CRN Exclusive: Sophos CEO On One Year As Public Company And The Growing Endpoint Market

Happy Anniversary To Sophos

This summer, Sophos celebrated its one-year anniversary as a public company after launching its IPO last June. Over the past year, the Abingdon, U.K.-based vendor has continued to push forward its synchronized security strategy, bringing together the network, endpoint and other security capabilities under a single management platform. That push has helped the company outpace the market growth in its first year on the public market, growing around 20 percent year over year. CEO Kris Hagerman sat down with CRN in an exclusive interview and talked about partners, the midmarket security opportunity, and what’s next for the midmarket-focused security vendor.

One year as a public company: What were some of the highlights from the past year for Sophos?

It’s been a great year. We basically just closed the first year and passed our first 12-month milestone as a public company. We went public in the latter part of June last year. We had a great first year as a public company. We grew at just shy of 20 percent for the year on a constant currency basis. We are outgrowing both of the core segments that we participate in in end-user security business and network security business. We saw continued strong growth in our partner community and it’s been a really strong year for innovation as we’ve taken this, we think, quite differentiated approach to focusing on the massive and underserved midmarket and enterprise segment and continued to really push forward the innovation to meet the needs of those customers and the partners to sell to them. We’re innovating on the endpoint side and becoming a real next-gen endpoint company and innovating in UTM and next-gen firewalls. Then, we’re doing something we don’t think anyone else is doing, which is put all of these products into a single, integrated console that is all managed from the cloud. That’s a big part of why we continue to see this healthy performance and outpace the growth of the security industry overall. It’s been a good year.

Talk a little bit about the state of your synchronized security strategy and how that’s evolved over the year?

The interesting thing about the security market is overall it continues to be one of the largest and highest-growth segments in all of IT. … Within that overall very broad and rising tide, you’re starting to see some separation in terms of individual security providers and how they are performing. I think that has a lot to do with the strategy of those companies, how well they are executing, and how well they are aligned with their go-to-market. … In those areas we just feel really good about the strategy we have put in place to be the best in the world at delivering complete IT security to midmarket enterprises and the channel that serves them. That approach is quite different than just about any other security vendor that I can think of and we continue to get better and better at it. All of the elements of our company are aligned to support that, ranging from the product segments we’re in, to how we design them, to how we deliver them in the cloud, to how we innovate and deliver true next-gen capabilities in a way that midmarket enterprises can actually manage and use, to how we sell 100 percent through the channel. All those things together have contributed to us continuing to outpace the overall market.

Over the past year especially, you’re seeing a lot of the other big security vendors moving to this full platform approach. How are you different?

There are a couple of things that are unique in what we’re doing. … No. 1, we’re basically the only major security vendor of any scale that has a strong and successful leadership presence at scale in both endpoint and network security. We’re literally about 50-50 between our endpoint business and our network business. If you look at virtually every other security vendor, they are 90 percent network or 90 percent endpoint. It’s very hard to build a platform, and a complete platform, unless you have strength in both. … The other important difference is we are doing all of this in the cloud. We announced this platform called Sophos Central, which is a single integrated cloud-based managed console. … We will extend to the entire portfolio, so we now have endpoint, mobile, wireless, email, web security, and eventually it will extend to our entire portfolio. … We think that’s a great opportunity for customers to get much more effective security and to manage it more simply. It’s also a fantastic opportunity for partners because of the ability to do cross-selling. … The third thing that’s different [about what we do]: this platform approach tends to resonate in a much more compelling way with midmarket enterprises that are really pressed for resources and staff. … The idea of being able to get a security solution that just works, is comprehensive, easy to manage, and fully protects you at the same time, that is much more interesting and compelling for the midmarket enterprise than the Global 2000.

Are the majority of partners selling across your entire portfolio, or is that just starting?

I would say that’s just starting. In their defense, it’s just recently that we began shipping products that fully integrate between endpoint and network. The security industry as a whole grew up with a lot of these components as separate and isolated silos. … If you were a security partner, in a lot of cases, you got really good at network security or you got really good at endpoint security, but it was relatively rare to see a partner good at both of them. … That’s what we just started to deliver in November of last year, with the launch of this synchronized security portfolio and technologies like the Sophos Heartbeat that creates this constant communications channel between our next-gen firewall and our endpoint. Once we started to deliver that, now we’re starting to see a steady increase in percentage of partners who are selling both endpoint and network. We call our most active partners our ‘blue chip partners’ and we now have over half of them that have sold both endpoint and network and it just continues to grow. We would expect that to continue.

