Kris Hagerman of Sophos on beating the bad boys
PUBLISHED: 10:16 29 October 2013 | UPDATED: 10:22 29 October 2013
© Thousand Word Media
Like it or not, our world depends on functioning IT systems. If they’re threatened, we’re all in trouble. Oxfordshire-based Sophos keeps the viruses at bay
Imagine a world without the Internet. No Google, Wikipedia or Twitter. No email, Facebook or LinkedIn. Don’t kid yourself you’d welcome it. As soon as we want to access emails at a convenient time, find the time of a film or check a bank account, we regret it not being there.
The internet has broadened our horizons, and while there are well-publicised bad bits it’s largely a force for good, from education and social networking to on-line banking and shopping. It’s also fundamentally changed the way companies do business.
But of course there are risks in linking with the World Wide Web. Open the door on your life and business and as many unpleasant things can creep in as good. Malicious computer viruses arrived over 30 years ago and now hundreds of thousands lurk across the web, infecting computers, stealing identities and sometimes bringing businesses to a juddering halt. The most important and probably least understood solution is good antivirus software. Not installing it on your systems is like leaving the office safe open with a sign saying ‘come in and help yourself’.
Sophos, headquartered at Abingdon and Massachusetts in the US, is one of the few successful independent antivirus companies of its scale, and one of the top 100 companies in the world. Oxford University graduates Jan Hruska and Peter Lammer founded it in 1985, originally as a hardware computer company, before they realised there were bigger opportunities for a business which could protect computer systems from the growing threat of Internet viruses. Now a £300 million business, its founders still sit on the board and there is a new(ish) CEO, Kris Hagerman, a softly spoken Californian with big ambitions who took over a year ago.
“We want to become a billion dollar company over the next five years by being the best in the world at delivering complete IT security to small and medium-sized companies,” he says. “Sophos’s challenge is to remain nimble and quick as it grows, and what’s really important is that we deliver solutions that others are not solving well.”
The security software market is worth $20 billion worldwide. Include network security and it’s a massive $60 billion and growing 10% a year.
“The multitude and diversity of threats are extraordinary,” explains Kris. “Every day our teams across the world are dealing with up to five hundred thousand unique threats rolling through computer systems globally.”
Sophos protects 100 million business systems worldwide. Six times a day, every day, it sends out live updates online to those it protects. Customers include Hollywood film company Pixar, Xerox, Ford, Avis and our own Houses of Parliament.
“We have a significant presence with the UK government as well as other governments,” explains Kris. “These organisations don’t want to hire an army of people to protect their systems, they want someone who can do it for them, with products that are efficient, easy to use, manage and maintain.”
A big challenge for the industry is that no matter how good a company’s office-based computer antivirus is, as we increasingly access company data via smartphones, iPads and even memory sticks, everything is vulnerable unless encrypted. “When we talk about complete security, it goes far beyond the desktop and laptop,” says Kris. “It’s also how employees use and manage their data and devices.”
If you leave a smartphone on a train or a plane, Sophos can wipe it clean remotely, ensuring that data doesn’t leave a device and get uploaded onto unapproved sites, or copied to another device.
Viruses are so much sneakier these days. We might think that porn or other dodgy sites are the most likely to harbour malware (malicious software which gathers sensitive information or disrupts computer operations), but it’s now more likely to be legitimate websites unknowingly hosting unwanted bugs, and it’s increasingly difficult for the antivirus industry to identify what sites are not legitimate. What’s needed to prevent the spread of viruses is the gut instinct of the computer antivirus teams as well as their computer surveillance systems. “Human judgment is critical,” adds Kris. False positives (thinking something is nefarious when it isn’t) can also be a problem. If a company really locks down on its security it can easily prevent a large majority of bad information, but that also raises the possibility that the good stuff won’t get through either.
So prevention has to be a team effort and the industry works together. If Sophos identifies a new virus it will share the information with its competitors. “No one vendor will get everything first,” says Kris. “Everyone’s approach is a bit different, using different algorithms and we will each in turn spot something new.”
