CRN Exclusive: Sophos CEO On Knocking Out The Competition With Security Heartbeat

Hagerman Talks Partners, Competition

Sophos shook up the security market Monday with the launch of Security Heartbeat, a product that integrates network and endpoint security into a single, synchronized solution. The news came the same week as the company's first earnings call as a public company, following its initial public offering in June. In an exclusive interview with CRN after the earnings call, Sophos CEO Kris Hagerman talked about why the company thinks it has positioned itself to win in the hotly competitive security market, and why partners are a key ingredient to the company's success.

Take a look at what he had to say.

First, tell us a little about yourself.

I've been at Sophos for about three years now. Prior to that, I was CEO at Corel and prior to that, I was at Veritas Software, and then Symantec after Symantec bought Veritas. At Veritas, I ran a billion-dollar business, and then when Symantec bought Veritas, I ran the Veritas business inside Symantec, which is about a $2 billion business. Before that, I started and ran a couple of Internet startups and [worked] for an investment bank. I grew up in Ohio and went to school on the East Coast and did a stint at business school. Now, since I've been at Sophos, ... my family and I moved to the U.K., which was a terrific experience. Then, I went back to Silicon Valley, ... and I'm based out of Santa Clara [Calif.].

I am sort of an outdoors person. That's how I ended up landing in California. I run, and bike, and surf, and ski, and windsurf, and kayak, and all those cool things you can do outdoors.

Talk about the new Sophos Security Heartbeat solution.

We've taken our leadership in endpoint and network, and we're driving real industry innovation for the first time in integrating and linking directly these two worlds of technology of endpoint and network, which for the last 30 years ... have been independent, isolated silos. By linking [them] together, it's sort of like taking a security guard inside the building and the security guard outside the building -- who for 30 years have never talked to each other -- and now for the first time we're giving them radios so they can constantly and actively communicate with each other. It allows us to deliver much better protection against these advanced and sophisticated threats, and yet at the same time actually make it easier to use and easier to manage. Those are the things that we think really set Sophos apart.

Why is the Security Heartbeat so significant in today's market?

I think the quick punch line in the security market is, it’s the single most attractive market in all of IT. ... It’s the No. 1 priority for CIOs and IT executives of literally every size organization, from the smallest to largest. We've been fortunate at Sophos to put together a unique strategy to pursue that market that’s really working, and we continue to outgrow the market as a whole. We're growing at two to three times the rate of each of our core markets, both the end-user security market and the network security market.

Overall, IT security as a whole is just a broad, fast-rising tide for all sorts of different reasons. ... There are 3 billion people connected to the Internet now, ... and all of them are creating, sharing and using digital data, and it has extraordinary benefits for all of us. But then the dark side of the coin in all these mobile devices and connectivity creates the potential for cybercriminals to try to attack us.

There's a lot of players trying to take advantage of that opportunity. What is unique about Sophos' approach?

I think [there are] four things that I think really pop to the top. The single most significant one is our commitment to the channel. ... No. 2, virtually every other major security vendor focuses on the very largest organizations -- the Global 2,000s. We take a very different approach, and we focus on the other 60 million. ... No. 3 is we take what we think is a quite distinctive approach to our products, where we deliver what we call "complete security made simple," which is enterprise-grade, industrial-strength products. We are ranked as leaders by [research firms] Gartner, Forrester, IDC, ... but at the same time, [the products] are designed to be simple, easy to use, easy to deploy, easy to manage ... and, put a different way, security that just works. Finally, the last thing that's different is that Sophos is really doing something right now that no other major security vendor has accomplished, and that is to be a successful leader in both endpoint security and network security.

Talk about Sophos' commitment to the channel.

I'm quite confident that there is no other major security vendor that has as strategic a commitment to the channel or as strategic an investment in the channel as Sophos does. We literally have channel in our mission statement in the company and that’s because we only sell through the channel. It's not one of our go-to-market strategies or part of our go-to-market strategy, it's our only go-to-market strategy. We have 700-plus sales professionals around the world and not a single one of them sells directly to end users -- they all work with the channel. ... That’s the only way we sell. That’s a very big deal because in a lot of other companies, you'll see the channel sales organization aligned with the channel and it stops there. ... I think if you ask what is the one fundamental attribute that is really driving Sophos' success, I think a big part of it is that we have a very clear and focused strategy to pursue this huge market of IT security and the channel is right at the top of that strategy.

It makes so much sense to link endpoint and network together. Why has it taken the security industry so long to get there?