What are you doing to push that shift along so more partners sell across the portfolio?

The truth is the most important thing we can do is on the product side to put the management of all those products in the same place, have it be cloud-enabled and have it be built from the ground up not just for end users but also for partners. That’s actually what Sophos Central is all about. That Sophos Central cloud platform is designed to be a single, integrated console to not only allow end users to manage their security but allow partners to manage security across multiple customers, to do cross-selling more easily, and to do upselling more easily. … We need to do a good job to let customers and partners know what we are doing and why it has value, but the product almost helps market itself because there are consoles where we make it clear to both the customer and the partner which product components are available to them and which ones they are enabled for. … This comes back to the underlying demand environment, where we just see this very strong pull from both customers, particularly in the midmarket, and from partners saying they would really love to deliver more security capabilities through this platform. … As we deliver them, we’re delivering them into a market that has primed itself to be excited about it. … You have a dramatic pull for an integrated platform.

Do you have a strategy to push into the enterprise market down the road?

The midmarket is an enormous opportunity. There are over 50 million midmarket enterprises around the world. Today, Sophos has about 220,000 customers. We’re growing that pretty aggressively, but if there are 50 million or even 60 million worldwide, that’s a lot of running room. We feel very good about the potential and just how large the opportunity is as we deliver on this mission of being the best in the world at delivering security for the midmarket. That being said, we have a number of larger enterprises that find that value proposition compelling. In other words, we do probably 18 percent of our billings in organizations above 5,000 employees, particularly organizations that have a large number of branch offices or retail locations. … These solutions that we deliver, they are truly enterprise-grade with industrial-strength protections, but we deliver them in a way that are cloud-enabled, integrated, visible in the same pane of glass, and that are easy to use and manage.

What do you see as the biggest pain points in the midmarket when it comes to security?

They are fundamentally different from the enterprise. What’s similar is they face the same kind of threats as large enterprises, they are just inundated with security challenges all day long. The fundamental difference is they have nowhere near the resources, staff and budget to deal with that problem. … In that environment, they can’t effectively deliver great security if there is that level of complexity. … For a midmarket enterprise, complexity is the enemy of security. Even if they go out and buy a really sophisticated solution, they don’t have the expertise and the staff and the budget to put a dedicated team on managing all the custom requirements that come with those. So, this value proposition with midmarket enterprises of delivering enterprise-grade security, but doing it in a way that is cloud-enabled, simple to use, deploy and manage, that really works. That’s the product strategy that we have been delivering on for years and it just continues to gain more and more momentum.

How do you view the midmarket security opportunity for the channel?

We literally are 100 percent channel. It’s not part of our go-to-market strategy or one of our go-to-market strategies, it is our only go-to-market strategy. When we bet on the channel, we see a lot of that commitment get reflected back in the engagement that we have with partners as we go to market. … It shows up in all sorts of other ways that are not immediately obvious. The very best and brightest people in our sales organization and in your SE organization are all aligned to the channel. … All the systems, processes and back-end capabilities to create a frictionless flow to support channel partners. That’s the only thing we do. … It has a whole lot of implications in making us an easier place to work with for channel partners and, of course, the better you get at that, the more success you get with partners, the more time you spend with them and the more you’re engaging with them and the more they provide feedback to make that better, and better and better.

Any predictions for the market to come as we come to the end of the year?

The thing that we see interesting happening right now is just the resurgence of interest on the endpoint. You tend to have this pendulum swing where, four or five years ago you had this burst of new network security vendors saying it’s all about the network. … But, now you’re seeing more and more interest in next-gen endpoint. … For us, it’s particularly interesting because we have the ability not only to innovate and deliver next-gen endpoint, but also do that in parallel to developing next-gen firewall. Rather than being in a position of saying you can do it all with a next-gen firewall or you can do it all with next-gen endpoint, we’re saying you actually need both. … The other thing you need them to do is talk to each other, and by doing that, you will address all sorts of gaps in security that, for 30 years, have been very hard to deal with. … When a hacker or cybercriminal tries to get into your organization they will test every door that they can, whether it’s on the network, endpoint, Wi-Fi, email, web, mobile, you name it. … It’s these gaps between these independent silos that have been really hard to deal with because you have independent vendors, multiple solutions that don’t talk to each other so you can’t catch that stuff. That’s exactly what this synchronized security product strategy is all about.