Interview: Steve Munford

Feature by Paul Fisher

Most clients don't like their vendors and require a more comprehensive solution says the Sophos chief. Paul Fisher reports

Most clients don't like their vendors and require a more comprehensive solution says the Sophos chief. Paul Fisher reports.

Steve Munford joined the Sophos group in 2003 after it acquired his previous company ActiveState where he was president. His new masters must have been impressed with the laid-back Canadian's business skills as in 2005 they made him CEO.

My first meeting with Munford was about one year after that appointment on the exhibition floor of the 2006 RSA Conference Europe, held in the balmy surroundings of Nice.

Then, he spoke of the nimble advantage that Sophos had over its larger US competitors and was targeting 30 per cent growth in North America in 2007.

“Sophos is well-positioned to take a good chunk of the market and we will continue to innovate in the security area,” he said.

Today we are in one of the meeting rooms of Sophos' widely-admired HQ building (see box) in the Abingdon Science Park. Munford looks the same; the urgency to his speech is the same as I remember – the undoubted intelligence. Yet it takes some time before we move beyond the PR banter of “great technology company…our mission…core expertise etc…”

But there is some meat to the claims and he says that the management team has been expanded and the spend on engineering has doubled in the last three years.

And seemingly some of the ambition of two years ago has been achieved.

The US remains Sophos' key market – one he says that's been growing “north of 40 per cent” for the last three years.

“It's very, very important that we're able to go into that market and demonstrate success, because ultimately, our largest competitors are there; it's their home turf, and those, typically, have been people that have been on the leading edge of security decisions.

“We're a great European company, but we don't want to be seen as just a European company.”

He adds that Sophos has found an opportunity in that the majority of people don't like their security vendors: “The majority are looking for an alternative that could bring together the easy solution”.

Don't like their vendors – who could he possibly mean? “Symantec,” he says, before adding: “If you asked the average IT guy running the security, do you like your vendor? Do you like the solution set that your vendors are choosing? The answer is no. They're saying, in this economic environment, is there a way of doing it that either reduces the cost, or certainly reduces the people effort of managing security? And doing it in a way that allows them to get security in place, but also allows the business to get doing business, rather than always worrying about security.”

I knew from our last conversation that Munford was aggressive. He was deadly serious when he said that he had Symantec and McAfee in his sights. But since 2006 one of those businesses is now being led by someone equally sharp and aggressive – Dave DeWalt, the new king of an increasingly rejuvenated McAfee. How does this change the game?

“It will absolutely get better going to market; it's much more aggressive on the acquisition front, it's getting much sharper, but again, its solution is fundamentally more complex than ours, and it also lacks key areas, like no network access control, which we've done”.

“Customers are looking for an integrated solution. They don't want AV to conflict with the encryption software. They don't want to deal with five or six vendors; they eventually want a road map that these get brought together.

If you're a 500 or 1,000 person organisation with four or five IT staff, you don't have a DLP specialist; you don't have a security specialist,” he says.

By now Sophos should have become a publicly-listed company – it was scheduled to IPO in early 2008 but then the decision was pulled just before Christmas 2007. The official line then was that the conditions were not right. Given the financial hurricane that has engulfed the world since, they could hardly have got better.

“When we pulled the IPO (initial public offering) it was very much: we're not going to wait until next quarter and not do the things we need to grow a business, because when you're in the process for IPO you can't acquire companies; you can't change your business, you've just got to run with the status quo,” he says.

“So I didn't have access to public company funds, but we raised that, and we did the acquisition of Utimaco.

“So if you fast forward, maybe in a year from now, after we've worked on the integration, then the question of why do I need the money is pretty obvious. I've got $100 million plus of debt to service. I could use some money to potentially refinance that. We would like to get to the stage where we have the currency to go out and raise capital and make acquisitions that make sense. You never run a business that's dependent on an IPO; you never have investors that need an IPO out this year; you just do it at the right time when the market conditions are favourable,” he says.

“Now, the overall economic climate out there is tough, trading conditions are tougher. The great thing about security is that it's not optional; it's only optional who you buy it from, and that is more of an opportunity for us, and we had one of our strongest growth rates in the first quarter of this year, which is March to end of June,” he says.

At the time of this interview Lehman Bros still existed as a bank and the part nationalisation of three of the UK's biggest banks seemed an unlikely possibility. However, the Chancellor Alistair Darling had suggested that we were facing the worst crisis for 60 years – and had been roundly criticised for this statement as exaggerated. Munford picks up the thread. “It's funny, I'm an economist by training, but I don't know. I think in the majority of businesses in the majority of sectors, it's tougher but it's not the end of the world.” Then he adds: “We keep thinking we're at the end of it, but are we at the end of it? I don't know.”

Given the exposure as fools of so many banking CEOs just recently, it's fair to say that Munford's admission of ignorance can be forgiven. And he's probably quite glad right now not to be at the mercy of the markets.

And as he says the world isn't at an end, there may well be further acquisitions, but they will be specific and they will be strategic, he says without committing himself one way or the other to further activity.

“We're not doing it just because we have a mandate to do an acquisition every year; we're doing it because it makes sense. But you shouldn't assume that every year, we'll be doing an acquisition of that size.

“But then again, you shouldn't be surprised if another one happens”.

He's adamant however that acquisitions are not just there to scale, to make it harder for others to acquire them, but as he says continually through the interview, like a brand statement, to become the “next great security company”. I'm sure he believes that – I do too – but he lets slip finally that with the acquisition of Utimaco there is now in his words a company with $400m of top line.

“The number of people that can afford to buy a profitable, growing company of that scale is fairly few,” he concludes.


First time visitors to Sophos HQ in Abingdon Science Park are usually taken aback by what they see as they sweep into the visitors car park. Instead of the ribbed cowshed vernacular to be found among Sophos' neighbours on the estate, the company has a genuinely outstanding piece of architecture.

Built by Bennetts Associates, the building was opened in 2004. It covers a total area of 145,000 sq ft and boasts a roof garden. But it's the light and space inside that really impresses, especially if one is used to the cramped and dated environment of so many central London offices.

Steve Munford is genuinely enthusiastic about the building and believes it reflects the Sophos way of doing things, comparing it to the way the company's products work.

“It's like our software, which is built for purpose, well thought out and well designed, and it shows. Open our software and one of the first things that people say is that it looks very intuitive as you click through – there's lots of design philosophies to it,” he says.

Pointing to the other side of the floor he expounds on the philosophy behind the coffee areas which are, he says, designed to promote social interaction.

“What you want to do is create an area that has enough space, where people can come in, and not just have coffee but meet an engineer, or meet some other people. And to have enough shelf space, so that people aren't all queued up behind each other to make a cup of tea.

“And that all sounds very trivial, but if you get it wrong, it frustrates people, and people then do other things to avoid it,” he says.

He recalls going through the whole design of the place in Vancouver with Peter Lammer, one of the co-founders who he says particularly cared about the work environment.

“It was funny how many of the principles of the work environments you try to create we had in common,” he says.

“When you bring people into the building, sometimes you feel embarrassed, because it looks like we've spent too much on the building, but then again, there's not much difference between doing it right, than doing it poorly,” he says.

Those fortunate enough to spend their working hours in the Sophos building are probably glad that the business spent that extra little bit.

But it's not just about the wellbeing of employees or making them more productive and creative. Sophos management no doubt subscribe to the philosophy that the standard of a company's architecture also says something about the quality of its products. It's also good business.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events