Talking the hot topics of security with the Sophos board
At the start of this week I visited the offices of Sophos in Abingdon. Whilst having the opportunity to meet with the threat labs manager and various well-known spokespeople, I also got the chance to meet with the CEO Steve Munford and UK country manager Ciaran Rafferty.
As you would expect, there was little in the way of any negativity towards its own product and generally the attitude towards the rest of the industry (in the direction of this journalist) was also positive. However when I interviewed them both, what I did get was some interesting thoughts on some of the hot topics of the moment.
The government recently announced that £650 million will be invested into cyber security, while the Prime Minister said he wanted to work with the private sector. Would you welcome government interest into Sophos Labs if that were the case?
Munford: “Globally we are seeing four levels of warfare: the traditional land, air and sea and now cyber has to be recognised. When governments look at cyber security threats there is a balance of a traditional view of defence versus the benefits of working with industry, so to what extent do they have their own bespoke analysis versus working with industry?
“We are seeing a theme globally where the defence sector has things custom built themselves, which is very expensive and does not really leverage where it is at in the industry. In cyber security we have large corporations that are under attack constantly and that same behaviour is happening within government. I think it is the UK that has been driving that and we see ourselves in a unique position to be a partner to the UK government.”
Rafferty: “Historically Government were unaware that we were anything more than an anti-virus company and now they understand that we do a lot more than that. We are also being asked to get involved with the Government on various levels, for instance the Cyber Security Challenge, which is a great way to find and attract new talent at the same time as offering tests and games to identify areas of improvement to security.
“Looking at small-to-medium businesses, they are the backbone of the UK PLC and we ourselves are a mid-sized company; and look at what the government is trying to do in saving money, they want to know how to reduce costs and the big piece on that money is going to be spent is education. They do not necessarily need to spend £650 million to get a project off the ground, it is how we re-educate the government and the civil service on why security is important, because in a lot of the cases you can have encryption and anti-virus, but it is also about the people.
“I think that money will be used to tell people how sophisticated cyber security is and how you can work with private companies and I get a sense that is how it will be spent.”
What do you think about international cooperation on cyber crime?
Rafferty: “I see governments coming together in terms of cyber security because there are no borders. We trap malware and you find where it has originated from and the current jurisdiction patterns means that there is no actual way of finding out where they are. Subsequently they (governments and law enforcement) need to get tougher and if they find these people they cannot give them a £150 fine and a slap on the wrist, so I think you will see more and more the big G8 countries will work together on cyber security.
“What kicked this off was in 2006, when Arnold Schwarzenegger saw that data protection was the way to win votes, now look at 2007/8 and the loss of the HMRC disks and Gordon Brown and governments will ask themselves if they want to be Arnie or be Gordon? Regardless of their political background, some people see this coming and David Cameron is seeing this as a big piece that is coming. So why not ask for extra help from private companies?”
Munford: “Government are now seeing what corporations have for a long time: how do you solve all of this with a lower budget? That gets into analysing best practise and choosing the right product and platform and making the right decisions. They have to rationalise it and do more with less dollars. Then focus on the more general problems like cyber terrorism.”
Is there a general problem with a skills shortage in the UK, which has led to the creation of the cyber security challenge?
Munford: “There is a fundamental challenge with a skills shortage in the industry and there is a role for us to heighten awareness and get people thinking about security. We have talked about all of these initiatives within government and within corporations. If you are a technical person coming out of university and want an exciting job and a strong career path then cyber security is where it is at.
“Fundamentally we need to get it into the curriculum and more people doing it, I was hearing about the interest in the gaming industry but I think security software is equally or more exciting.
“You have the ingredients for a fantastic apprentice programme, as you will not find a person who has been trained in security in the UK and I think there is a role within education to build some basic foundations within IT security. Everyone within our labs is someone we have invested in to bring up to speed on how to do the work, not to say that you cannot get the skills out of university as you can, but people in IT departments are taught database skills and there is not the same development in security skills. I still think the UK is fundamentally a great place to hire and do development and there is more that government and industry can be doing to promote the right skill sets.”
Rafferty: “The whole reason the cyber security challenge was born out was because Baroness Neville-Jones said that cyber security was important and historically education had been left to somebody else. We can go round to universities and make it easy for them to see it in practise, the reality is that they want to leave university to an industry that is growing and is well-paid and fun, this is the place to be.”
This year has seen a number of acquisitions by major software and hardware companies of security brands; do you think that this has been a positive note for this industry?
Munford: “What companies want today is a broad-based provider that is independent from any vendor, because fundamentally the world tomorrow is haemorrhaging this network and security needs to work there and be specialised across platform. That is why security is not going to work if it sits inside a player and needs to be platform agnostic.
“There are two different arguments here: that security resides within the infrastructure; and that it is on an independent platform within a sophisticated company, then it requires a dedicated business-focussed company. What customers and industry wants is for a security company not to be swallowed up.
“HP, Oracle, Dell and IBM: all of these companies will invest in new verticals to drive growth and security seems to be an attractive vertical these days. No matter whom the acquirer is; it is yet to be proven that infrastructure companies are a good home for security companies. With core security, history will tell us that it is best to be seen as an independent security company and it is a large enough field that you can have strong stable businesses in it.”