Sophos CEO Kris Hagerman’s 10 Boldest Remarks From Best Of Breed Virtual Winter 2021

From surging sales and profitability and securing the supply chain to combating complexity and doubling down on detection and response, here’s a look at 10 notable statements made by Sophos CEO Kris Hagerman.

Going All-In On The Channel

Kris Hagerman has been committed to going 100 percent channel since taking over as Sophos’ CEO in 2012, and has never looked back. The Abingdon, U.K.-based SMB cybersecurity stalwart has seen surging demand for its MSP program and new managed detection and response (MDR) offering as Sophos continues to shift more of its business toward the company’s advanced, cloud-based security offerings.

“We would not be where we are without them [our partners],” Hagerman said. “They are strategic to our success. And it’s one of the reasons why we continue to recommit to our channel best strategy every single year.”

In an interview at Best of Breed (BoB) Winter 2021, a virtual channel thought leadership conference hosted by CRN parent The Channel Company, Hagerman discussed why the colossal SolarWinds hack should be taken as a warning sign to all solution providers to become security aware and security literate even if they’re selling very little cybersecurity technology today.

From surging sales and profitability and securing the supply chain to combating complexity and doubling down on detection and response, here’s a look at 10 of the boldest remarks Sophos CEO Kris Hagerman made in an interview with Steven Burke, CRN’s Executive Editor, News.

SolarWinds Hack One For The History Books

This SolarWinds incident is probably one of the most dramatic and impactful security incidents of the last decade. And it has all sorts of pretty important implications for companies of all sizes, and in particular for the channel.

So if you think about it, number one, from this point forward, every channel partner will have to be security aware. Every single channel partner, whether they are an expert in security solutions and actually sell security solutions or not, they will have to be security literate.

Because as more and more research becomes available and some of the answers come out, it’s clear that not only did the attackers use vendors like SolarWinds, but they also took the opportunity to come in and use as a vector some Microsoft resellers themselves. And then they were able to move laterally from corporate environments into cloud environments and back again from cloud environments into corporate environments.

The Importance Of Getting The Basics Right

This [SolarWinds] was a very sophisticated attack. It’s sort of the equivalent of somebody wanting to rob your home by tunneling in under your house, waiting for you to go on vacation, and then sort of drilling holes up underneath your house. So it was a sophisticated, stealthy attack, and customers and partners should ensure they are protected and can detect those kinds of attacks.

But let’s start with ensuring that everyone gets the basics right. I mean, before you worry about people tunneling under your house, make sure you lock your front door and your back door. Make sure all your windows are locked. Make sure that you’ve got lights turned on at night on your front porch and your back porch. Make sure that you’ve got a security camera set up. Make sure you’ve got some motion detectors.

Do the basics first. Keep a clean, well-organized home operation and then set up the more sophisticated capabilities.

Winning The Footrace Against Hackers

Number one, protect against those attacks ever taking place in the first place. Number two, set up the ability to detect them if they do take place. And number three, establish the ability to respond to them super quickly, ideally in an automated way, if they do take place.

Because once an attack like this occurs, it’s effectively a race. It’s a race between the bad guys who were moving laterally and everywhere they can in the network to find sensitive information and then get it out of there. And it’s a race for the good guys to identify where they are, detect it, and ensure that they kick them out and protect the data.

So number one, get the basics right, deploy a security strategy that is multilayered and that relies on world-class protection, detection, and response. And you need all three of them.

Putting Supply Chain Front And Center

What this attack was all about was a supply chain attack. For the entities that were targeted, it looks like there were 18,000 that were exposed, but maybe only 200 to 300 whose networks were actually compromised.

But for those 200 to 300 organizations, it wasn’t specifically their own security estates that were used as the vector. It was the fact that they used other vendors, whether it was some cloud vendors or some IT systems management vendors, and the attackers came in through those doors.

So what it really says is that if you are a customer of any size or now any of the partners that serve those customers, you cannot think about your security only in the context of, ‘How well am I secured?’ You’ve got to go beyond that to say, ‘How well am I secured and how well am I securing everything that I connect to?’ I mean, it’s a daunting undertaking.

Complexity Is The Enemy For Customers

The thing that really sets Sophos apart is that our mission is all about developing highly innovative, highly intuitive products that offer the world’s most effective security for organizations of any size. If you’ve got a great tool, but it’s so complex to install and deploy and to use, and you need an army of security SOC professionals to manage and maintain it, that doesn’t work well for the vast, vast majority of organizations around the world.

