Sophos’ Vision of Simple Security Empowers CIOs: Kris Hagerman

It’s been two and a half years since Kris Hagerman took over as the chief executive officer at Sophos. Spearheading strategic direction and business operations for a security company is not new for Hagerman, who has held senior positions in companies like Symantec. Now he is working towards positioning Sophos as an end-to-end enterprise security player. The company surprised the industry when it acquired Indian-bred Cyberoam a year ago to tap the lucrative network security marketplace.

Heartbleed, Poodle, and Shellshock have reaffirmed that hackers are a step ahead of technology vendors. How can Sophos ensure peaceful nights for CIOs and CISOs?

Kris Hagerman: By continuing to relentlessly execute on our strategy of delivering a complete security portfolio that covers all different components of the security juggernaut: End point, network, mobile, Web, e-mail, and server. One of the key attributes of Sophos’ strategy is offering ‘security made simple’ solutions. We not only continue delivering world-class solutions in end user security but in network security too. And for the first time we are meaningfully integrating both sides of the architecture.

Most importantly, an IT admin can actually manage and deploy these products. By delivering security as a system and allowing these different components to communicate with each other. Each one of the components works great on its own but when you have more than one operating, it makes the other ones better. It is the only way that we will be able to stay ahead of bad guys.

How can CIOs design a perfect security posture for their organizations?

Kris Hagerman: I don’t think there is a one-size-fits-all answer because it is so customized and dependent on each individual environment: Number of users, kind of applications, nature of the IT system architecture. Security, just like any other discipline in IT, needs to be adapted. Having said that, there are clear best practices for any enterprise of any size.

First, get the basics right. Take a complete orientation of identifying the key components you need and to have them covered. Make sure those key components are delivered and consistently upgraded and updated. You can spend a good amount of money on a piece of technology but if it is outdated or the users do not like it to be put in place, then it is of no use. And finally, educate your people on the importance of security as a priority. Technology itself can be very thorough but ultimately human beings are a critical part of the picture. Combining great technology–that is well deployed, well maintained–with a user base conscious of the threat landscape results in an effective security posture.

How do you fight next-gen firewall companies like Palo Alto Networks and FireEye that are making waves in the security market?

Kris Hagerman: Palo Alto and FireEye are great companies, but it is important to keep the comparison in context. Their specific target market and philosophy are quite different from ours. They almost exclusively focus on global 2000 organizations with big budgets and huge staff. In most cases, companies need real security experts to deploy their solutions.

Our overall addressable security market is much bigger than those of the mentioned vendors. Our security solutions are usable for mere mortal IT admins in 10, 20, 30 million SMEs globally that often lack huge dedicated IT staff. We are, hence, virtually unique in the security landscape. How many large vendors (hardware and software) focus solely on security, focus on mid-market/SMB, and deliver well-oiled and integrated components of end point, network, server, and mobile? There is no one else except us. This is different than what FireEye and Palo Alto Networks do.

But FireEye and Palo Alto Networks acquired end point companies Mandiant and Cyvera respectively a few years ago.

Kris Hagerman: Nobody uses their end point solutions. We probably have a hundred million active end points. FireEye bought Mandiant. I don’t think they have more than a million end points. Palo Alto Networks paid USD 200 mn for Cyvera, which is a zero-revenue company. They too have maybe one million end points. The scale is simply too different and we are on different planets with regard to end point security.

Sophos is the only vendor in the world that features in the upper right-hand quadrant (Gartner) for both UTM and end point security. End point vendors like Symantec, McAfee, Trend Micro, and Kaspersky are not in the leadership quadrant for UTM, and UTM leaders like Check Point, SonicWALL, Fortinet, and Cisco do not lead in end point.

Sophos acquired UTM companies Astaro and Cyberoam in a space of three years. But the market for hardware appliances might dwindle with the advent of cloud.

Kris Hagerman: UTM is the fastest growing market in the security space globally, which in turn is also the fastest growing market segment within the IT industry. Various analysts value the UTM market at $1.5 billion with a 12 to 15 percent CAGR. The next-gen firewall market viewed separately–which probably should not be the case–makes it a colossal $3 billion market. I don’t think the hardware security appliance business will slow down soon. We are thrilled with the combination of Sophos and Cyberoam, just as we were excited about the acquisition of Astaro in 2011. To reign as a truly disruptive leader in network security, Indian company Cyberoam emerged as an incredibly complementary partner for us. We can now deliver scale, speed, reach, innovation which neither company could have delivered on its own.

At the same time, we are also viewing the cloud market selling virtual appliances or cloud implementations. The numbers are much smaller but they are growing fast. The real strength of our offerings enables partners and customers to choose on-premise appliance or virtual appliance that’s delivered on cloud. They can even choose hybrid cloud.