Security Q&A: Sophos boss Steve Munford

Sophos CEO Steve Munford has held IT and business executive roles, but now has his heart fixed on the good fight, battling online threats as the head of one of the world's most popular security companies.

Steve Munford (Steve Munford image © 2004 Sophos. Used with permission of Sophos. All rights reserved.)

Name: Steve Munford

Position: chief executive officer, Sophos

Born: Toronto, Canada, 1965

Education: degree in economics and philosophy, University of Western Ontario. MBA in Canada and Japan.

Career: chief information officer at Canada's largest PC manufacturer, Seanix Technologies. Established and ran Vancouver-based security company ActiveState in 2000 until its acquisition three years later by Sophos.

ZDNet Australia: What interests you about information security?

Munford: Its pace and complexity. It is fast moving and competitive. Those covering the space know that you wake up everyday to something new to talk about and protect against. It makes for a dynamic and exciting industry.

What is your take on the industry?

The trends in security are somewhat shaped by the trends in the overall IT space. If you look back 10 years, we have seen and will see a fundamental change in the way corporate networks operate, [influenced by] the adoption of mobility, the dissolving perimeter of the corporate network and the ubiquitousness of the "always-online" generation.

The generation that has grown up with technology and social media is coming into the industry; this is a cocktail of open users, open networks and sensitive data which has created a tough job for IT security.

There is a lot to be done in user education; we don't spend enough time teaching them. However, the criminality that lies behind attacks has changed: some are much more explicit attacks into corporate networks that aren't always reliant on users, and are much more sophisticated at stealing data for financial gain. The industry must continue to evolve and build better solutions to defend against these attacks.

In your field would you consider hiring virus writers?

We have had, since we first got into this space, and always will have, a policy of never hiring virus writers. It is a crime. We hire incredibly bright people who are dedicated to cracking the codes and solving the problems. I believe they are infinitely more capable and smarter than those writing the malware. I think it would send the wrong message. We update a hundred million computers a day, and if we had the wrong person in there, we could do a lot of damage. We put a lot of care into hiring the right people.

But then, Frank Abagnale [Jnr] was a fraudster and is now one of the best weapons of the good fight…

Frank is working for the FBI and there it makes sense, but not in our industry.

On profiling, a lot of people will admit they struggle with it. How far and deep do you have to delve [into employee background checks] to ensure your staff don't leak [intellectual property] or sensitive data?

Like others, we do our best to make sure we bring the best people we can into the organisation. Secondly, we actually have very rigid security standards in the labs: physical to the network architecture, to monitoring activity in the labs. We monitor behaviours, what is being sent out of the organisation; we use a variety of tools to spot anomalies. Hire the right people, have the right policies and monitor with tools.

The questions that lie within that are about data leakage — how do you stop rogue employees stealing data or [intellectual property] or using the network to do damage to the company — I think that in itself is very challenging. The biggest area of harm is by the unintentional employee, which goes back to the need for education and tools.

What would be the risk if an employee were to release code or antivirus signatures?

We assume all bad guys have our software and test against it. The protection has a short shelf life before writers get around it, and it is always changed. If code was stolen, it may, in the worst case, give someone a leg-up in writing a virus, but it would be short lived.

McAfee's acquisition by Intel took many of us by surprise. They spoke often about integrating security into the chip. What's your take on this?

Firstly, I agree that it took everybody by surprise. When I heard about the announcement, my assistant texted me and I thought she made a mistake. The general feeling in the industry is that Intel has huge cash reserves and made an investment in a growing industry, and that's the primary reason behind the acquisition.

I think if we can make the chipset more secure, then that is good for the whole industry. But fundamentally, can you put security into the chipset? There are a variety of reasons why that can't happen and why that is not the right place for it to be done. The very basic one is that the world operates in a very heterogeneous environment and it is not chipset dependent, or operating system dependent, or platform dependent. To try to tie security to one particular platform is not the right thing for industry or customers, so I think Intel made a good investment, but their ability to cross-pollinate the chipset and the security industry is very limited.

Do we continue to see acquisition of security companies? Hard to say, but I think the overall trend in IT is consolidation; people want to deal with fewer vendors. There have been many Oracle and Sun [acquisitions] that catch many of us off guard. Security is very different from other industries. People want a broad solution catered to their needs that evolves and responds quickly. I don't know if being part of an infrastructure company is the right place to do that.

Why did you stay on after the acquisition [of ActiveState in 2003]? Why not, as it has been said, go and run a chicken farm?

We worked very, very hard to get the acquisition done and afterwards, we breathed a sigh of relief and victory was declared. I like the people in Sophos and find the security industry fascinating. I didn't set out to run Sophos, but along the way opportunities are created, and it has been a lot of fun.

This article is the first in a series of Q&A interviews where ZDNet Australia will talk with some of security's most prominent names — from executives to technical gurus, from global to local figures.
