Security firm Sophos has transformed itself over the past three years to ensure that all of its back-office solutions are cloud-based, in a bid to keep up with its own product suite.
Sophos has over 20 physical offices around the world, and claims to have more than 200,000 customers, and within that customer base, Sophos software is provided to more than 100 million users.
The man who has overseen the transformation inside the firm and is continuing to bring changes to the organisation is its CIO, Jason Richards.
Richards told Computing that when he joined the firm more than four years ago, a key challenge was aligning the internal IT with the product suite that Sophos wanted to offer its customers.
"We had a set of platforms that had evolved over time, a lot of organic in-house development solutions that were well suited to our organisation at the time, but my role was to address how this was going to change in line with where Sophos wanted to go," he said.
"We knew what we wanted to do with products, but we were a bit nervous with whether the back office and internal IT were going to enable and support that transformation," he added.
The first phase of this transformation was to completely remove, replace and rearchitect the firm's processes, said Richards.
"From every single IT platform, whether it was front-end marketing technologies and the things that drive Sophos.com and social media forums, marketing automation, all the way down to the sales organisation, demand generation, invoicing, core financials and BI," he explained.
This was to ensure that the internal platform would be "flexible, reliable and open".
At the start of the programme, the firm set down some core principles, one of which was that by default all solutions would be cloud-based and cloud-delivered to Sophos or at a minimum delivered to the company as a fully managed cloud-type solution.
The billing engine was an example of a system that was replaced.
Despite Richards stating that the initial solution from billing provider Big Machines was well-suited to Sophos' business two years ago, the supplier had not yet released a cloud version of the offering.
"It was well suited for our configuration, pricing and quoting process, but the acceleration of cloud really drove us to look at new capabilities in Big Machines that did not exist at the time, or a specialist billing engine that was suited to the cloud," Richards explained.
"We're not used to hugely customised cloud solutions being delivered to us so we went through a good evaluation process to look at the specialist cloud billing engines that are out there, and ended up selecting Zuora in that space," he continued.
And that was just the beginning of many changes at the firm. It chose Neolane (now Adobe Campaign) to replace what Richards suggested was very basic marketing automation technologies and campaign management tools, which were in-house developed solutions.
The firm chose Salesforce for its CRM to replace a legacy Pivotal environment, and selected SAP as its main back-office provider to replace a legacy Dream platform and other in-house processes.
Dealing with security at a security company
Richards insists that Sophos is no different to any other organisation in terms of threats. In fact, he thinks that the firm may be under more pressure to be secure because he believes cyber attackers target security companies more so than other firms.
But despite this, the firm has a very small team of IT security specialists.
"It's two people, they run the whole security function at Sophos. The reason we can do this is that we run Sophos' own products, and I'm a great believer in drinking our own champagne. We want security to be simple and we want people to be confident of using our products and not needing an army of security professionals," Richards said.
"My view is that if we can do it at Sophos with a very small team, using our products, it's a very good showcase for what our products can do, and how other companies can leverage that," he added.
The company has about 2,000 employees, but like many other organisations, Sophos finds it tough to recruit the right people.
"When I interview people I spend most of my time getting under the covers of: who are you, how do you behave, what's important to you and can you effectively communicate to the organisation," Richards explained.
He believes that IT as a part of an organisation has to change the way it has behaved in the past, and continues to behave, by working alongside business colleagues.
"If you don't have the right people who can talk to the business, then even if they are ‘techy' people, you have a real challenge on your hands," he said.
He believes that security skills are the hardest to obtain, but suggests that there is a wider pool of talent available as IT security has become more of a mainstream topic.
However, he thinks there is still work to be done. Sophos has teamed up with the government in the Cyber Security Challenge, as one way of encouraging people to take up a career in cyber security.
There have been suggestions that the Challenge has not succeeded in tempting people to take up a career in cyber security, and one sponsor, KPMG, has even scaled back its sponsorship of the programme as a result.
Richards agrees that it is "hard to measure" the success of the Cyber Security Challenge, but he believes that it has at least been getting a lot of media attention, which is making the cyber security skills gap more of a mainstream issue.
"The fact that it is out there in the mass media is really important. I think the only way we can measure success is by the level of interest we have, and we see that increasing year on year, and the level of participation is increasing when we do workshops, too," he said.
Back at Sophos, Richards believes that he will continue to see changes at the firm.
"My view is that change is always happening, and ideally it won't always be major transformational changes [like we have been through]," he said.
"I've been colliding with lots of IT transformational change, but also seeing a lot of change in Sophos products and what they do. There's never a dull moment, it's lots of good fun."
This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy