Joe Levy: Scaling Sophos to $1B+ revenue and defending the 350M overlooked businesses

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sid Trivedi (00:04):
Welcome to Inside the Network. I'm Sid Trivedi.

Ross Haleliuk (00:08):
I am Ross Haleliuk.

Mahendra Ramsinghani (00:10):
And I am Mahindra Ramsinghani. We have
spent decades building,investing, and researching
cybersecurity companies.

On this podcast, we invite you to join us inside the
network where we bring the bestfounders, operators, and
investors building the future ofcyber.

We will talk about the hard parts of the
founder journey, launchingcompanies, getting to product
market fit, raising capital, andscaling to an exit. And, yes, we
will also be talking about epicfailures.

But Mahendra, we're here to make the founder journey
easier.

That is correct, Sid. But we cannot make it too
much easier because startups arehard, and, of course, you
already knew that. Alright,YouTube. Enough. Let's get
started with this week'sepisode.

Today, we are excited to sit down with Joe
Levy, CEO of Sophos. Sophos is a40 old company that has now
quietly become one of the mostimportant players in
cybersecurity globally. UnderJoe's leadership, Sophos has
scaled to serving over 500,000customers worldwide and

(01:28):
generating upwards of a billiondollars in revenue. Throughout
his career, Joe has operatedwith the founder's mindset,
thinking in bets, building greatteams, spotting technical and
market inflection points, andexecuting with long term
discipline. A great example isSophos' recent $800,000,000

(01:49):
acquisition of Dell SecureWorks,which added over a thousand new
team members and significantlyexpanded Sophos' managed
detection response and extendeddetection response capabilities.
Today's session is an excitingmaster class on how a
technically astute CEO like Joenavigates demanding customers,

(02:10):
engages positively with privateequity giants like Thoma Bravo,
partners with MSPs globally, allthe while building a culture of
vulnerability based trust. Oneof the most insightful
statistics Joe and his team atSophos have highlighted is that
there are over 350,000,000businesses worldwide. Let me

(02:34):
repeat. 350,000,000 businessesworldwide. And a very, very
small percentage of thesecompanies have a CISO.
As Joe shares, his team atSophos are working very hard to
protect the rest of thecompanies that do not have a
CISO. Find out how Joe isleading this charge at Sophos.

Hey, Joe. Welcome to Inside the Network.

Joe Levy (02:56):
Hey, Sid. It's great to join you guys.

We're so so excited to have you on. You know, we're
gonna talk about a couple ofthings. We'll start with talking
about your foundations and yourearly inspirations well before
Sophos and Blue Coat and, youknow, a whole bunch of other
companies that that you've beenpart of. But you've been in
cyber for over twenty fiveyears. Could you share a little
bit about your early childhood?

(03:19):
What were the moments thatsparked your interest in tech
and and cyber when you wereyounger?

Joe Levy (03:24):
So as my mom would tell the story from about the
time that I was able to walk, Istarted taking things apart in
the house. And that's prettymuch been a defining personality
trait for me. I've always beeninterested in how do things
work, how do you break them, howdo you put them back together.
And and that carried forward tomy teens, and I was fortunate. I

(03:44):
had a generous uncle who boughtus a home computer, and I wanted
video games.
And they were expensive at thetime, I wanted to learn how to
write my own video games. Andand I wrote to Atari, and they
sent me some developer manuals,I I learned how to program. I
also learned how to break copyprotection, how to run a pirate
BBS, how to do a variety ofother things that I probably

(04:04):
shouldn't have been go doing,accessing dial up systems at the
time, that that sort of thing.And it was all very, very
curious and new and interesting,and and there there wasn't,
like, a good understanding of,like, were you breaking laws
when you're doing this stuff? Sothat that kinda set the tone for
my my interest.
And I knew I wanted to do thatfor the rest of my life, but I
just didn't know the path to getthere until later on.

And and just tell us a little bit about where you
grew up.

Joe Levy (04:30):
So I grew up in Queens, New York. I lived there
until I was about 17 years old.And then I followed a girl out
to Utah, and, she left. Istayed. I've been here ever
since.

So awesome. Makes it relatively simple.

Joe, usually when we talk to CTOs, we expect them
to be, you know, to havecomputer science or engineering
backgrounds. Now many might notknow this, but you studied
English at Queen's College. Howdid an English major end up in
CTO roles in some of the biggestcybersecurity companies out
there?

Joe Levy (05:02):
So no surprise. I get that question a lot. I actually
I started as as a CS major, andand I had this frustrating
plagiarism accusation incidenton an assignment that we were
working on in a class where Iwas helping out a friend of
mine. And and I decided that thesimplest resolution to the
problem would be to just changemajors. And and that that was,

(05:23):
it was a bit of a dodge on mypart.
I knew that English would be alot easier. Plus, I I've always
been a big reader. I've alwaysloved literature. I've always
loved writing. So it just seemedlike something that would
provide general utility and amuch, much easier path through
college.
Maybe not the best decision atthe time, but I I think it
turned out okay. I've neverstopped being hands on with tech

(05:43):
though. Up until recently, Iwas, of course, in a technical
role. Earlier in my career, Ihad my dream job of working at
RadioShack or in my in my earlytwenties, And this is back when
they were still a hobbyist shop,and it was a technology store
and not a mobile phone store. Sothat that was, like, a wonderful
chapter in in my professionallife.
And then in the mid nineties, Igot really lucky, and, I met

(06:06):
some folks who were running anearly network focused value
added reseller here in Utah.They were a Novell platinum
reseller, just to date thingshere, you know, no Novell
binary. Like, they they werejust going to NDS with four one
one, that sort of thing. Startedbuilding out networks, did a lot
of the physical cabling aroundthe valley here in Utah. And,
that that also was my openinginto a security practice.

(06:30):
Like, were installing TrumpetWinsock TCP IP stacks on Windows
three one one machines, and I'mlike, we're just connecting
these things to the Internet.That's probably a bad idea. So I
I I developed a firewall onLinux and it was like the two
zero three four kernel at thetime, wrote a management
interface for reportinginterface, that sort of thing.
Sold like hotcakes And and I washooked at that point that that

(06:51):
it was at that moment that Iknew this is what I wanna do
with the rest of my career.

Joe, as someone who has studied English
literature and enjoys reading,give us a sneak preview of,
what's on your bookshelf, Whatdo you enjoy reading? Which are
some of the authors that haveimpacted you most? And I know
that Ross and I may not featureon that list, both

of us published authors. But still, what do you
have on your bookshelf?

Joe Levy (07:17):
So it's out of the frame in the camera here, but
I've actually got a fewbookshelves behind me. And, one
of the bookshelves is mydaughter's bookshelf. It's a
it's a series of books that Imaintain for her, and and
they've all got inscriptions inthem from me. And they were all
books that have just profoundlyinfluenced me in my thinking.
And and they're wide ranging, soI I'm I'm happy to share the

(07:38):
list with you after we getthrough the recording here.
But but in general, as itpertains to business, the books
that have really influenced mythinking, when I was first
getting into a leadershipposition earlier in the the
early two thousands while I wasat SonicWall, I was introduced
to, Pat Lancione, and he'sprobably best known for five
dysfunctions of a team, fivetemptations of a CEO. A lot of

(08:02):
the principles that I learnedthen have stuck with me. And in
fact, recently, we we've justdone a workshop here at Sophos,
with the table group, learningand practicing some of the
Elencioni methods, which I thinkare some of the best in
business, and I encourageeveryone to have a look if if
you're not already familiar. I'dalso say I'm a bit of a physics
geek, and I I have this kind ofa an adoration for physicists.

(08:26):
And a lot of the internalprojects that we do here at
Sophos are actually named afterphysicists like Project Maxwell,
for example, which is a recentone that we're working on.
But Richard Feynman, the Feynmantechnique, where you basically,
you learn through explanation ofconcepts as if you were trying
to teach a child. And I guessyou could think of this as like
the original ELI five, explainlike I'm five. But but the

(08:49):
method works very, very wellboth for me as well as for
ensuring that we've got goodclarity across the direction
that the business is gonna befollowing.

You know, that's my favorite prompt, Joe, when I
use Grock or Chad GPT. Like,talk to me like I'm five. And my
wife, of course, says, I'vealways been talking to you like
I'm like you're five.

Joe Levy (09:08):
So That's great.

Well, Joe, let's talk a little bit about kind of
that early career journey. Andyou've held several CTO
positions. You've held a CTOposition at SonicWall. You
mentioned at Bluecoat. Andyou've even helped lead startup
roles on the technical side atSolar Networks right through the
acquisition.
What were some of the pivotaldecision points in your career
path as you kind of move towardsthat CTO function? And were

(09:33):
there reasons behind why youjumped between an established
company and a start up and thenback to establish, or were there
certain career gambles that youtook?

Joe Levy (09:41):
That's a great question. And, what I'd say here
is that in my youth, I was muchless patient than I am now. And
I think I'm an example of what Iwould call the paradox of
patience. We we have less of itwhen we're young and more of it
as we get older. And that reallyjust comes down to, like, what
are you optimizing for?
Are you optimizing for upsiderisk or downside risk? And and I

(10:03):
think my life sort of reflectsthat recalibration, including a
lot of the career decisions thatI've made. When I left
SonicWall, it was like 2007 or02/2008. I left as an employee,
but I actually remained as acontractor through to 2013. I
wanted to have my cake and eatit too.
Loved the technology. Loved theteam. Wanted to continue to work
with them. But I fundamentallydecided to leave the CTO

(10:25):
position because of theinnovator's dilemma. And, you
know, just to recap the conceptof the innovator's dilemma, it's
it's basically this notion of atreadmill of innovation that
gets driven by ROI, where thelarger and more successful a
company is, the greater theirincentive is to continue to
invest every dollar they haveinto their incumbent business to

(10:47):
the point of exclusion ofanything new and any kind of new
innovation.
And at the time, we we were justin the early stages of the
journey into virtualization andinto the cloud, like AWS was
just getting started. And and II really wanted to be part of
that. So I I made what I thoughtwas this very impassioned plea
to the rest of the leadershipteam and the board to make an
investment in securitytechnology in this new domain,

(11:10):
and, the timing just didn't workout. And I I fundamentally
attribute that decision to theinnovator's dilemma. That that
was one of my first learningsabout, like, the practical
implications of what the bookactually meant.
So I decided I was gonna go dosomething that was interesting
to me. I wanted to combine deeppacket inspection and indexing
flows using DPI and TLSdecryption and combine that

(11:33):
with, data carving technologiesthat existed for host based
forensics. Like, there therewere these open source tools
like Foremost and Scalpel, andthe concept was can you apply
this to a network flow? And theanswer is yes. And we we built
Solara Networks and that becameone of the first security
analytics companies that wassubsequently acquired by Blue
Coat.

(11:53):
Fundamentally believe that thereare no bad choices. I I believe
that everything happens for areason. I I subscribe to, I
guess, what would be theBuddhist philosophy encoded in
the story of the Chinese farmer.You know, once upon a time,
there was a Chinese farmer whosehorse ran away by Alan Watts. If
you're not familiar with it,just look it up.
It's a great kind of metaphorfor life. And I just think that

(12:14):
life is short, so bet big onthings that you believe are
gonna make a real difference.

Were there any specific gambles that you look
at today and you say, wow. Thatwas, I would not have made that
decision today?

Joe Levy (12:25):
There there are a number of them where you you
look back and you begin tosecond guess yourself. And and
sometimes they're attached tofinancial outcomes. Sometimes
they're attached to the teamsthat you end up aligning
yourself with. But but again, II I don't believe in in regret,
and I don't believe in handwringing about that sort of
thing. I believe you takeeverything in stride.

(12:46):
And if things didn't work outthe way that you wanted them to
at the start, you take that as alearning lesson.

And now talking about lessons, are there any of
the early lessons from yourearlier, years in the career as
a CTO that you would, sort of,share with founders or or people
who are maybe now, making thosedecisions or considering to make
those hard decisions?

Joe Levy (13:07):
Decisions within the the CTO level itself or
decisions through migration inthe career?

Decisions through migrating careers, decisions
through taking risks anddeciding to do something that
they haven't done before.

Joe Levy (13:19):
Yeah. My my appetite for risk is, I wouldn't call it,
ravenous, but it's significant.And, I I think that when it when
it does come to a retrospectivein general, it's easier to
regret things that you didn't dorather than things that you did
do. So, I I I generallyencourage people to do what I

(13:41):
do, that is lean in on thesesorts of things.

It does make sense. After nearly a decade as
a Sophos CTO, you took the CEOrole back in in May 2024. How
did you prepare yourself to makethis move from a purely
technologically focusedleadership position into the CEO
position? And also now thatyou're one year in, what are
some of the biggest changes inhow you make decisions? And,

(14:04):
also, what do you get to worryabout day to day?

Joe Levy (14:07):
Yeah. Well, it's been a very interesting year for
sure. And and what I would sayis that the move happened in
increments for me. It it wasn'tjust a big bang transformation.
And and that, of course, makessense at this scale that there
there would need to be anincremental progression toward
this.
So I think I would take thisback to about the 2017 time

(14:28):
frame when I began pitching theidea of MDR, managed detection
response to the business. And atthe time, Sophos was a very well
established endpoint securitycompany, network security
company, but we we didn't haveanything operating in the way of
security services. So we spent alot of time through 2017 going
through the rationalization, thebusiness planning, ensuring that

(14:51):
we can manage any kind ofchannel conflict that we have
with our 25,000 global channelpartners, thinking through what
the go to market transformationrequirement would need to look
like, talking about the the newkind of finance model that would
accompany how do you build andscale a security business,
security business, went througha build buy analysis, went
through the process of m and a,and there were a series of

(15:12):
acquisitions that we did to tobuild the MBR business,
including most recentlySecureWorks, of course, and
spent most of 2017, a lot of2018 doing that. And then we
actually did the acquisitionsand the integration work at the
start of 2019. And I would sayit was that experience that that
was, first of all, reallytransformative for Sophos.
It changed the the personalityand the identity of the company,

(15:35):
but it was also transformativefor me. And then when the
opportunity presented itselfabout a year ago for me to step
into the CEO role, honestly, itwasn't something that I had ever
intended to do within my career.I I was very, very happy and
satisfied doing what I wasdoing. But I knew that it would
be something that I would regretif I didn't take the opportunity
to do it, so I had a leap at it,even with the understanding that

(15:57):
it was fundamentally going tochange my life. And it has, and
and I'm thrilled.
It's it's been one of the bestdecisions I've ever made. I am
having the best time that thatI've had throughout my entire
career. Having the opportunityto learn at this kind of pace
and this kind of scale has beenabsolutely amazing. And and the
one thing that really surprisedme the most was the amount of

(16:18):
energy that I I have to spendevery day on emotional
regulation. And and I I've I'vethought long and hard about
this, like, what's different inmy life now?
It really does come down tothis, the amount of energy spent
on emotional regulation. Andthat means my own, my teams, my
boards, and, that that's themost stark difference for me.

