Building the future of cybersecurity: Insights from the Chief Product Officer at Sophos

Show Notes

What's it like being at the helm of a security operation that safeguards thousands of businesses worldwide, with new cyber threats emerging every single day?

In this episode, host Heather Haskin meets with Raja Patel, Chief Product Officer at Sophos, to uncover the strategies that keep one of the world’s leading cybersecurity companies ahead in an ever-evolving digital landscape. As cyber threats become more sophisticated and relentless, Patel shares his unique approach to building resilient security solutions that not only anticipate future challenges but also empower teams to think creatively and collaboratively.

Discover how Sophos is pushing the boundaries of cybersecurity by blending innovation, strategic foresight, and a people-first mindset to protect organizations worldwide.

Featuring: Raja Patel, Chief Product Officer, Sophos

The Catalyst by Softchoice is the podcast dedicated to exploring the intersection of humans and technology. 

The Catalyst by Softchoice is the podcast dedicated to exploring the intersection of humans and technology.

Transcript

0:00

This episode is brought to you by Sophos, your partner in building cyber resilience and defeating cyber attacks. Sophos delivers a powerful solution to secure your most valuable data and stop threats before they strike. Learn more at softchoice. com slash sophos dash feed. You're listening to the Catalyst by Softchoice, a podcast about unleashing the full potential in people and technology. I'm your host, Heather Haskin. What does it take to stay ahead in the ever evolving landscape of cybersecurity? If you ask our next guest, it's about way more than just leading product development. It's about anticipating the future and shaping it. Raja Patel, Chief Product Officer at Sophos, is responsible for building a security solution that protects thousands of organizations around the world. From small businesses to global enterprises, the stakes are high. Every day, new threats emerge, and the frequency and scale of threats is only increasing. But Raja isn't fixated on the project. For him, the journey is just as important as the destination. Raja has been at the forefront of cybersecurity for years. Leading teams to create tools that are powerful, reliable, and forward thinking. We'll explore how he does it, the lessons he's learned along the way, and what he sees on the horizon for this fast paced and hugely important industry. Raja, welcome to The Catalyst. I feel extremely honored to be able to have the opportunity to talk with you today, especially coming out of a recent outage. I have a million questions for you. I'm looking forward to it and it's nice to meet you today. So having been in the tech industry for quite a long time, a lot of years of experience behind you, we like to ask all of our guests, what is your purpose statement as a leader? When I take a look at missions and opportunities for me over time, it's kind of molded. And I think as a leader, I have two main responsibilities. One is to just grow and broom talent, right? And so I spent a lot of time with my product and engineering teams talking and thinking through what's going to grow them to become leaders for today and tomorrow. And then the second half of it is the mission that we're all on in cybersecurity, which is to throw attacks and keep cyber criminals at bay. Day in and day out, that seems to be a cat mouse game and it's been that way for decades. And so that's always intriguing on what new mousetraps we can set to try to get ahead of this cyber war, I guess is what we would call it. Those are two very purposeful areas. I love what you said about growing and grooming from within. That actually really speaks a lot about you as a leader. And I appreciate that in my own company, I feel that we have a strong value for exporting from within. I think that. Could probably bring you a lot further just by taking the talent you already have and putting more investment into those people. So very warming to hear that. Sometimes they may not seem to think of it that way. Either when we're going through hot items on projects or whatnot, they seem like they're in the boiler. But ultimately I think a healthy working team is a team versus individuals that are kind of doing their own thing. And so I try to push folks towards common goals and common missions, and then everything else kind of fits in once. You get a purpose set for whatever it is, a business unit, a project, a new venture, an adjacency that you want to go capture, whatever it is. It seems to have worked for me for many years. And so I'm planning on just keep doing that for the rest of my career. When asking a question to a company, how do you guys make such great products? And the answer is like about how you treat your people. That that's such a great pause and think, Oh yeah, duh, that should be the reason. But it's great to hear. That's what you guys are focused on over there. Thank you. Give you an example. Recently I was with one of the teams, our security operations team, and we were working through user experience workflows. I'm notorious for going into workshops and just picking and choosing out of the business units because there's so many workshops that the teams are building, so many great things for a company of our size that in this workshop is watching the teams interact and they're different disciplines, right? There's a product marketing person in there. There's. A user experience person. There's lots of opinionated product managers. And as we were going through it, it was one of those moments where we, the teams are so into their thing, whatever their thing is, and the next little evolution of it, where sometimes all you got to do is ask them a question of what's that thing supposed to go do? What's its goal? How do you measure it? And the minute you give them that freedom of thinking, like outside of the linearity, because, because customers and partners are like, they're like, Hey, what about this feature? Or what about that feature? Because they might've seen it somewhere. They might've heard about it somewhere. They might've played with it somewhere. And oftentimes not all features are equal, right? And not every company has the, the wallet, if you will, of every other company, given the dynamics in the marketplace. And so within that particular meeting, I said, what if you guys could short circuit, get into that outcome, right? And in this particular example, the answer to the question was around time to detect, investigate and remediate. And we want somebody coming into this console to be able to go through that life cycle pretty quickly. What they started out with was in double digit types of clicks and flows. And what they ended up with. Was they wiped out a good chunk of what they were going to have an operator go do, because they realized that the system could just do it for the operator in today's day and age. And it's that kind of thinking that I think those like workshops are intended and meant for that you don't always get, which is take a step back. And is there a better way? You know, you don't have to do it the same way everybody else has, because they've done it and they've been successful at it with time, you get new tools and with new tools, you can find better ways to do things. And so. I like to push. I like to push because it's very easy for teams to just take the linear approach. It's hard for them to look around the bend and take a little bit of a risk. Because after all, if they go down the true tested path that others have been on, they're not going to fail. If they go take a risky path, you know, who knows? People may like it, people may not like it. At the end of the day, if it helps us reduce the surface area and the time to detect, I think it's worth the investment. That's that disruptor versus status quo mentality. Sounds like you guys have a real round table going over there. It sounds like autonomy, the ability to ask questions. I'd say all around good team building. Yeah, generally, I think, uh, we like to think that Tufos is, uh, a place where the culture is probably our greatest asset. As a leader, that speaks very well about you as well. Going back to what you said about your purpose in the cybersecurity space on the other side of things, not just related towards your employees, but towards getting ahead and being that leader in the space. What could you say more about Let me take a step back, right? Like for a very long time, this industry was all about proactive controls. We put control points at the end point, at the edge of a network, when the cloud came up at the edge of the cloud, the email gateways where email traffic traversed or the web gateways where internet traffic traversed for a very long time. I mean, gosh, over a decade, control points were the place where the investors needed to be. And everybody spent a Industry in large, but all of their investments and making sure those are the best control points to keep known threats out. And then this day zero thing kind of showed up at a faster pace and the industry recognized that detecting response was the way to go because you couldn't keep everything out. You still needed to do the first, but you could spend less time there and spend more time in detecting response. And the last one is one that's not even in front of us yet, which is. How do you actually take a step back and do healthy planning and constant planning that allows you to kind of stay ahead of this posture while your I. T. environments continue to change? So hold that thought for a minute. The second is, and products themselves, and it's in the eye of the beholder, right? I don't believe in this notion that you could either have a platform or best of brief. At the end of the day, the platform needs to be there to allow operators and customers and partners to scale. So they don't have 17 different places to go to manage, but at the same point in time if the category of the product or the solution isn't doing its thing, then what's the point of the platform in the first place, right? And so, power of the and that, that sets Sophos apart by nature, that's the second one. The third one is that not all customers are created equal, right? The banks might have really large budgets and large staff to keep up with their security posture, of course they need to, right? Stakes are really high, but if you think about Joe's coffee shop down the street or a midsize business anywhere in the world, their core context is their bailiwick, whatever they do for a business, they don't understand cybersecurity and it's