I joined Sophos 20 years ago when I was offered a place in the first graduate trainee program that the company ran. Today, I’m leading the team developing our new Sophos XDR product. It’s been quite a journey.
In the last year of my Physics and Astronomy degree at The University of Glasgow, Scotland, I wrote a program in C++ that analyzed data to work out how fast binary stars orbited. I realized I really enjoyed programming, and could make it my career.
When I came for my interview at Sophos I was really sold on the fact that we’re the good guys, and we help to protect everybody. And that’s how I made the leap from astrophysics to cybersecurity.
A lot has changed since then—for the company and for me—but that idea still gives me great job satisfaction.
20 years of growth
I was among the first few hundred people to work at Sophos; one of six trainees who started at the same time. We all had different academic backgrounds, and learned programming and software engineering practices on the job.
It felt like a startup back then. We used to send out our product updates on CDs, and at busy times the engineers would help to support customers on the phone. When we’d gather for a company meeting, we would literally all stand in a circle with our CEO in the middle.
Now there are 5,000 of us, all over the world, and those same meetings are big online events for thousands of people. Our engineers focus more on development, and the growth in computing means the people we recruit tend to already have programming and engineering skills before they come to Sophos.
Sophos XDR: putting the power in users’ hands
My career has grown along with the company. As well as managing UK-based engineers who work on our Linux and Microsoft Windows products, I’m now the overall lead for one of our most important projects: Sophos Extended Detection and Response (XDR).
Sophos XDR is important because the bad guys are always evolving their approach.
One of the changes I’ve seen over my time in cybersecurity is that there are now a lot more bespoke attacks that combine hands-on live hacking with the use of legitimate IT tools such as PowerShell and PsExec to avoid triggering an alert. Writing generic detections for those types of attacks won’t stop them.
Instead, we need to write tools that help customers find potential problems and resolve them—which is where Endpoint Detection and Response (EDR) and now Extended Detection and Response (XDR) come in.
Endpoint protection means we detect a threat we know is bad, and we stop it running. But EDR is more about giving a customer the ability to detect anything that might be suspicious, investigate, and address the situation themselves.
XDR takes that idea even further by expanding the visibility users have so they never miss a thing. This helps identify and stop the most stealthy, high-stakes attacks.
Diving into the Data Lake
Sophos XDR takes the most interesting points of data from various sources, including endpoints, servers, email, and firewall, and puts them into a Data Lake. That gives our customers a rich source of information; they can use it to look for signs they’ve been compromised, or just to check the health of their network.
It’s powerful because the data is optimized for customers to find those indicators. My team has written pre-populated queries that customers can run, so they won’t feel overwhelmed by the sheer volume of data. And all the SQL that sits underneath the query is already written, so the user doesn’t have to worry about it.
We’ve also introduced pivot capabilities—so it takes one click to start a new query based on your existing results. This speeds up investigations and reduces response times.
Another strength of Sophos XDR is that you have access to the data you need, even when devices are offline. So if there’s an attack and devices have been taken off the network you can still query the Data Lake to diagnose the issue. It’s exciting to see the Data Lake volume increasing as more customers come online.
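The workflow described above, with pre-written queries over a central event store and a one-click pivot from a result row into a new query, can be illustrated with a small self-contained example. This is added example code, not Sophos XDR code or the Data Lake's real schema: the `process_events` table, the column names, the canned queries and the sample events are all constructed for illustration, using SQLite as a stand-in for the Data Lake. It shows a canned query that flags an Office application spawning a script host (the kind of living-off-the-land activity mentioned earlier), a second canned query that surfaces PsExec use for review, and a pivot that takes the hostname from a hit and pulls that host's full timeline.

```python
import sqlite3
from typing import Dict, List

# Constructed sample telemetry (example data, not Sophos Data Lake records):
# one process-start event per row, as an endpoint agent might forward it.
SAMPLE_EVENTS = [
    # (hostname, ts, parent_name, process_name, cmdline)
    ("ws-finance-01", "2021-05-10T09:01:00Z", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws-finance-01", "2021-05-10T09:04:12Z", "winword.exe", "powershell.exe",
     "powershell.exe -w hidden -c <constructed placeholder>"),
    ("ws-finance-01", "2021-05-10T09:05:30Z", "powershell.exe", "psexec.exe",
     "psexec.exe \\\\srv-file-02 -s cmd.exe"),
    ("srv-file-02", "2021-05-10T09:05:31Z", "psexesvc.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("ws-hr-03", "2021-05-10T10:15:00Z", "explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

# Pre-written queries; the analyst picks one by name and never touches the SQL.
CANNED_QUERIES: Dict[str, str] = {
    # An Office application launching a script host is rarely legitimate.
    "office_spawns_script_host": """
        SELECT hostname, ts, parent_name, process_name, cmdline
        FROM process_events
        WHERE lower(parent_name) IN ('winword.exe', 'excel.exe', 'outlook.exe')
          AND lower(process_name) IN ('powershell.exe', 'cmd.exe', 'wscript.exe')
        ORDER BY ts
    """,
    # PsExec is a legitimate admin tool, so this surfaces it for review rather than blocking.
    "psexec_activity": """
        SELECT hostname, ts, parent_name, process_name, cmdline
        FROM process_events
        WHERE lower(process_name) IN ('psexec.exe', 'psexesvc.exe')
           OR lower(parent_name) = 'psexesvc.exe'
        ORDER BY ts
    """,
}

# Pivot query: same schema, parameterised on a value taken from a previous result row.
PIVOT_HOST_TIMELINE = """
    SELECT hostname, ts, parent_name, process_name, cmdline
    FROM process_events
    WHERE hostname = ?
    ORDER BY ts
"""


def load_data_lake(events) -> sqlite3.Connection:
    """Build an in-memory table standing in for the central event store (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE process_events ("
        "hostname TEXT, ts TEXT, parent_name TEXT, process_name TEXT, cmdline TEXT)"
    )
    conn.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?, ?)", events)
    return conn


def run_canned_query(conn, name: str) -> List[dict]:
    """Run a pre-populated query by name; the SQL stays hidden from the user."""
    return [dict(row) for row in conn.execute(CANNED_QUERIES[name])]


def pivot_to_host(conn, result_row: dict) -> List[dict]:
    """'One click' pivot: take the host from an existing result and show its full timeline."""
    return [dict(row) for row in conn.execute(PIVOT_HOST_TIMELINE, (result_row["hostname"],))]


def investigate(events=SAMPLE_EVENTS) -> dict:
    """Run the canned query, pivot on every host it flags, and summarise the findings."""
    conn = load_data_lake(events)
    hits = run_canned_query(conn, "office_spawns_script_host")
    timelines = {}
    for hit in hits:
        if hit["hostname"] not in timelines:
            timelines[hit["hostname"]] = pivot_to_host(conn, hit)
    psexec = run_canned_query(conn, "psexec_activity")
    conn.close()
    return {
        "flagged_hosts": sorted(timelines),
        "timelines": timelines,
        "psexec_hosts": sorted({r["hostname"] for r in psexec}),
    }


if __name__ == "__main__":
    summary = investigate()
    for host in summary["flagged_hosts"]:
        print(f"== {host} ==")
        for ev in summary["timelines"][host]:
            print(f"  {ev['ts']}  {ev['parent_name']} -> {ev['process_name']}  {ev['cmdline']}")
    print("PsExec seen on:", ", ".join(summary["psexec_hosts"]))
```

Running it flags `ws-finance-01` from the Office-to-PowerShell hit, pivots into that host's timeline (where the PsExec launch toward `srv-file-02` becomes visible), and lists both machines under PsExec activity. The pivot works because the host's events are already in the store, which is also why a device that has since been pulled off the network can still be investigated.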
Building the team that builds the software
I’m proud that my team has delivered such an important project while working from home, but I really like working in the office, and I’m looking forward to getting back to it.
I’ve missed meeting with my team in person. Being a manager—looking after people and building the team—is an important part of my role.
On the last day of our sprint, we always have breakfast together, and I’m hoping the new rules will allow us to celebrate the successful Sophos XDR launch. The canteen at Sophos is really good; the fish and chips that Sharon serves on a Friday are a real highlight.
Another thing I’ve really missed is whiteboards. When you start a project like this one, you just want to draw it out and sketch some squares to show, “this thing is going to talk to this thing.” And that’s so much easier to do on a whiteboard than on a screen.
As a manager, recruitment is also part of my job; I enjoy bringing in new people to energize the team.
Our recruitment has changed a lot compared to when I joined Sophos. The programming skills are a given, so we look for qualities that suit the Agile way we work: problem solving, communication skills, and being able to collaborate with other people. I also look for a bit of drive: sometimes people just grab you; you can tell that they’re really keen.
I’m involved in our internship program, too, and it’s important to me that we achieve a fair gender balance in our intern group.
Most of all, I really like seeing new people join the team and find things that they’re good at—then giving them opportunities to progress. After all, over 20 years at Sophos, I’ve been on that journey myself; it gives me a sense of pride to know I’ve helped them grow too.