Joe, you make it sound very easy. You make it
sound like going from from theCTO to CEO, nothing really
changes. It's all super easy.Talk to us about the hard parts.
Come on.
We need a story. Share sharesomething that is hard or
something that surprised you ina way that you didn't
anticipated.

Joe Levy (16:54):
Yeah. It it would be attached to that last point that
I made. We are people. We workwith people. Some of the biggest
challenges that we have are notarchitectural decisions on
technologies or how do youinvest a dollar in your your
marketing activities or how doyou structure a commission and a
compensation plan for your salesand your renewals organizations.

(17:14):
Those are hard problems, but butthey can generally be solved
through a data driven approach.While I don't believe in
management by consensus, it'soften easier to reach a
consensus in those sorts ofdecisions than it is in
decisions that involve peopleand decisions that you need to
make that affect the the careersand the the development

(17:36):
opportunities of individuals.And sometimes you are confronted
with very, very difficultdecisions, whether it's making a
small scale organizationalchange and a change in the
leadership of a team, or whetherit's something at a much, much
larger scale, like if a companyhas to go through a
restructuring, for example. Andwe know that under the current
financial climate, it's notuncommon for organizations to

(17:58):
have to go throughrestructurings. It could be a 5%
reduction, a 10% reduction.
And and these are really themost difficult parts of the
business. And it's never easy tomake these kinds of hard choices
even if you fundamentallybelieve it's in the best
interest of the business.

So, Joe, you know, hearing you talk about
pitching MDR in 2017 to now whenwe look at where Sophos MDR is,
you know, Grid, Gartner, Youknow, everybody's ranking your
MDR solutions in one of the bestquarter. And so, you know,
congratulations on that journey.It clearly didn't happen

(18:36):
overnight, but I'm sure a lothas happened behind the scenes.
One question that I wanted tojust double click on was your
transition from CTO to CEO.Clearly, it is it is not as
easy.
You once made a LinkedIncomment, which had over 1,300
positive responses where yousay, people often ask me, what's

(18:59):
the hardest part of moving fromCTO to CEO? And you have to say,
I can't blame it on DNS anymore.So but what is your advice to
the founders, especially in thecybersecurity domain? There are
so many of them who come fromtechnical backgrounds, and so
many of them aspire to get intothe CEO role. You know, what is
your advice to them, and howwould you mentor somebody who is

(19:22):
trying to follow that arc?

Joe Levy (19:24):
So I still run a full lab infrastructure in my home,
and I actually was having anissue with my own DNS server
that day, that's what promptedthat post. But it's funny. I'm
I'm just getting back from abouta six week tour where we, we
traveled the globe doing partnerconferences and sales kickoffs
in our three primary theaters,Americas, APJ, and EMEA. And I

(19:48):
was having a meeting with one ofour partners, and it was a
partner that I was meeting forthe first time. And it was a new
leadership team that had justcome in.
We've done business with themfor a long time, but it was a
new team. So I'm I'm meeting thethe the leadership team for the
first time. And I remember wewere having a conversation about
some technical detail about theintegration of the Tejas

(20:09):
platform from SecureWorks intoSophos Central. And I I answered
the question, and he said, well,you're just the business guy. I
would wanna talk to thetechnical guys about this.
And I'm like, yes. I havearrived. Like, it was like this
important, like,transformational moment for me
when I heard that, and then Iexplained to him. He's like, oh,
okay. Fine.
Maybe you do know what you'retalking about. But what I would

(20:32):
say is different is just the theamount of delegation that you
have to do when you you moveinto a new position within an
organization, especially at thislevel. I'm fortunate that I have
a really amazing leadership teamthat I am able to delegate to
with full confidence. Now now,like I said, I I still stay
close to the technology. Like, II still maintain an environment

(20:54):
that that I operate with, gotAWS and Azure accounts that I
play with.
I I still participate in a lotof our technical and
architectural work that we do.That's more of a a selfish
interest than anything else.Like, I I'm just I'm genuinely
interested in that sort ofthing. But I have to relinquish
ownership because I'm not thetech leader anymore. I have tech

(21:14):
leaders now.
And it's critical that Idemonstrate the trust and the
confidence that I have in myteam. And and that would
probably be my advice rightthere, that that you have to get
comfortable giving up controlwithin your business, but you
can and you should keep swinginga hammer on your own time. Just
understand what that divisionlooks like.

Also, Joe, you know, Sophos is backed by Tomah
Bravo, you know, one of thelargest private equity firms
that is out there. You know,clearly, when they look at your
leadership and your, you know,operating KPIs, if you will, I'm
guessing it is not an easy taskbecause you have a very
demanding partner there. Youknow? For for some of the

(21:56):
technical founders, you know,you talked about emotional
regulation. You talked aboutPatrick Lencioni's work around
the dysfunction of a team.
What are one or two things thatyou would tell a technical
founder that they should not dowhen they step into a CEO's
role?

Joe Levy (22:11):
Oh my gosh. Particular to private equity or in general?

In general.

Joe Levy (22:15):
Okay. Well, probably, well, first of all, let me let
me address the the the categoryof private equity because I
think it's an important one. Itcomes up frequently in
cybersecurity. People who knowme know that I spend way too
much time on Reddit. And if ifyou read Reddit, the zeitgeist
tends to trend negative towardprivate equity.
Like, anytime there's privateequity acquisition, the response

(22:37):
is, oh my god. This this iswhere good technology goes to
die and that sort of thing. Ijust I wanna get on a soapbox
for a second. I wanna disabusepeople of of that perception
around private equity. Now thisis my third time working with
Tomo Bravo.
I I work with them throughSonicWall, through Blue Coat,
and now here at Sophos. And andI I have a tremendous respect
for them, and and they theydon't pay me to say that, like,

(22:59):
it's legit. And, and frankly,I'm I'm grateful for the faith
that they placed in me as afirst time CEO with this size of
responsibility. So the firstthing that I would say, in our
experience, we have invested alot in our secure software
development life cyclepractices, the funding that we
have for our bug bounty programthat we've been running for
many, many years, the investmentthat we made in hardening our

(23:22):
technologies and ourarchitectures since the time of
the take private by Tomo Bravo.And and I know that some of your
listeners maybe read the PacificRim disclosures that we made a
few months back.
That was, in summary, it wasabout a five year engagement
with nation state actors fromChina who are attacking our
firewalls in in our customers'environments. And Tomo Bravo,

(23:46):
they they were very, interestedin the details of what was going
on. But but the question thatthey kept asking us again is,
like, what can we do to makethis get better faster? How can
we spend more money to justaccelerate the improvement so
that we can get to the otherside of this? Which I which I
think is a wonderful kind of anattitude for an investor to have
and probably very different fromwhat the perception most people,

(24:08):
would would hold of privateequity to be.
The next thing that I'd sayabout private equity is that
private equity is not amonolith. And, you know, just in
general, like, beware of overgeneralizations. Some private
equity operators deserve thereputation they have, but some
actually care about valuecreation, and they put their
money where their mouth is.They're also not a nonprofit,
and and they need exits. So asthey say about a healthy

(24:32):
transaction, companies aren'tbought, they're sold.
And and that fundamentally, Ithink, what drives the design
decisions. Like Tomo Bravo, theyhave a reputation and and their
success depends on ensuring thatthey're helping companies to
grow and thrive after they exit.So it needs to be successful on
the other side, which means thatyou can't have this over

(24:52):
optimization for the short termat the expense of the longevity
of the business and and theoverall operation. So that
that's my soapbox on on privateequity. And then what what I
would say in general for anykind of a leadership ownership
structure, whether it's privateequity, venture, public, just
make sure that you maintain asingle team unit with you and

(25:15):
your board, you and yourinvestors.
The moment you get into thiskind of emotional us and them
situation where there's a sidetaking that's occurring or a
finger pointing that's happeningwithin the business, that's
toxic. And you you you gotta seethat coming from a mile away,
and you gotta make sure thatyou're preventing it from

(25:35):
happening.