ins and outs, nor should they. They don't understand IT and their ins and outs, nor should they. And in that particular area, the third dimension for us is how we serve our customers. For Sophos, the serving of customers is really pick your choice, right? On what extreme. You can buy the tools and deploy it yourself. In the middle, a partner goes and buys the tools and deploys them for you. And all the way on the right, you could say, Hey, the detector response part of the daily 24 by 7 grind, once I'm set up with my proactive stuff, I just want you to deal with. Here's the keys. If something happens, let me know. And we really have purposefully built a system that allows us to service customers in the way they want to be serviced. In the categories that we play in, endpoint, network, cloud. Be able to provide the best solution sets for what customers are doing today and where they may go tomorrow. I think the biggest thing to think about scale, many vendors in the industry have been talking about platforms this year. Gosh, for us, we've been delivering this platform for well over five years and it's scaled. And our sweet spot in the marketplace has been in this pick your segmentation view, but this mid market, small, medium enterprise and lower market. Well, scale matters and resiliency matters. So if we could service hundreds of thousands of customers there, I think we're in a unique position to be able to drive a life cycle. And that, that leads me to the last part, which is part of our ongoing journey is. Well, great. We're good at putting control points out where everybody is. And we're good at doing 24 by seven detect and response in an open environment. Now what, because that's just another game of the hamster on the hamster wheel. How do we go about. And what you'll see from us as our strategy continues to play out is the notion of taking this proactive environment back into the limelight. Whereas today, we've been in this reactive nature in the limelight in cybersecurity about detect and response. Drawing so many parallels, Hill, from what you were saying about the way that you treat your employees and that they're given their own view and be able to take a step back and look ahead and say, what are we actually doing? What we need to do? And then to think about the product itself. You need to have that way of thinking in order to stay ahead of all of the cybersecurity risks that we're dealing with. I've had experience with Sophos in my past years as a seller. It was one of my favorite security products to sell because the engineer that joined the call would always come at it so positively towards the customer. And the platform was so simple and. Pointed it directly what was needed. So it made that conversation flow so easily away from a sales conversation and towards a needs conversation. What pain points are we solving? So I found it to be quite an intelligent conversation because it was so easy. Ultimately, you want to make stuff intuitive for people to understand if you make it so hard. And so complex that you're kind of making it harder for you against the mission you're really on, which is the adversary. Right? And so a lot of things that we do, we try to make sure that when we design it in, that it's designed for a lot of different segments within verticals in the marketplace to take advantage. There's a good example. We rolled out this managed detection response service. The open version in November of 2022, where well over 23, 000 customers by the largest MDR service by number of customers operating globally. I'm lucky I have security operations analysts at scale that work for us. So every time I want to think about what I take to customers to service themselves, I got no further to look than watch them do their day job because that's ultimately what our customers are going to want to do. And so our user experience and product folks go in and have spent some time with our operators and our operators, there are over 200 of them, closer to probably 300 at this point, but very, I mean, it's a large team and the entire gauntlet for them is to learn from each other. Well, if we can take their collective learnings of how they run our service to keep our customers protected and start automating the things that you can actually automate, but leave the things for human control that need to be in human control, everybody gets the benefit of those operators at scale. Here's the other part, those operators at scale, they talk to each other, like they're constantly on their, uh, team channel or Slack channel, might be texting, whatever it is, when they're dealing with their daily issue. So if you're my friend, and you've got your set of customers, and I've got my set of customers. And you tell me about somebody being attacked, I'm going to go look and proactively do a threat search into my base and so forth. And I think that that's the power of the AND in, in our overall products. In today's world, cyber threats are more relentless than ever. Your data backups are under constant siege and a simple breach could lead to devastating consequences. But what if you had a powerful shield to protect your data? Introducing the Sophos Beam solution, designed to build unparalleled cyber resiliency. Sophos Managed Detection and Response pairs perfectly with Veeam's data platform, ensuring