Kris Hagerman, Chief Executive Officer of the UK-based cybersecurity solution company Sophos, has vast experience in running cybersecurity businesses.

Hagerman, who led a key business at Symantec prior to his joining Sophos in 2012, drove the company’s expansion in India, where it set up a data centre in Mumbai last year.

In a virtual interview with businessline, he speaks on the current global cybersecurity threat landscape, skill shortage and tells organisations how to protect themselves from an increasing number of cyber attacks.

Edited excerpts:


Can you throw light on the current cyber threat landscape globally? What are the current challenges?

Cybersecurity has become so complex. It moves so fast that most organisations can’t manage it effectively on their own. The number of attacks is growing and the attacks are getting more sophisticated. Ransomware continues to be a global epidemic.

While organisations are buying products and tools, they are overwhelmed by their sheer complexity and high cost. They’re hard to manage. If you really want to manage cybersecurity effectively, you can’t just rely on products alone. It’s got to be a combination of products and comprehensive threat intelligence.


Are there enough cybersecurity professionals to help organisations protect themselves?

There’s a global shortage of cybersecurity talent. A study says there are about 3.5 million open positions in cybersecurity. Cybersecurity professionals are very difficult to hire, retain and train. 

Because of recent advances in technologies like artificial intelligence and cloud computing, automation, and sharing of threat intelligence, we can offer cybersecurity-as-a-service at scale.

Besides taking information from all our products, across endpoint, network and cloud, and email, we can now take information from other vendors’ products as well. 


The incidence of ransomware is increasing by the year.

Yes. Ransomware continues to wreak havoc and become more prevalent. It’s successful because it works. Cybercriminals are either exfiltrating the data or making it public to demand ransom from organisations. To combat ransomware, it’s not just enough for organisations to acquire better protection. They should also have better detection and response capabilities.

Attackers can find a way to bypass even the best protection. A combination of people, processes and technology is so important because it helps leverage cloud-based databases, artificial intelligence, and advanced detection techniques across multiple organisations.


When attacked, big organisations with deep pockets can afford to pay for ransom and get their hijacked data released. But it is quite tough for SMEs and MSMEs. If they lose data, it would have a debilitating impact on their businesses. What is your advice for them?

Companies with deep pockets can purchase the right products and can have the scale, expertise, and budget to implement mature processes. But only a few thousand organisations have this luxury.

Small, micro and mid-sized enterprises, which make up the majority of the 30 to 50 million organisations in the world, face the same cybersecurity threats but lack the resources to tackle them.

This is why, we think, cybersecurity-as-a-service is so crucial. Because we can offer them access to the same scale, expertise and advanced tools and technologies, all packed as a service irrespective of their size.


How big is Sophos? How many employees do you have globally and how many of them are in India?

We have a revenue of over $1 billion. We have a global workforce of about 4,500 employees. Of them, 1,000 employees are in India.


How important is India as a market for you?

India is a strategic pillar of our business. It is the largest single country in terms of staff for us, across all functions, ranging from R&D, finance, marketing, support, sales and back office. It’s one of our fastest-growing countries.


You mentioned the challenge of manpower in the cybersecurity space. How are you addressing this problem?

We work with various organisations, both in India and globally, to provide training and opportunities for new graduates, whether they come from technical schools or support training institutions. We have large support and engineering teams as well as management trainee and internship programmes.

To help organisations address the skills shortages, we offer cybersecurity-as-a-service so that they can rely on us instead of hiring security professionals.


Do you have plans to increase operations in India? 

About seven years ago, we had only a few hundred people. Today, we have well over 1,000. We would continue to grow and expand in India. 


Are there any India-specific security challenges that you have seen? 

I think that there are a lot of common attributes. Most cybercriminals, particularly when they’re operating at scale, tend to operate across States, and they don’t really respect national boundaries.

When they find a technique that works, they often deploy it very broadly. That’s one of the reasons that you see many of the same kinds of attacks or the same kinds of concerns across geographies.

When we take up surveys, we find that organisations in different geographies have similar concerns, budgets, staff, and confidence levels when it comes to cybersecurity. Organisations openly admit to struggling to keep up, and that they are overwhelmed.


What are the three key things that individuals or companies should prioritise to protect themselves?

Our first recommendation is to make cybersecurity a priority. It’s not something that you can check a box and get rid of. It’s something that you need to make an ongoing priority.

Secondly, enterprises should focus on the basics. Do you have visibility into all the assets on your network? Do you have modern, updated, fully patched software on all those systems? Are you training your people on good online practices?

Finally, are you deploying a cybersecurity strategy that has defence in depth where you’re relying on advanced technologies at multiple layers?