Well, let's talk a little bit about Sophos and
scaling and innovating atSophos. And, you know, as I was
listening to both Ross andMahendra ask you questions of
your transition from CTO to CEO,was it allowed me to take a trip
down memory lane, and I wentback through our text exchanges
over the years, Joe. I went backto Feb twenty twenty four when
you got the acting CEO role andthe message I sent to you, which

(25:57):
was basically like, this is along time coming. That was the
TLDR on that message. So thefact that you're saying, hey.
I wasn't sure if I take it. Ithink most folks who know you
were not surprised that youended up, you know, in that in
that position. I think yourleadership skills are are truly
exceptional, particularly from,you know, when you compare them
to traditional CTOs who areusually much more introverted

(26:20):
and are not the type of peoplewho go and manage thousands of
employees. I wanna talk a littlebit about, you know, one topic
that, you know, I I I thinkabout pretty pretty actively
right now is in this kind ofpost COVID world, most CEOs are
asking their employees to comeback to the office, physically
come back into the office. AndSophos is based in in England.
It's based in Abingdon, and youare based in Brux City, as you

(26:43):
already mentioned. So you arevery much, you know, in some
ways against that trend. I'mcurious to just get your point
of view on what you think about,you know, this this push to
return to the office and how youcompare that to remote work and
distributed work.

Joe Levy (26:55):
I think it's an idea when companies begin to push for
these return to officeinitiatives. It for me, it just
suggests that there is a controldeficiency, a trust deficiency,
a metrics deficiency in thebusiness. I think it betrays
some more fundamental problem inthe business when there's that

(27:16):
sort of a mandate. Now on theother hand, I believe that there
is a ton of benefit to gettingpeople together and to giving
them the opportunity to go backto the office when they want to
get teams of meetings and groupsof engineers together in front
of whiteboards and that sort ofthing. There is no substitute
for that.
So on the one hand, I think abusiness must continue to
provide those kinds of face toface opportunities for

(27:38):
collaboration. It's importantfor hackathons. It's important
for collaborative architecturalefforts. It's important for
enculturation. When when you'reonboarding new employees, for
example, it's it's much moredifficult to imbue a culture
when you're trying to do it overa Zoom or a Teams meeting than
when you have the opportunity toactually interact face to face.

(27:59):
So number one, provide theopportunity for people to get
together. Number two, don'tmandate a return to office after
most businesses havedemonstrated that they could
actually work as efficiently, ifnot more efficiently, in a work
from home work environment. It'sworked great for us. We were
fortunate. When COVID hit, wealready had the technology in

(28:20):
place to be able to transitionto work from home without
missing a beat.
Not all organizations were sofortunate, but I I think it's a
good demonstration of beingprepared for these kinds of
unforeseen eventualities.

I wanna talk a little bit about m and a. You've
referenced SecureWorks a coupletimes. Over the years at Sophos,
you've led several differenttypes of, you know,
acquisitions. Some of them, youmentioned SecureWorks, which is
very much focused on buildingout a a net new business, and
that was an acquisition thatwas, you know, over $800,000,000
to acquire that business versuskind of the smaller, more tech

(28:55):
focused acquisitions you've donelike Avid Secure, which was
Nikhil Gupta's Gupta's lastcompany in the cloud security
market or Capsulate, you know,John Viega's company in the
container security market. Howdo you think about those two
types of acquisitions, the verylarge platform ones and then
the, you know, smaller techfocused acquisitions as you look
at the innovation strategy atSophos?

Joe Levy (29:16):
So first of all, I think that m and a falls into
the broader category of corpdev. And when you're thinking
about corporate development ingeneral, it can take on the
shape of acquisitions. It cantake on the shape of
partnerships. And we've beenreally fortunate over the years,
I would say. We we've hadtremendous success with the the
smaller tech tuck ins that we'vedone in the ten years that I've

(29:38):
been here.
And more recently, we we've alsoexpanded our corp dev bag of
tricks to include partnershipsand licensing of technologies.
We've licensed technologiesoutbound for many, many years.
We've recently started theinbound licensing of
technologies. And the examplethat I would provide there is
our partnership with Tenablewith their Tenable One platform.

(29:59):
We took the platform itself.
We wrapped it into a service,which we now deliver to our
customers as a managed riskoffering. And and that worked
great. And and that that is thesort of pattern that that we're
just gonna go continue to run.But if you look at the m and a
part of corp dev in particular,there are there are a number of
categories. And broadly, youcould look at smaller tech tuck

(30:22):
ins and then you could look atlarger consolidation plays.
Tech tuck ins are generallydesigned to patch for some sort
of a deficiency in a portfolio,whether it's, competitiveness
within existing products thatyou have and maybe you've fallen
behind or maybe you just can'tinvest as much as quickly to
close the gap between you andthe market demands as quickly as
you would like, or they couldallow you to expand into either

(30:45):
new markets or adjacencies.There is a lot of risk in trying
to expand into a new market witha tuck in because the size of
the transaction implies thatthey hadn't already begun to
operate at some scale, whichmeans that there is no kind of
material demonstration ofproduct market fit. So there is
a risk that is involved at thesmaller end when you're doing a

(31:06):
tuck in And you need you justneed to align the solution to
the problem that you're tryingto solve. For larger
consolidations, and and I wouldsay that, SecureWorks certainly
falls into the category ofconsolidation, this wasn't just
a matter of us buying more MDRmarket share. We certainly did
end up with more market share,largest pure play cybersecurity
MDR provider in the world now.

(31:27):
But we also got some of the besttechnology that I've ever seen
when it comes to an XDRoperating platform, next gen SIM
capabilities, the capabilitiesthat they had within their
advisory business, it some ofthe best in the world, tier one
producer of threat intelligencethat's just a great complement
to what we were alreadyproducing inside Sophos. So I I

(31:48):
think we got extremely luckywith SecureWorks. You know, I've
I've said that before. I'llcontinue to say it. It it was it
was a perfect fit in terms ofthe opportunity it gave us to
grow our presence as an MDRprovider, to expand into the
enterprise, to accelerate ourtechnology road map probably by
a couple of years by bringingTejas into the platform, and
then expand our competencies inthe space of threat

(32:10):
intelligence.
So the moral of the story isthat you need to understand the
problem that you're trying tosolve and then apply the right
strategy to go solve it.