And so, the thing that really sets Sophos apart is, yes, we have a broad portfolio, but we have a broad portfolio where the individual products are among the one, two or three best in the world at what they do, in many cases validated by real third-party tests, not to mention real world success.

I mean, we have now over 450,000 customers, we protect over 100 million endpoints around the world. So it’s a broad solution, but it’s one where each of the components is highly effective.

Betting On The Channel Has Paid Off

We’re essentially 100 percent channel. Virtually everything we sell goes through the channel. So we have no internal debates or conflict about what’s our channel strategy or where’s the channel conflict. We don’t have any. We have pushed all of our chips to the middle of the table on the channel.

And that was one of the core strategic decisions we made not long after I joined. And Mike Valentine, who runs sales for us, and Kendra Krause, who runs our global channel program, when they joined soon after I did. We decided that we were going to bet on the channel big, and it was one of the best decisions we ever made…

What we don’t subscribe to is this idea that, okay, well, this year is the year of the channel so here’s all of these temporary programs or spiffs or discounts. And then six months later or a year later, the company changes its direction or changes its priorities. We think it’s steady, continuous commitment and focus and prioritization on the channel.

Cyberattacks Have Surged During Pandemic

During this pandemic, attackers aren’t slowing down. In fact, they’re actually ramping up their activity and they’ve been ramping up their activity for two very obvious reasons. One, more and more organizations are virtual and working remotely, which means they’re relying on systems that are a bit new. Everything’s being communicated digitally, relying much more on the cloud. So that’s one; you just got a lot more digital remote activity.

And number two, attackers take advantage of uncertainty and disruption. And it’s hard to imagine since World War II a more disrupted time than right now. And they take advantage of that. So partners have really stepped up to help protect customers in this really crucial time.

Good Enough Security Isn’t Enough Nowadays

There’s Sophos and then there’s good enough. If you have something that you think is good enough – given the wave of ransomware and the wave and the volume of attacks – it doesn’t take a very big difference between good enough and world’s best before you really regret it.

We’ve got over 12,000 MSP partners. A lot of those are coming from environments where they’re working with other endpoint providers who said they were kind of good enough, but the moment that you got a breach, all of your decisions around, ‘Hey, that’s good enough’ go out the window. Because, not only have you jeopardized your reputation with the customers, but, of course, the customer is in the middle of the breach. That could be a business life threatening event for that company.

In our view, there’s no practical alternative for a partner that really cares about its ongoing reputation and its business but to be really thorough and confident in ensuring that whoever you’re working with, as a security vendor, has really nailed, in a comprehensive way, some of these core attack vectors.

Sales Growth, Profitability Accelerating Dramatically

At the time we closed the [Thoma Bravo] deal, we were probably about 50 [percent] – maybe just shy of 60 percent – of our business was in what we call our next-gen product portfolio. That’s all of our most advanced products all managed in the cloud. By the end of this fiscal year, that’ll be 70 percent. And that business is growing at 30 percent a year. This ability to work with a single shareholder to take the transition we were already driving and accelerate it and get to the future faster has really worked for us.

The other two attributes that we were looking to accomplish were to … drive faster growth on the top line and faster growth on the bottom line at the same time. And again, it’s been a great year for us. We’ve been able to grow. In the year of a pandemic and the worst economic shock in macroeconomic terms since the Second World War, we’ll grow faster this year than we did last year and we will dramatically grow our profitability year-over-year.

Security For The Masses, Not Just The Massive

You’ve got this massive, massive security market, a $65 billion market growing at 10 percent a year. You’ve got security as the top priority for every size organization around the planet. And you’ve got over 2,000 security vendors, and yet probably 95 percent of those 2,000 security vendors focus only on the very largest organizations in the world, the Global 2000.

We are focused on delivering world-class, enterprise-grade security solutions that are accessible to any size organization, whether you have 100,000 employees or 100 employees. And that is crucial because those organizations, they’re all subject to the same kinds of threats, but they have nowhere near the same scale of resources to respond to them.

And so, we’re very proud of the 450,000 customers that we have today. But I mean, look, there’s more than 20 million organizations that we think are great potential customers for our solution. So we’re really excited about the road ahead.