Sophos CEO Kris Hagerman: We’re Winning On MDR And Now Driving The ‘Next Phase’ Of Security As A Service

Managed detection and response is just the beginning for Sophos, as the cybersecurity giant ultimately aims to take all of its products and ‘deliver them as a service,’ Hagerman says in an interview with CRN.

Hagerman On The Record

If Kris Hagerman is right, the trajectory for the cybersecurity industry will in many ways parallel what happened with data center infrastructure and the widespread adoption of cloud infrastructure as a service. “We see exactly the same thing happening in cybersecurity,” said Hagerman, the CEO of cybersecurity giant Sophos, in a recent interview with CRN. Now, he is focused on making sure that Sophos is at the forefront of enabling the shift to cybersecurity delivered via a service model—or “security as a service.”

Sophos has begun its shift in this direction by emphasizing its managed detection and response (MDR) service as a top priority for investment going forward. The Sophos MDR offering now has more than 15,000 customers and is a “$175 million business, growing at over 50 percent a year,” Hagerman said. “And we think that is likely to accelerate.”

All in all, when it comes to the highly competitive MDR market, “I think in many respects, we’re already at the front of that wave,” he said. “We have more MDR customers than any other vendor that we’re aware of.”

MDR, however, is just the start of the vendor’s foray into the as-a-service arena. Sophos is “now moving to the next phase, which is to take what we deliver in MDR and make that available in our products,” Hagerman said. The ultimate goal is to take all of the products in the Sophos portfolio—including in endpoint, network, cloud and email security—and “deliver them as a service—and do it in a way that’s highly flexible for both customers and for our channel partners,” he said.

The focus on partners is one thing that’s not changing with Sophos, Hagerman noted. “We have seen just incredible momentum with our channel partners selling and deploying Sophos MDR because it’s such a great fit for their own businesses,” he said.

What follows is an edited portion of CRN’s interview with Hagerman.

Could you tell me about your growth strategy in 2023 and what this year is about for Sophos?

I think that the most important element of how we see the market is that cybersecurity today is just so complex and so difficult and moving so fast that the vast majority of organizations, in our view, shouldn’t even be trying to manage it themselves anymore. It’s just too hard. Our view is that they should turn to an expert who can help deliver cybersecurity as a service for them. And what we find interesting is that the same thing that happened with data centers and infrastructure—where 10 to 20 years ago, most organizations managed their own data centers and had the teams and the training and all the hardware and software necessary to do so. [But] over the last 10 to 20 years, the vast majority of organizations have begun to shift to rely on infrastructure-as-a-service providers like AWS or [Microsoft] Azure or Google [Cloud]. Because it’s just really hard to be an expert in data centers. It’s expensive. You have to constantly refresh your hardware and software. You’ve got to make sure you’ve got really expert staff. You’ve got to keep them trained, you’ve got to keep them retained. We see exactly the same thing happening in cybersecurity.

The good news is that because of advances in technologies over the last several years like cloud computing, cloud management, AI, big data, APIs and interoperability—we now have the ability to do something we’ve never been able to do before, which is really deliver cybersecurity as a service. That’s something that we introduced a few years ago. We enhanced that even further late last calendar year. And that’s just been a really strong growth area for us. But we believe it’s just scratching the surface. Our view is that cybersecurity as a service is going to be the predominant way that organizations consume cybersecurity [within] the next several years.

In terms of comparing infrastructure as a service and security as a service, is there anywhere where that comparison breaks down? Or do you feel like it’s pretty close overall?

There are some areas that are inherently different. Infrastructure ultimately was more about software and hardware and networking. Cybersecurity, obviously, deals with risk and risk mitigation and risk management. [All] are very sensitive areas. But cybersecurity has this additional layer of scrutiny and priority for organizations. If an application goes down for a short amount of time, or a server goes down, then you can recover without too much trouble. But if you lose data, or if you have a cybersecurity incident, obviously that has really substantial implications for the organization depending on the scale of it. So there are some nuances that are different between infrastructure as a service and cybersecurity as a service.