And maybe just, you know, any advice you have for
founders on how to approach, youknow, an acquirer? And maybe
perhaps if if I was to just sumit up, like, what is one thing
you found founders do which youdon't think they should do when
they're looking to to sell theircompany?

Joe Levy (32:32):
Oh, that's a that's a great question. And and I I've
been on both sides of that, so Icould probably better answer
from the the the founder sellerside. Thinking back through the
history of transactionstransactions that I've been a
part of, whether it's been buyside or sell side, the one thing
that I would caution founders onthe most would be misreading

(32:54):
whether there is missionalignment and cultural alignment
with the acquirer. And andoftentimes, when you're when
you're a founder, you're very,passionate about the problem
that you're seeking to solve inthe world. And when you become
part of a larger organization,it can be simple to get
homogenized into that operation.

(33:15):
And if that happens in such away where there is a
misalignment or an impedancemismatch between their agenda
and your agenda, that could veryeasily degrade into a toxic
environment. So I wouldencourage founders to invest a
lot of time and a lot of effortinto ensuring that they've got
good cultural alignment and goodmission alignment before they

(33:37):
get too far along.

Joe, while Sophos is known for its m and a
strategy, it also does a lot ofinternal innovation and a lot of
internal development. Sophos isis an almost 40 year old company
in a very, very fast pacedindustry. Given that that's the
case, how do you foster aculture of innovation within
Sophos to keep it agile and tokeep it moving and and to keep
it competitive? And for example,how do you balance investing in

(34:02):
core products like endpoint orfirewall versus some of the
newer developments like likecloud security?

Joe Levy (34:08):
So this is, our fortieth anniversary this year.
Thank you, Ross, for pointingthat out. We we were officially
started in 1985 in, Abingdon inThe UK. And, yeah, over the
years, the the company, I think,prior to my arrival even has
done a good job reinventingitself. Started off as an
antivirus company, expanded intoemail security, the network

(34:29):
security, cloud security, andmost recently, of course,
security operations.
We we've we've also evolved thego to market. And and I I
fundamentally believe that therethere can be innovation outside
of just the technologydepartments within a business,
and there needs to be. Therethere needs to be innovation in
the go to market and the waythat marketing team works and
the finance team, etcetera. Andwe've done a good job evolving

(34:51):
the go to market as well. We, westarted down the MSP path about
ten years ago, and now we'rewe're one of the most important
cybersecurity partners for theMSP population.
And and I've said this beforeand I'll say it again, I I think
MSPs are the most importantoperators inside the
cybersecurity ecosystem today,and it it's one of our missions

(35:14):
to ensure that we're one of themost beloved and important
vendors to them. So when itcomes to innovation, our
heritage, our roots go back tothis prevention first mindset,
which I think continues toconfer a benefit to us because
much of the rest of the industryover the past ten years has
capitulated when it comes toprevention, and they've just
gone, well, it's not possible tostop absolutely everything.

(35:37):
Therefore, we shouldn't focus onthat. Let's just focus on
detection and response. And andI think the pendulum swung too
far when that happened and it'sbeginning to swing back now.
But but our MO has always beenprevention first because it's
always gonna be moreeconomically favorable to stop
an attack earlier in in itsattack cycle. Like, it's a

(35:59):
pretty simple concept and andwe've we've never let go of
that. And and we'vesimultaneously, of course, built
out very competitive set ofdetection and response
technologies, but we've neverlet go of that prevention first
mindset. Now while you're doingthis, you just continue to
obsess over workflows and secureby default product design
principles. Too many times inour industry, I think we've seen

(36:21):
examples where vendors push theburden or offload the burden of
a correct configuration to thecustomer.
And and I think vendors shouldbe spending more time ensuring
that they're creating productsthat are secure by default so
that they don't shift thatburden over to customers who so
often will just not get itright. I I think that's an
example of a market failure whenit comes to cybersecurity, and

(36:43):
Ross, I know you and I havespent a lot of time talking
about that topic. Once you're ina thriving business that's
operating at scale, I think it'seasier to invest in innovations.
It's easier to continue to takea dollar and apply it to
continuing to drive thosestrengths and those
differentiators forward. And andthat's perhaps the silver lining
to the innovator's dilemma.
That's where the innovator'sdilemma actually gets it right.

(37:04):
And and this approach hasallowed us to maintain what I
think, as an example, is, like,one of the best ransomware
protection, technologies in theindustry. The the thing that I'd
say on the services side, whenwhen you think about innovation
when it comes to services, whichis about one third of our
business now, a lot of theinterest is in what is AI going
to be able to do for us. And,you know, we're we're we're

(37:26):
already well past the pointwhere AI in security operation
can at least approximate theintuition of a human analyst.
Doesn't always get it right.
We know that. But it doesprovide a significant benefit,
the significant time savings tomost of the operators. And and I
think a lot of the innovationthat we're gonna see on the
services side of the business isgoing to come from better

(37:48):
applications of AI drivenworkflow innovation from this
point forward.

So, Joe, as we look at the the landscape and
the opportunities that lie aheadof you, and you've just
completed a tour of, EMEA,Europe, and The US. Where do you
see opportunities where acompany like Sophos could scale
and, more importantly, beat thecompetition? I just wanna put
something out there for therecord of our listeners. You

(38:15):
know, Sophos is ranked higherthan CrowdStrike in, you know,
endpoint protection, which issomething that a lot of our
audience and vendors would notknow. This is referring to a
Gartner Peer Insights reportwhere Sophos is rated higher.
It in fact, it's rated highestthan CrowdStrike, Central One,

(38:36):
BlackBerry, Palo Alto, etcetera.So here you are in a very prime
position on a competitive edge,but you still have to scale. You
still have to grow. So twoquestions. Where do you see the
opportunities, and where do yousee competitors doing some
things better than you?

Joe Levy (38:51):
So thank you for pointing that out, Mahendra.
That's Gartner PR incised voiceof customers. So there's tons of
different sorts of metrics inthe industry. None of them are
perfect. Most of them areuseful.
And, that that one is, ofcourse, useful in in its own
ways. So where do we see theopportunity? Like, there are a
lot of companies that are doingsecurity operations today. There
are lot of companies that aredoing EDR, XDR, network

(39:14):
security. One of thedifferentiators that we maintain
is is the fact that we canoperate across what I describe
as, all of the critical crossdomains within IT systems.
So that's endpoint, network,email, identity, and cloud. So
that that's one portfoliooperating benefit that we have.

(39:35):
Two is the scale of ourbusiness. We have about 600,000
customers globally, tens ofmillions of endpoints running
variety of different operatingsystems, hundreds of thousands
of firewalls that are deployed.Surface area confers a benefit
to cybersecurity operators, andand we have a very, very
significant surface area thatgives us just a lot of sample
data and a lot of intelligence.

