Peers including Palo Alto, CrowdStrike and Okta have announced they’ve sold over $1bn via AWS Marketplace. How much business does Sophos do through hyperscaler marketplaces, and how would you assess the partner opportunity here?
There’s a massive opportunity there, and I think one of the motivators is just that the spend incentive structures the marketplaces have constructed – where if a customer of theirs has an annual commitment for a certain amount of spend, some of that commit could be fulfilled by marketplace transactions. It’s a wonderful market incentive ecosystem they’ve built there.
We’re in the very early stages of leveraging that right now. We’re a big AWS customer today – we run Sophos Central and SecureWorks infrastructure out of AWS, and we have detailed quarterly business reviews with them about opportunities for us to bring more cybersecurity services to their customers.
With Chris Bell leading our global channel strategy, he has a mandate to grow our hyperscaler business and we’re going to be making some pretty significant investments in our partnerships with them.
How do you see the threat landscape evolving and what’s the one threat people aren’t talking about enough?
There are a couple that have recently made the news more frequently than any of us would like to see.
One of them is the DPRK fake IT worker threat.
Another, which is a much more difficult problem for any of us to get our hands around, is the third-party risk threat, the most recent of which was Collins Aerospace. There are too many examples to mention, but [it also includes] the Drift attack against the Salesforce customers.
We are a Salesforce customer. We were fortunate that our configuration did not create any exposure for us, whereas many of our peers were exposed.
These are just two recent examples of commercial third-party threats; then there are open-source third-party threats as well, such as the node package manager exploits we’ve been hearing about.
These are going to have to get a little more airtime with leadership in organisations and boards, to better prepare organisations to get their heads around what their third-party risk looks like.
I also think it should start shaping some of the non-IT security practices around employee recruitment, employee onboarding, credential verifications for our employees… It’s a very easy attack vector for attackers to successfully exploit, and they tend to follow the path of least resistance. And this has exposed itself as a weak underbelly in many organisations, where they’re just not well-equipped to deal with this threat.
Anything that takes the threat outside the purview of the security controls that are in place, and brings it into the domain of HR operations, or takes it off of company-issued devices and into social media communications like WhatsApp… the attackers have realised they’re probably going to face too much resistance within the IT systems, so they’re pulling the attack paths out of the IT systems now, and that’s a trend we’ll probably see continue.