your backups are not just secure, but also recoverable at lightning speed. Whether you're a current Veeam user or looking to strengthen your data defenses, this is your next step in cyber protection. Don't wait for a threat to become a reality. Schedule a meeting with Sophos and Sophos security experts today to explore how you can safeguard your most valuable asset, your data. Visit sophos. com slash Sophos dash Veeam to learn more. That's sophos. com slash Sophos dash Veeam. Sounds like you guys are maybe using some AI in what you're doing. What would you say would be your biggest concern and maybe your expectations for that in the future? Look, I think it's like with any advancements, like you look at the internet when it first came online and you know how the world of spam and everything else along with it that erupted, there's no going back, right? It's not like we're going to turn the internet off in this day and age, the entire economy would collapse. And I'm not sure what our young children would spend their time doing. In AI, I think just like we, even when cloud was born, right, there's good and the bad. And so for every. There's going to be the adversaries using the same technology for BAT. And so I think my biggest fear there is they've got no rules and how they deploy those tools and technologies. We're developing rules and how organizations and business do it. And I think that we're going to see eventually AI driven attacks formulating the marketplace at a bigger scale than today, the biggest advantage for us is. Look, it's a promising capability set that can allow us to have, uh, equalizer against the adversaries. Right? And at the end of the day, these generative AI tools or any AI tools are about two things, efficiency and efficacy. We talk about AI like it's new, but AI and cybersecurity products has been around for a long time, right? Pattern matching, behavior analysis, it's not new to us. What's going to be bigger and new is how we make use of the productivity element of it. The interactive element of it. And as it gets smarter, gosh, the things you can query from whether chatbots or whatnot is getting better. And so I expect that the customer experience will get faster. I expect that, you know, if something goes wrong, troubleshooting will get faster. I expect that security operations analysts will be able to get through their workflows faster. There'll be a lot of hidden benefits that come through it. And so I, I'm a cautious advocate of watching it mature and giving us some net new productivity, sort of like when the internet and the cloud came to fruition for, for the world. That's the thing. You can't ignore it. You have to use it. You have to get good at using it. And you have to find out the best way to use it to get the best outcome without wasting time or space. And that focus on productivity, I think that's key. My question to anyone that tells me they've gone through ransomware or whatever was, Hey, do you guys have cyber insurance? Because You know, they're worried about, is this going to ruin my bonus at the end of the year? Or is this going to affect the way I get paid? So, hey, do you guys have cyber insurance? So with that becoming more and more increasingly important, as these threats are more complex, what's your take on the role of cyber insurance in today's security landscape? I think it's super important. And I almost put it as a trifecta, right? I think that customers are going to need, if they don't already have it, a combination of cyber insurance for if and when things go bad. They're going to want an MDR service for 24 by 7 to keep up with threats that get through their control points. And they're going to want to constantly make sure that they're adhering to best practices and staying current with vulnerabilities and their environment. And I think that trifecta loop really works well to deliver the outcome of keeping customers protected, MDR service, it's like a service that's watching them all day long. It's like your alarm system in your house, right? When it trips, somebody's always looking out for you. Well, guess what? Your proactive controls are like the door locks and the window locks on your house themselves, right? The control points keep in. Cyber insurance is sort of like our insurance policies, right? If something does happen, it's there to cover you. We've been partnering with cyber insurers for a while now. And one of our partners, a company called Cy Assurance offers fixed rate policies and the policy structures are competitive and they're able to offer fixed prices and lower fixed prices. Because a customer might have an MDR service. And so you're starting to see that even that world in terms of risk versus liability, they're going to force people to have an MDR service because it's less likely that a end customer gets breached and they're going to call for the policy to get enacted if they do it. And guess what? Cyber insurance is all about risk and policy management. And so. Wits Insurance in our all hands a couple of weeks ago and then the partner summit a couple of months ago I shared a couple of case studies from the Northeast where the customer was looking for change in insurance They went and talked to our partner Partner was able to provide them a quote and with the money that they were gonna save Not only were