(39:57):
Where where we reallydifferentiate ourselves because
then naturally you have to askthe question, okay, well, what's
the difference betweenCrowdStrike and SentinelOne? And
a lot of people would have adifficult time answering that
question. And then you couldextend it and you could say,
what's the difference betweenCrowdStrike's n l one and
Sophos? And where where Sophosdifferentiates itself is the
fact that we historically havetargeted a segment of the market

(40:19):
that I would say has been underaddressed. And this is where we
begin to intersect with thisthis idea, another idea that
Ross and I have spent timetalking about, the cybersecurity
poverty line.
And and that that basicallystates that there is another
market inefficiency where it'sjust either difficult or
impossible for the vast majorityof organizations to make good

(40:43):
decisions and do the right thingwhen it comes to cybersecurity.
And and the the the mission andthe focus of Sophos historically
has been mid market SMB.Naturally, that changes with the
acquisition of SecureWorks thatnow gives us a significant
enterprise capability. But theperhaps surprising detail that I
would share there is that whileSecureWorks had about 2,000

(41:06):
enterprise customers, prior tothe acquisition, Sophos had
about 1,500 enterprise customersthat were actually quite
similar. And and when when youcombine them, obviously, now now
you're looking at a prettysignificant scale enterprise
business.
So I do believe it's possiblefor organizations to serve all
segments. I also believe it'seasier for an organization to

(41:26):
move up market than it is tomove down market. Meaning that
once you've achieved technicalcompetency in the technology
that you're building and theservice that you're offering, it
comes down to whether or notyou've built the go to market
apparatus to be able to servethose segments of the market.
And and because of the strengthof the channel and the
relationships that we have withthe MSP population, I think that

(41:47):
we're just better situated to beable to do a greater amount of
good in the world with thetechnology that we have. And you
just announced a data center inThe Middle East.
Tell us about what's happeningin that market. I was there for
JISEC a few weeks ago, and Ibelieve that there are

a lot of interesting things happening in
a market that is very rich incertain assets, you know, oil
and gas, obviously, but it'salso targeted very intensely by
a variety of actors because ofthe assets that they control.
What are your perspectives onthat market?

Joe Levy (42:22):
It's one of the fastest growing markets for us.
I think that despite the factthat there is a high
concentration of capital that isavailable there, that it isn't
always deployed in the mostefficient way. It's funny
because when you look at thisconcept of the cybersecurity
poverty line, you tend to thinkof it as smaller organizations
that just don't have thebudgets. Budget is just one
component of it. Knowing what todo is probably a bigger and a

(42:44):
more important component ofthat.
And oftentimes, you can havevery well funded multi billion
dollar operations that justdon't have good cybersecurity
strategies. And as a vendor whois now in a position to help
with advisory services, I thinkthat we're gonna see a pretty
rapid and healthy expansion ofthe kinds of engagements that
SecureWorks brought over to us.Many of the customers that we

(43:07):
have in that region areSecureWorks customers. Some of
them are quite large. And manyof those engagements began with
the security advisory servicesand then grew from there into an
MDR engagement.
And that kind of pattern, Ithink we're gonna see repeating.
My goal is for the combinedcompanies is to figure out how
we can scale that model. And andby scale it, I mean to tens of

(43:28):
millions of businesses. Now,naturally, we're not gonna be
able to do that on our own.We're not gonna be able to
employ enough people even withthe aid of AI to provide those
kinds of security advisoryservices to so many customers.
But in partnership with our MSPsand by establishing ourselves as
the vendor who the MSPs rely onto help scale them up to be able

(43:48):
to effectively become the armythat can do that engagement and
work with those customers, I Ithink this is where we begin to
make a really significantdifference at scale. There's one
really interesting statisticthat, we, we introduced at our
sales kickoff at our partnerconferences recently, and I'll
I'll I'll just share that withyou and your listeners. There

(44:09):
there are approximately359,000,000 businesses or
organizations in operationacross the world today. And we
asked the question, how many ofthem have a CISO or have access
to somebody like a CISO? Andit's it's a great question.
I don't think I've ever seen itasked and answered before. So we
did the research ourselves onthis and and we we came to the

(44:29):
number. There are approximately32,000 people working on the
planet today who either have thetitle CISO or a title like CISO,
like director of security, thatsort of thing. You look at the
ratio and it's point 009%. Sothat that basically means that
fewer than one in 10,000organizations operating today

(44:50):
have access to a CISO orsomebody like a CISO.
Now basically what that means isthat they probably don't have a
strategy. They're going out andthey're buying cyber security
products and services, but theydon't have a goal, they don't
have metrics, They don't theydon't have a risk reduction or
management strategy for theirbusinesses. It applies to cyber,
perhaps not even for the wholebusiness. And and I think that

(45:11):
the market has just done aterrible job trying to address
that, and that's a problem thatwe're gonna fix.

What an amazing stat. Joe, we we at Pingdaw have
several different folks inadvance of this conversation
with you who have interactedwith you, spent time with you.
One of those was was JimFlagging who was on the board at
Sophos for many years and hasspent time with you since your
Solara Networks days. And and hereally pushed us to ask you
about the question that that youkind of, you know, discussed,

(45:36):
which was how does Sophos playboth in the SMB and the
upmarket? And and you'vementioned a little bit about
SecureWorks and the acquisitionand how that allows you to play
more actively in the upmarket.
The other question he he pushedus on was, we'd love your point
of view on how do you thinkabout tech and architecture just
to cover both the, you know, theSMB market as well as those

(45:57):
large enterprises. I mean, theirneeds are very different. And so
as a result, the underlying techhas to also be very different.
So how do you make it flexibleenough to service both of those
customers?

Joe Levy (46:07):
That is a perception that I've challenged for a long
time, that that there needs tobe some kind of a fundamental
difference in the technologywhen you're trying to sell to
different segments in themarket. I think historically,
that was true. And and I thinkthat that is where this
perception is rooted. And it andit comes from this notion that
if you were selling to theenterprise, you require a high

(46:29):
degree of customization. And andif a business is going to go
down the path of pursuingenterprise customers, they need
to avail themselves to a lot ofbespoke customization that
they're gonna be at the beck andcall of their largest enterprise
customers who are 20% of theirARR.
And and I think thathistorically, it absolutely was
the case. What what I thinkchanged all that is APIs. And

(46:53):
what happened with APIs over thecourse of the past ten years for
sure, when a technology companyprovides a set of APIs that
allow for control andinterrogation of the way that a
technology works, that enablescustomers, enterprise customers
in particular, to choose theirown path and to devise their own

(47:14):
kinds of interactions. Nowyou're no longer in this captive
model where the the vendor needsto produce that sort of workflow
support for the enterprisecustomer. The enterprise
customer can produce it on theirown.
So I I I've always referred toAPIs as being the great enabler
when it comes to unlockingaccess to the enterprise market

(47:34):
because it solved whathistorically was an obstacle.
And again, like, I will get backto the point that technology
must be measured in someobjective way based on its
competence at performing thetask that it was designed to do.
If you're buying a firewall, ifyou're buying XDR, if you're
buying email security, you canmeasure the effectiveness of it.

(47:54):
And there are probably alreadyobjective measures whether it's
coming from a third party likean analyst like a Gartner,
whether it's coming from thevoice of the customer through
peer insights, whether it'scoming from a more rigorous
scientific measurement like theMITRE ATT CK enterprise
evaluations. There's a lot ofreally good reference material
out there, and I I know thatbuyers are using this.

(48:16):
When when you look at it, therethere tends to be a clustering,
like, invariably, like, in theGartner Magic Quadrant, for
example, there is a leadersquadrant, and and there is a
cluster of six vendors, youknow, in in endpoint or in email
security or whatever it mighthappen to be. That clustering
implies that there is a lot ofcommonality and similarity in in

(48:37):
what the leaders in a space arebuilding. And there might be,
like, two degrees of differencethis way or that way, and it and
it might be on the ability tosupport a particular use case or
another use case. But ingeneral, market leadership
implies competence across thethe set of expected utility that
a platform is going to be ableto provide. Once you've

(48:58):
established that, then it's justa matter of how well equipped is
the business to actually servethe needs of the customers in
that segment, and do they havethe scale that is required to
deal with hundreds of thousandsof customers or hundreds of
thousands of transactions ayear.
That that's where I think thedifference is made today.