I would say, however, that there are more similarities than differences. In both cases they are high-priority, business-critical requirements. In both cases they require expert staff that are constantly trained and up to date. In both cases, there was a clear shortage of skill sets, and just a shortage of staff. As a result, organizations were finding it really hard to keep up with the demands. And in both cases, there are real economies of scale where if you have the ability to see infrastructure across multiple organizations, you can build tools, technologies and staffing to deliver that in a really efficient manner. Exactly the same thing is true in cybersecurity. If you have a broad footprint and you’re delivering cybersecurity for hundreds—or in our case, thousands of organizations—not only do you have telemetry coming in from a large number of organizations, but you also have the ability to respond [more effectively]. It gives you a really good understanding of the threat landscape and how to respond to it.

What direction is Sophos, specifically, taking with security as a service and MDR?

We’re quite excited about the chance to help lead the entire industry to adopt this model for how to deliver cybersecurity. We have 550,000 customers, and we’re one of the few cybersecurity vendors now that is over $1 billion in billings and over $1 billion in revenue. But this is just scratching the surface. We now have over 15,000 MDR customers, but that’s a small percentage of our total customer base. And there are 20 [million] to 30 million organizations around the world, and the vast majority of them, in our view, are probably not adequately protected. That’s because they either don’t have dedicated cybersecurity teams that have the necessary skill sets and training and expertise. Or even if they do, they are most likely overwhelmed and exhausted by the challenge of keeping up with the relentless flow of malware and attacks. So we’re excited about the potential to take this significant customer base we have in place, and this broad product portfolio that underpins our MDR offering, to deliver all of these sophisticated solutions as a service in a highly flexible way for both customers and channel partners.

Our MDR offering is now a $175 million business, growing at over 50 percent a year. And we think that is likely to accelerate. But 80 percent of our business is in our product portfolio, the broad suite of products we have that cover endpoint—which includes EDR and XDR—network security and next-gen firewall, cloud security and email security. So what we’re excited about is the chance to take all of these sophisticated, advanced solutions and deliver them as a service and do it in a way that’s highly flexible for both customers and for our channel partners. Because working with our channel partners is a strategic route to market for us. One of the hallmarks of our offering in MDR is to deliver it in a way that’s flexible enough and that meets customers where they are and meets partners where they are. For example, if a customer already has a Security Operations Center [SOC] in place, we can help supplement that SOC and enhance and advance it so that the team is more efficient and more effective, and just delivers better security.

For plenty of organizations that don’t have a SOC, we can literally stand up a 24-by-7, world-class SOC on their behalf, in minutes, so that they can have the benefit of that for their own organization. The same thing applies to partners. Some of our partners are already delivering managed security services, and we can support that and help enhance and extend that offering. Other partners are excited about getting into that space, and so they have the ability to do so by reselling the Sophos service themselves. And then we can do anything in between.

In terms of the products in your portfolio that make up 80 percent of your business—you mentioned taking those solutions and delivering them as a service. Could you tell me more about that? Are you already doing that for your other products besides MDR?

All of our products are already managed in a single cloud management platform, Sophos Central. It’s one of the things that really differentiates Sophos. So all of our products are managed in Sophos Central and they all produce telemetry that populates a single, cloud-based data lake. That allows those products to actually talk to each other and communicate with each other. We are now moving to the next phase, which is to take what we deliver in MDR and make that available in our products. The technology strategy we have is to deliver these services and capabilities first in our MDR service, but then to extend those same capabilities into our XDR and product offerings.

For example, one of the things that really differentiates the Sophos MDR service is that we not only can deliver our own products as a service, but we can also manage other cybersecurity vendors’ products as well by relying on APIs and integrations at the data layer. In other words, the same products that we use to deliver our own MDR service, the Sophos endpoint that does EDR and XDR, Sophos XG next-gen firewall, Sophos email, Sophos cloud security—all of those same products, and their ability to populate this data lake to integrate with products from other cybersecurity vendors, those will all be available in our XDR offering as well.

If a company is providing managed security services but doesn’t have a platform like your MDR platform, how difficult is it for them to deliver their service repeatably and at scale?

Let’s talk about it from the organization’s perspective. The reality there is that it’s just exceptionally difficult to be able to constantly stay on top of all the dynamics in the cybersecurity landscape and stay ahead of them. And even for organizations that have their own SOC, they find it incredibly difficult to stay right at the cutting edge of technology and to ensure that they have an adequate amount of staffing so that they can run a 24-by-7 operation. [It’s difficult] to keep those people trained on all the most advanced threats and how to deal with them and to maintain that organization in the midst of a talent market that is very competitive. So from an organization’s perspective, it’s just incredibly difficult to, No. 1, become a cybersecurity expert, and then No. 2 to maintain that, and then No. 3 to do so in a cost-effective, cost-efficient manner. We can do all of that on behalf of our customers.

For other vendors who are trying to do this, the short answer is it’s really hard to do this at scale—particularly for small and midmarket enterprises. One of the things that Sophos has had as a real strength for years is that while we serve customers of all types and flavors and verticals and sizes, we have a particular strength in small and midmarket enterprises. We have crafted and refined the ability to deliver this advanced, world-class cybersecurity-as-a-service offering and to deliver it at affordable levels, even for small and midmarket organizations. [We’re taking] something that in the past has been incredibly complex, incredibly difficult and quite expensive and [making] it much easier to understand and to consume. And [we’re making] it affordable because we’re delivering this at scale.

What are some other differentiators that Sophos has with its MDR offering?

One of the things that really differentiates Sophos is that we don’t just come at it from the service layer standpoint. Underpinning that service is a really deep and rich product set of over 300,000 next-gen endpoint customers and of over 250,000 next-gen firewall customers. So we have a rich set of experience on both the endpoint and the firewall, which are two of the really critical pillars of any security estate. And because of that, we go far beyond what a number of other MDR offerings do. They’ll kind of monitor an organization and if they see something that looks concerning, they might raise a flag and alert the organization and say, ‘You need to do something about this.’ One of the real differentiators for Sophos is that because we have this rich product depth, we can not only identify issues but then go in and take action on them, depending on the arrangement with the customer. We can operate in a notification mode. We can operate in a collaboration mode. Or we can operate in a full response mode. And that’s something that a lot of other MDR vendors can’t do. They’re really alert only, as opposed to being able to take a direct and immediate response.

Does that make Sophos MDR more applicable to a wider range of partners, especially MSPs who focus on smaller customers?

I think that’s a really good point. We basically go to market entirely through the channel. [Two] of the expressions of our go-to-market strategy [are] ‘channel best’ and ‘MSP best’—meaning we are committed to being the very best vendor in the cybersecurity space that a channel partner and that an MSP partner can work with. MDR is no exception to that. We have seen just incredible momentum with our channel partners selling and deploying Sophos MDR because it’s such a great fit for their own businesses. It comes back to this flexibility.

If one of our partners or MSPs doesn’t currently have an MDR offering, they can go out and sell the MDR offering from Sophos. And they have a chance, through that, to establish trusted relationships with their customers. For partners that do offer security services, we can help supplement their MDR team and their cybersecurity-as-a-service team through richer telemetry coming from our products, from broader threat research that is coming from our X-Ops team—so that the partner’s managed services staff is only focusing on the alerts that really matter. They can prioritize those alerts, they can sift quickly through what matters and what doesn’t, and it can extend that team and make them much more efficient and effective. So that flexibility has proven to be really popular with our partners. And it’s one of the reasons we keep signing up more and more partners and MSPs to deliver MDR, and why we see such dramatic growth in that business.

What do you think you need to do in order to become the dominant player in MDR?

I think in many respects, we’re already at the front of that wave. We have more MDR customers than any other vendor that we’re aware of. We are consistently ranked as the No. 1 MDR player when it comes to kind of pure rankings, whether it’s from Gartner or G2 or other third parties. We’re consistently in the top of third-party assessments of MDR offerings, like Mitre.

But I think one of the things that we can particularly help with is educating the channel and educating organizations around the world [about security as a service]. Cybersecurity is viewed by so many as being difficult and complex and almost unmanageable, [but] there is in fact now a really attractive way to deliver improved cybersecurity outcomes through a service. Most organizations and most partners still aren’t aware that that’s a possibility.

What is it about Sophos that positions you better than others to deliver security as a service?

I think one of [the factors] is just that we have had a commitment to trying to make cybersecurity simpler and more manageable. That’s been a priority at Sophos at least for the last 10 years since I’ve been at Sophos. It’s [a commitment] to drive the complexity out of cybersecurity.

And so that commitment—paired with this broad product portfolio, combined with the scale of customers that we have and the scale of over 30,000 channel partners—all of those things came together, such that we could see a path to take the next leap. [We’ve found] a way to combine this rich set of products—and a cloud-managed, cloud-populated database that these products inform with their telemetry—and deliver cybersecurity as a service. It’s really the ultimate manifestation of this desire to make cybersecurity more consumable and more manageable by any-size organization.