sophos’ Galileo will be a fully integrated platform which meaningfully integrates end point and network.
Spend?
As a percentage of IT spend, how much should organisations invest in security?
Hagerman says "All the studies say IT security is the number one priority for organisations of all sizes. Whenever I speak with industry observers, with investment bank analysts or with third party analysts they all say among surveys of CIOs the common finding is that IT security is the number one priority in every segment, more than cloud, more than storage. It has been number one in 2014, 2015 will be in 2016 and it keeps distancing itself further ahead relative to the rest of IT."
"We don’t see that changing. The large scale relentless environment of attack is here to stay. The more connected the world becomes will bring huge business and societal benefits but all those connections open up attack surfaces for cyber criminals. It is endemic to the connected world. It will carry a dark side."
The security business case for SMEs, believes Hagerman, can be stronger than for very large organisations, though the nature of attacks and attackers are the same.
"If anything, small and mid size are more exposed than larger organisations. If successfully attacked mid-market organisations might not survive. That’s the fundamental difference between SME and those operating at a large scale. They [SMEs] don’t have resources to withstand sustained attack. That’s what Sophos gives them."
Sophos Market Breakdown
Though associated with the SME world, over 20% of Sophos revenues come from organisations of over 5,000 people, customers with over 50,000 staff are counted in the dozens and clients with more than 100,000 users are in double figures.
The target customer for Sophos is less about size and more about how firms manage their IT and their security. "If the desire is to have large dedicated departments that’s not our target customer. A very large group of companies want security to work without having to spend a fortune without hiring dozens of security professionals," Hagerman says.