Yeah. I think it's a great way to put it. And I
think the other piece that thatmany folks don't recognize and
has been much more clearer todayis the fact that there's this
perception that the SMBcustomers want really, really
simple products with, you know,a couple of knobs, and
enterprise customers want theincredibly complex products with
50 different knobs. And and thetruth is that the enterprise

(49:37):
customers don't want the the 50knobs because it becomes too
complex to manage it. You youknow, you wanna have these
relatively easy simple productsat the end of the day.
Everyone wants simple. They justwant them to do a lot of things.
That's the the the piece that'smore important.

Joe Levy (49:51):
That's right. And you you want the thing to work well
out of the box, and, you you youwant the flexibility and the
configurability ofcustomization, but you don't
wanna have to do it unless youneed to do it. And that's where
good UX principles and and goodUX teams help ensure that
vendors are driving gooddecisions in those places.

Agreed. Well, we're gonna get into the final section
of our conversation, and andthis is, you know, broadly
around your perspectives on theindustry as well as advice for
founders. And let let's startwith you know, you alluded to
this that you've been at verydifferent types of companies.
You've been at companies thathave been venture backed. You've
been at companies that have beenprivate equity backed, and then

(50:31):
you've also been in a seniorleadership role at a public
company.
So first was public before itwas taken private. What advice
do you have for technicalfounders on how to manage
companies of these differenttypes of categories? What is
different between thesedifferent types of companies,
and are there things that changeon the board that you also
factor in and and say, hey. Thisis something you have to

(50:52):
recognize.

Joe Levy (50:53):
So I'll start with, the differences. And and there
there are, of course,differences in different
ownership structures andshareholder structures. So
across the models of publiccompanies, private equity
companies, and venture backedcompanies, where where I think
they differ primarily is in afew dimensions. One is their
appetite for risk, and you couldthink of it as low, medium, and

(51:16):
high. And and the rank would gopublic companies are low,
private equity companies are aremedium, and venture capital
companies are high.
So that's one appetite for risk.Two, their control and their
engagement models, the way thatthey interact with the teams and
how much time they're actuallyspending in the business. And
I've experienced all of them andthere's a clear difference here.

(51:38):
So low, medium, and high. Publictends to be low.
Venture tends to be medium, andprivate equity tends to be very,
very high. Like, the PE wants toget into the operational
details. They've got operatingpartners. You mentioned Jim
Flagging. Jim Flagging is one ofmy favorite operating partners
ever, and I've got all the timein the world for that guy.

(51:58):
If he ever wants to talk to meor the team, pull up a chair.
That's goodness. So no sort ofvalue judgment on that, by the
way. Like, just because PE wantsto spend a lot time in control,
that could be a good thing whenyou've got the right people. And
and then the last one would bejust on what time horizon is the
business optimizing for.
And you could think of publiccompanies as being some sort of

(52:20):
evergreen where they're alwaystrying to optimize for
predictability, and they'rethey're trying to optimize
between this balance of shortterm and long term. Whereas
venture capital tends to be moreshort term oriented. They're
looking at how do they get tothat next round of investment,
how do they ensure that they'redriving it toward an up round,
and then maybe their exithorizon is, five to ten years.

(52:43):
And then private equity is inthe middle on that one. Private
equity, they they tend to bethree to five years, you know,
six years, something like that.
And there's usually a short terminvestment in operational
optimization and then dependingon the private equity operator,
ongoing investment to be able tosay, consolidate, expand into

(53:04):
new markets, do tuck ins, thatsort of thing. So that that from
my experience, that's thedifference between the the three
kinds of ownership structures.And then when it comes to the
advice, you know, I I'll I'lljust I'll call back back to
Lanschoni again and and thisprinciple of there needing to be
one team. Like within Sophos,for example, there are many
different functional groups, butit's just team Sophos. And

(53:26):
that's the way that theleadership team thinks about it.
And that's the way that you needto think about it in your
relationship with your board. Itcan't be your board. It can't be
your investors and you. It hasto be team company. And and as
long as you maintain that kindof relationship, you're gonna
have a good working arrangementwith the board.

Joe, let's dive deeper into this the topic of
the cybersecurity power of theline. I remember the last time
we've discussed this, I did mostof the talking, so I would love
to flip the script and and nowhear your perspective on this.
So the good news is that overthe past several years, this
issue is finally being discussedmuch more often than it was
before. Now the bad news is thatdespite all the discussions, we

(54:06):
haven't been able tomeaningfully change the
situation and truly impact andand shift the the problem. So it
does appear that the gap betweenthose that have access to
security and those that don't isstill massive.
In in many ways, it is evengrowing. From your perspective,
what are we missing? Like, isthere like, what it would take

(54:27):
to actually move the needle atthe structural level and to get
more organizations that don'thave access to security and more
people that don't have access tosecurity to finally get that
access?

Joe Levy (54:39):
Yeah. I I love that question. And we've we've been
asking it as an industry foryears. Like, you know, we spend
billions of dollars oncybersecurity. Why isn't it
getting any better?
And first of all, I I thinkthere's ways to measure that we
are getting better. So, like,I'll start by saying that this
is not bleak and hopeless andwe're never gonna get on top of
the problem. There there areways to improve. I think that

(55:01):
one of the primary missingingredients here has been
figuring out how you scale acybersecurity strategy across
larger segments of the market.Like, again, like if we go back
to that that statistic of we got32,000 CISOs for 359,000,000
organizations, less than one in10,000 have access to a CISO.

(55:22):
If you use the title CISO as aproxy for this idea of having a
strategy for cybersecurity riskmanagement, you immediately
begin to see that we're playingsix year old soccer as an
industry and we're we're justgoing out and spending money on
products and services, but wedon't actually have a strategy.
We don't have a desired endstate that we're driving toward.

(55:44):
We don't have KPIs to enable themeasurement of the progress that
we're making toward that. How dowe know that we're getting
better? Like, that's a questionthat the industry is just not
really able to answer.
And and I think that until weunlock this this notion of
access to CISO likefunctionality for the vast
majority of businesses, that weare gonna be trapped in this

(56:04):
poverty cycle that we justhaven't managed to break
ourselves out of. So so for me,that's it. Like, how do we as an
industry, how do we figure outhow to scale that kind of
strategic access to all of theseorganizations that up until this
point couldn't even dream ofhaving a CISO.

Joe, I wanna I wanna talk a little bit about,
you know, the the the personalaspect of, you know, your your
you leading. And many may notknow this, but for those of us
who do know you, you you've alsohad a whole bunch of personal
things that have happened on thehealth side. How do you could
you talk a little bit about thatand how do you manage that while
also leading a multi thousandemployee company? How do you

(56:44):
kind of, you know, go andbalance that? Because many
founders go through thoseexperiences.