they able to pay for their MDR service They still had money to put back into their operations wherever they wanted to and those types of stories are growing You It started out with one early spring, and now we have several that have followed suit through that kind of model. And so I think it's important, and I think it has to come holistically with that trifecta. With all of the different threats that you've encountered over the time that you've been in your position, my curiosity would be, what do you see coming next? You mentioned the possibility of threats that utilize AI. The most recent outage was very simplistic, and it was not a cybersecurity threat in the bad actor space, but it, it Did cause some disruption. So my question to a leader like yourself would be like, what do you foresee and how are you looking to get ahead of that? Yeah, I think, I mean, look, last week at Blackout, it was eye opening because it was the conversation for everybody. And it's not the first time we've seen it, right? We saw a long time ago with some of the, what you would call legacy players like McAfee, right? And, and the likes. And I think what it, what it comes back to is forget the incident for a minute and talk about just critical systems, right? A mob. I'm an aerospace engineer by background, and I'm a pilot when I'm not working in cyber, and in that domain Redundancy is a big thing, right? Well, I go fly in the air data computer on an airplane. There's two different versions of it, right? I have redundant displays. I have redundancy in just about every system, hydraulic systems. Everything that's in that aircraft is redundant. Why is that not the case for the architects for cybersecurity? It's probably because of how fast we move and we've not had to think about it this way, right? I think what that outage teaches us all is, any single point of failure is going to put us up at high risk, higher, high odds, right? Even if the likelihood would be small, because we haven't seen this in a very long time, when it occurs, gosh, look at the impact that caused and they're still causing today, right? And I think what's going to end up happening if I was to predict the future, which is more realistic is organizations are going to start thinking about a second source. And in this example, the second source isn't a system, it's probably a vendor. And they're probably going to have to start thinking about how they divide their asset classes up between those vendors to mitigate the risk of a single source of failure. We'll see how it plays out. It's a hundred year flood kind of moment, right, in industry, when the darling of the industry gets one of these things happen to them. It's software. It's avoidable, but at the same point in time, it's software and it's humans enacting the software. And so, I think redundancy is a important wake up call for us in the industry. When it comes to, then, the future for you, I mean, how do you stay ahead yourself? What do you do to keep yourself and your own personal development ahead of product development? My wife always tells me that. I need a big mental project at any given time. Otherwise, yeah, I'm just trouble. It's almost a puppy let out of its cage, not knowing where to go and what to do. I'm crazy. And so, I mean, the way I stay ahead, the things that motivate me the most is one, I'm competitive. So winning in the marketplace and getting a good outcome for customers is always the most rewarding for me. And so I tend to spend. A considerable amount of time in the field, talk to partners and customers alike. And I think when I sit down and I talk to them about where they are today and some of them about where they're going tomorrow, it's the 80 20 rule. A lot of folks are just dealing with the here and now that looking around the bend for them is hard, but there are a few people out there that are constantly thinking about disruptive, innovative ways to get ahead. Right. And I spend enough time with startups and the advisory networks and folks that are In that entrepreneurial spirit. And what I do is on some of them, we get back together as a team internally, and we talk about the areas that we want to kick the tires on, whether it be proof of concepts that we do by ourselves, whether it be work that we do with a potential partner on the technology side. Or not so that when we make a bet, we know it's going to give us a lot of a return on that investment and solve a customer problem at the same time. And so I'm a big believer in fail fast, fail cheap, big believer in a healthy debate and a brainstorm before we decide to go commit the project. And so we pressure test a lot of where we want to spend our energy and every bullet in that gun matters. I don't have the ability or the freedom to. Go invest in a hundred things and have five pan out. We'd be broke, right? That's one part of my way I spend some time doing a lot of research work with Listen to analysts in the industry and you know some of the trends that they're seeing and what they're hearing from their client base And you got to just triangulate what's a natural evolution of our product and portfolio from where we are Last, but certainly not least, it's true, I think, in industry in general, products are easier to build than go to market. And if you don't build both of them up to the same level, you