You're absolutely right. If you start from the premise of every organization of any size, they need to have endpoint security and they need to have network security from somebody. If you require these two fundamental pillars, it would make logical sense that you would have them communicate with each other. ... The problem is that it's actually quite hard to do it, for several reasons. One, it starts with, you can't really do an effective job at it unless you start with leading products in both segments. ... You see plenty of players who are successful at endpoint, like Symantec, McAfee and Trend Micro, but they do virtually nothing at the network. You see plenty of players who do very well on the network, like Fortinet, or Cisco, or Check Point or Palo Alto Networks, but do basically nothing on the endpoint. You have to first start from a position of having strong, leading, well-regarded, highly ranked, leading products in both of those segments. Then, you need to take the next step, which is to have them actively communicate with each other. That’s a very deep technical problem that truthfully only became possible in the last few years with the advent of cloud computing, very fast bandwidth and big data analytics.

Other vendors talk about integrating endpoint and network -- how are they different?

There are several companies who have been talking about this -- probably the most prominent are Palo Alto Networks and FireEye. We have a lot of respect for both Palo Alto and FireEye. They are both very impressive and very highly performing companies. The vision [is] somewhat similar but the actual reality is quite different. No. 1, both Palo Alto and FireEye are very focused on the very large enterprise, the Global 2,000. No. 2, to take full advantage of those solutions, you really do need to have an IT security expert, if not a team of experts, whereas the Sophos solution is designed to be simple, easy to use, easy to manage, both by our partners themselves or by the customers. Third, in the case of Palo Alto and FireEye, they have their endpoint and network communicate through the console, while we have them communicate with each other directly. In our view, it's more efficient, faster and allows you to identify important information quicker and to automate more of that process. Those are some of the key differences.

There are companies, most recently Intel Security, stepping away from that. Are companies that follow that path going to struggle?

There's a lot of opportunity and there are a variety of different approaches to the market. We have a lot of respect for McAfee [part of Intel Security] and we have a lot of respect for Symantec and for any of our key competitors. But, at the same time, we do believe that it really does make logical and compelling sense to link the endpoint and network together. We have a very strong point of view that if you want to have a successful and effective defense against these sophisticated next generation attacks, then the defenses have to be every bit as coordinated as the attacks. Therefore, we think that a player that is strong in endpoint and network, and that actually brings them together, is going to be in a very attractive position.

What is the opportunity for partners around synchronized security?

We think this opportunity around synchronized security is a great opportunity for partners and our channel community to not only grow their businesses but to make it more profitable. ... With this new synchronized security offering, you now have a very differentiated product to sell in the market, because there's no other endpoint offering that can be directly integrated with the network offering. It gives you a chance to sell more endpoint. If you are a partner who sells a lot of network security, you now have a very differentiated network offering, but in addition it gives you [the opportunity] to now go to that same customer base that you're working with and extend from network in to endpoint, and you can make all those endpoint products better by selling the network. And the same thing is true in the other direction. In addition it gives partners the chance to work more strategically with their customers, protect them better, give them a cross-sell and upsell opportunity. ... It’s a win for customers, it’s a win for partners and we think it's a win for Sophos and a win for the industry as a whole.

What's the next step of the road map? Will you synchronize more products?

The short version is: Yes. Our vision of synchronized security is that it will extend to our entire portfolio, such that if you have any one of our individual components, ... they will work very well on their own, but if you [have] more than one, they will work even better, such that you will get additional information and additional intelligence. That is consistent with this overall approach we have of synchronized security, where each of the components works better together. That's not something that we deliver overnight. That will be a theme that you will continue to see us deliver on month after month, quarter after quarter, as we continue to innovate.

Again, we think it's great news for our partners, because it will deliver better protection, it will be easier to manage, and it will be easier for partners to build a more profitable business and grow their top line and bottom line at the same time.

What are your predictions of trends to come in security in 2016?

There's two developments. ... IT security has been the No. 1 priority of CIOs and IT executives in the organization. I think that will continue. IT security will continue to be this very large, high-growth opportunity.

The second trend is a more challenging one for partners. ... Partners are feeling this pressure from their customers to become more and more service providers as opposed to product providers. It’s a big part of what we're working with our own partner base on. ... Some have already made that transition, but many more are in the midst of making that transition. We want to do everything we can to help. ... This is why we think there's such a great opportunity for partners, because they can work with these organizations, ... help them effectively manage the security challenge. [The partners can say] we have a long-term trusted relationship, and I'll solve this for you [so you can] focus on your real business, whether it's running a hospital or running a school or running a manufacturer.