Kris gives me a tour of the Sophos building on the Abingdon Science Park. There’s plenty of space and it’s laid out in a collegiate fashion. On one floor there is also a locked area we don’t penetrate. Only those with the highest security clearance can enter. Throughout, there are a lot of rather geeky-looking computer wizards lounging comfortably in front of big computer screens hunting down bad-guy computer hacker adversaries.
They might look a bit geeky, but every staff member has the razor-sharp intellect needed to make good computer virus analysts.
“To work here you have to be whip-smart,” says Kris. “Our staff must also want to work in a very dynamic environment where what they are doing is constantly changing. They must want to be the good guys and be prepared to do battle against the bad guys.”
If it sounds a bit wild west, I guess it is, but I carry on listening to John Wayne, sorry Kris.
“We look for solid, entrepreneurial engineers who like the idea of being on the front line to protect the world’s businesses and enterprises and we do think very hard about the cultural fit of new employees,” he adds.
Like any other high-tech, intelligence-driven business, it’s tough to find the talent they need. “We have development centres across the world to attract the very best that we can. We look in the industry for people who have done this for some time, and we also go to the universities to find the right graduates to train.”
Kris’s own career has almost been run in reverse. After Stanford Business School in the US he set up and became CEO of his own on-line business, raising venture capital funds and successfully selling it and establishing a second before moving into corporate life. He was previously CEO of Corel Corporation before taking over the top job at Sophos. His direct experience of the issues around growing a business from scratch allows him to understand the SME businesses Sophos is targeting. “The industry is changing fast and if we are to grow our business we must also stay nimble,” he says.
So what are the biggest global issues for the industry at the moment?
According to Kris, they are the rise in sophistication and organised nature of the attacks taking place. “It used to be a cottage industry built for notoriety and ‘bragging rights’,” he explains. “You had individual hackers who worked their way into a particular website and software so they could say ‘look at me and what I’ve done’. They’d put up an ‘entertaining’, perhaps self-promoting message, and there is still plenty of that happening, but there has also been a dramatic shift towards organised crime syndicates and government organisations bent on disruption. As a result the nature of the threat is getting much bigger. It has become an enormous business.”
Statistics are unreliable – no big business wants to admit they’ve been hacked. A study published recently said that the size and scope of the threat in terms of losses to businesses and public sector organisations is massive, but studies base their conclusions on varying assumptions, such as how much economic value is ascribed to inefficiency or loss of data. How can you put a value on the loss of a laptop left on a train with unprotected data? Did it end up in someone else’s hands and if so what was the impact of that, or did it simply end up gathering dust at the left luggage depot?
“The problem is that the more you share what’s happened, the more you inform the bad guys as well as the good guys,” says Kris. “What I will say is that there is a host of steps organisations can take to protect themselves and many SMEs are not doing the basics. When you look at the number of tasks and responsibilities a company’s IT officer has, it can be an easy oversight not to ensure all mobile devices are protected and encrypted. Encryption has been around for a long time.
“We have customers from five users to 150,000 users and it’s about how the enterprise uses IT rather than the size of the company. Our bigger customers have many offices all over the world – so each office is like an SME.”
Sophos is finally opening an office in San Francisco. “It’s such a hotbed of industry activity and talent that a company of our size in the security industry should be there. We are opening in the Bay Area where we already have customers.”
There are also great opportunities in Brazil, Russia and South East Asia, but Kris is mindful that business must be built in a culturally sensitive way. “There are now probably more internet users in China than the US, but they have their own cultural norms and it will take time for us based in the UK, where we are more attuned to Western Europe, and in the US to get comfortable doing business in these new regions, but we will. There are probably between 30-70 million small to mid-market businesses around the world and half are outside western countries, so for the global company we aim to be, we must understand the countries to operate there – and we have people on the ground there already.”
In this 21st century dangerous equivalent of cowboys and Indians, instead of a clean neckerchief the good guys wear Superdry t-shirts. The trouble is, thanks to the anonymity of the internet, no one knows what the baddies are wearing.
Visit the Sophos website: www.sophos.com/en-us