Joe Levy (56:48):
Yeah. So I am I I'm I'm happy to share this,
because, Sid, as you said, therethere are a lot of people who go
through this sort of thing, andI I think it's helpful for
people to know that there's alot of company out there. So,
about a year ago, right aboutthe same time that I took the
interim CEO appointment, I wasdiagnosed with melanoma, form of

(57:09):
skin cancer and I was fortunatein that it was fairly early
discovery, stage 2B. My wife whoI think usually doesn't pay that
close attention to me wasactually quite eagle eyed. She
said that that mole on your headlooks a little different.
Maybe you should, go talk to adermatologist and see what they

(57:30):
say. And they they biopsied itand and it came back as a
melanoma. And I and I remember II was at our partner conference
in Austin, Texas last year and Iwas about to step up on stage to
start our opening keynote. And Ireceived a phone call from my
dermatologist's office and I andI looked at the caller ID and
I'm thinking to myself, it'sabout seven minutes before I

(57:51):
have to go on stage. Should Itake this call?
Thought about it for a minute,and I answered the call, and he
and he said, hi, Jody. Got asecond? I said, yeah. Are you
about to ruin my day? And hesaid, yes.
So that that was, that that wasan unexpected discovery, but
what what I could say is numberone, thank God that it was
discovered when it was. Youknow, I I continue to thank my

(58:11):
wife every single day for justpointing that out to me. The
company was just in a greatshape at the time. I I was able
to step away for surgery andsome recovery over the course of
about three or four weeks. Theboard was incredible in their
support for me and, you know,now now it's just like regular
maintenance at this point andknock wood, things have things

(58:32):
have gone good so far.
So these surprises happen and,you know, you you're never
prepared for them and you younever, you never quite know how
they're going to turn out. Soagain, like, I I feel nothing
but gratitude for my situation.Hopefully, other people who are
going through similar kinds ofthings can say the same things
and have similar sorts ofoutcomes, but I I just I

(58:55):
consider myself very fortunatefor being at a time where I was
stepping into what was probablyone of the most stressful
experiences of my life, bothprofessionally and personally,
to have the kind of support thatI had.

Thank you for sharing that, Joe. Even even
more so because I think thereare more founders and CEOs who
go through this, and it's justnot publicly discussed. I mean,
it's very sad to say this, but,you know, Amit Yaron was one of
the people who had said hereally wanted to be on the show.
Like, I have an email from himsaying, Sid, as soon as I'm
better, I'd love to be on thisshow. And, unfortunately, you
know, we won't ever be able tohave that that opportunity.

(59:28):
And, you know, this isn'tsomething that that is, you
know, one off. We we see this alot more, and it's it's it's
good to see leaders like youjust sharing it a little bit
more publicly as well.

Joe, let's switch to the two words that you have
used extensively in ourconversation today, culture and
leadership. What are some thingsabout culture that you have
inculcated in Sophos? And as youlook at your own leadership
style, how do you see itevolving over the next phase of
your journey?

Joe Levy (59:57):
So I will, again, refer back to my personal
learnings from Lencioni on thisone. And, this this gets back to
the way that you set the examplefor how a company should be run.
And, you know, in particular,I'll I'll refer to the five
dysfunctions of a team. And I Idiagnosed some inefficiencies in

(01:00:21):
our business when I stepped intothe CEO position, and, I
realized that there were somethings that we can improve
across some of these dimensions.And and just to list them for
listeners, number one is absenceof trust.
Number two is fear of conflict.Three is a lack of commitment.
Four is avoidance of teamaccountability. And five is

(01:00:41):
inattention to team objectives.So, like, you hear these things
and you you say to yourself, ofcourse, the these are
dysfunctions.
But the two in particular thatthat were most important for me
were getting to the point wherethe leadership team engages in
this idea of vulnerability basedtrust. And vulnerability based
trust means that you can't justexpect that people will trust

(01:01:04):
you without first demonstratingto them your own vulnerability,
that you're you're receptive tofeedback and you're willing to
listen and and you're willing toexpose your soft underbelly in
the way that you engage withother people. That that has to
happen otherwise, you're justnot gonna be able to build
healthy trust basedrelationships between people in
your team. The the other onethat I'd say is really really

(01:01:26):
common and and you see thisoften in organizations that tend
to run by consensus. And, Ithink consensus is a bad word,
really.
And I think the the the way thatthis manifests itself is that
they tend to move away fromconflict. They they tend to try
to solve problems in a series ofpeer wise conversations where

(01:01:48):
where they drive consensusiteratively over an
excruciatingly long period oftime. And I think the antidote
to this is that the culture mustbe set by leadership whereby
there is a willingness to engagein productive conflict. And
there's this principle thatLencioni talks about which he
describes as telling the kindtruth. And that basically means

(01:02:10):
sometimes you have to saysomething that people don't want
to hear, just be kind when youdo it.
And and I think that the morewilling an organization is
number one to build theserelationships founded on a
principle of vulnerability basedtrust and to steer clear of
consensus driven decision makingand to engage in productive
conflict through telling thekind truth. That that is one of

(01:02:34):
the most rapid ways to solvewhat I think is one of the most
challenging set of culturalproblems in many organizations.

Ross Haleliuk (01:02:42):
One last question around the vulnerability based
trust, Joe. You talked aboutleading with an example, showing
yourself underbelly. And I knowseveral people who have done
that and have built a culturethat's extremely positive. On
the flip side, I have somepeople who say when they did
that, people took advantage ofthe fact that they were being

(01:03:03):
opened down the road. Somethingcame back to haunt them.
So I'm willing to trust you, buthow do I know that you won't
stab me in the back down theroad? You know, that's the
question that comes up in theValerie based first approach.
And I'm curious, like, how didyou resolve that internal
dilemma? Well, you need to bewilling to go out on

Joe Levy (01:03:21):
a limb. Somebody has to be a first mover in these
sorts of relationships. You needto be the one to extend and to
lead by example. And frankly, ifthere are instances where people
weaponize that, where somebodydoes attempt to build this kind
of relationship through theestablishment of vulnerability
based trust and it'ssubsequently weaponized by

(01:03:41):
someone, that person probablydoesn't belong in the company.

Yeah. Yeah. Yeah. Now thank you, Joe, for, you
know, sharing your journey, youknow, sharing some very
important insights on theindustry and how the industry is
evolving. And, particularly, thethe golden statistic that you
shared with us today that veryfew of us really appreciated,
that you have over 350,000,000companies worldwide and only

(01:04:08):
just slightly over 30,000 CSOs.
You know, when when we look atthat statistic, it is scary. It
is both an opportunity for us toimprove on what we are doing,
and, we look forward to your,your leadership and insights in
solving some of these problemsas we progress. So thank you so
much for joining us today.

Sid Trivedi (01:04:28):
Thanks, Joe.

Joe Levy (01:04:28):
Thank you.

Sid Trivedi (01:04:31):
Thank you for joining us inside the network.
If you like

this episode, please leave us a review and
share it with others. If youreally, really liked it and you
have some feedback for us, wrapit on a bottle of Yamazaki and
send it to me first. No. Don'tdo that. Mahindra gets too many
GIFs already.
Please reach out by email orLinkedIn.

All Episodes

Episode Transcript

Popular Podcasts

Bookmarked by Reese's Book Club

On Purpose with Jay Shetty

Dateline NBC

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Joe Levy: Scaling Sophos to $1B+ revenue and defending the 350M overlooked businesses

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Bookmarked by Reese's Book Club

On Purpose with Jay Shetty

Dateline NBC

All Episodes

Joe Levy: Scaling Sophos to $1B+ revenue and defending the 350M overlooked businesses

Bookmarked by Reese's Book Club