could have great technology and it goes nowhere because you've got nobody to be able to articulate its value or intercept the customer at the right place or the partner is not the right type of partner because they're focused here. And so a lot of it goes into that blender to kind of hit the blend button and see if the taste on the other side looks good before we actually go spend a dime investing in it. Many years ago it wasn't the case. Sophos in its history would invest in technology because it was the next thing that was coming. We wouldn't invest in the equivalent go to market and, you know, the products until you actually put an investment in go to market or you re invest. factored the product or the capability into a feature of something else, the world wouldn't get to take advantage of it. And I think we've, we've balanced out, you know, both product and go to market to be able to pick the things that are going to work for us in this time and age. It's an amazing combination of things. You have this amazing product, but you have to make sure to put the time and energy into just communicating, talking about it, making sure people are aware of it, how to use it, when to use it. I'll give you some stats. When we go back to the platform conversations and the solutions that ride on platforms, essentially the platform should enable you to drop new solution sets or new features or new offerings on it at a faster pace than you did last time, right? And that's a true test of a platform because it means that you're able to leverage. For us, as the industry talks about platforms, we do 150 terabits of data through our data platform a day. And, and most people will be like, is that a lot, is that a little, how do I make sense of it? Can you imagine sitting on your couch watching four straight years of HD movies? If you think about it that way, like that's what we collect on a daily basis, that much data, right? Or, like, our analysts do about 200, 000 cases in MDR a year, serving 23, 000 plus customers. What I'm afforded in my role here versus any prior company I've worked for is that I have this incredible platform in which we can roll out new capabilities while we continue to maintain best of breed of the categories that we do represent today. And as time's gone on, the products have just gotten that much stronger. Along the way of gosh, in fact, I think that when customers speak, it's the loudest compliment you can get both in Gartner Peer Insights, which is a pretty good public Yelp, if you will, for cybersecurity and the G2, if you take a look at the history of Sophos, go back several years and look at it today, products are now starting to win some of those awards. And I overweight that all day long, above and beyond. You want to analyze say by themselves or any other fraction has to talk about is because most of those folks are actual users. Their guidance is much more important to me than any other part of the industry. Wow. Thank you, Raja. I really appreciate learning so much from you. I feel like I have so many more questions. For any of our listeners, um, listening that want to take a deeper dive into some of these topics and learn more about your work at Sophos, where can they go for more information? I think what I would tell them to do is go start at Sophos. Go take a look at some of the accolades and then hit the product and services page on the Sophos website and there's a ton of information there. I think at the same point in time, reach out to your reps, um, what can bring talent into the environments to come talk about the customer specific situations and help figure out a plan going forward and maybe they'll select Sophos to protect their enterprise. Awesome. We love Sophos here at Softchoice. Always enjoyed working with members of your team. Appreciate your time as well. Thank you so much, Raja. Heather, it was awesome. Thank you. In an era where cyber threats are constantly evolving and becoming more sophisticated, understanding how to build resilient security solutions is paramount. Raja's experiences and strategies offer a roadmap For navigating these challenges, highlighting the importance of innovation, strategic foresight and strong leadership and safeguarding the digital assets of organizations. I was particularly warmed to hear him speak to growing and grooming his people, providing space for them to collaborate freely while challenging them to To reach their full potential for those at the forefront of technology and cybersecurity, staying ahead of these trends isn't just a competitive advantage. It's essential for the survival and successes of their businesses. Raj's experience and insights serve as a reminder of the stakes involved and the need for ongoing vigilance and creativity and protecting what matters most. Thank you for tuning in and see you in two weeks. The Catalyst is brought to you by Soft Choice, a leading North American technology solutions provider. It is written and produced by Angela Cope, Philippe Dimas, and Brayden Banks in partnership with Pilgrim Content Marketing. This episode is brought to you by Sophos, your partner in building cyber resilience and defeating cyber attacks. Sophos delivers a powerful solution to secure your most valuable data and stop threats before they strike. Learn more at softchoice. com slash Sophos dash Veeam.