An interview with our new CIO Tony Young

We recently announced the appointment of Tony Young as Global CIO of Sophos.

In his new role, Tony will be responsible for the strategy, security and management of the global IT organization at Sophos.

We met with Tony to say hello, and find out a bit more about him…

Welcome to Sophos Tony! What attracted you to the role of the first ever CIO of Sophos?

Thanks, I’m very excited to be here!

There were a few reasons that I was attracted to working at Sophos. First of all, I love high-tech. I’ve spent most of my working life in the industry and it’s a great place to be. I came to Sophos from GoPro where I was CIO, and working in a consumer business reinforced my excitement for our industry.

When I told people I was off to work for a security company, they asked me why. I explained that I had noticed how fractured many vendors in the security space are. A customer has to buy multiple products and then figure out how to stitch them all together. Everything is separate and you need an army of security professionals to enable and maintain any sort of security when faced with that fragmented approach.

Sophos really is “security made simple” – it’s more than just a tagline; the vision and strategy resonated with me as an IT buyer. Sophos was breaking the “point product” mold by making products talk to each other through “synchronized security.” Putting everything onto a single central management console made good sense – I could see that really makes things easier for security professionals, and for each business as a whole.

Where did you start your career?

I started my career at HP, working as a programmer. I worked my way up from developer, to senior developer, to project manager and then team manager. While working at HP, I went back to school at night to get my MBA.

After I received my MBA, and while I was building a CRM system, HP asked me to change roles to run the North America channel strategy for the PC business. Over the years, I became very intimate with this business. The new role was a challenge but it was great fun. It gave me a perspective into the business which, I believe, ultimately made me a better IT person.

After I left HP, I went to a startup for a year in another industry and then came back to HP to run ecommerce. Another two startups later (and the dot-com bust), I went to Informatica where I stayed for 13 years. It was a good run and I loved it there, but then a friend introduced me to the leadership at GoPro. Data integration isn’t sexy, it’s gritty, so working for a brand like GoPro was an exciting prospect for me, and one I couldn’t turn down.

How have those roles shaped what you’ll do at Sophos?

I think the variation of the companies I’ve worked for has been helpful to me. I’ve had the opportunity to see how large companies work and perform, and I’ve also experienced startups, as well as spending time in some mid-sized companies.

I’ve seen IT being done well, and I’ve seen it being done very badly. I’ve also seen the transformation from bad/good to great IT.

Throughout your career you build a playbook which you can refer to in your current role. You take the things you’ve learned and then you apply them. Knowing what worked well (and what didn’t) somewhere before is very helpful.

I’ve lived in Silicon Valley for over 25 years. You get to know a lot of cutting edge, innovative thinkers. There are about 6 different CIO groups in the Valley and we’re all really collaborative and open. We share with each other and are able to learn from each other. If there’s an issue someone is having, they can ask others if they’ve experienced it too, and can quickly get suggestions for a resolution.

What does being the CIO of a security company actually entail?

In general, a CIO’s role is quite fragmented. A CIO walks down the corridor and can be stopped by someone asking about the status of the supply chain project, take another few steps and he or she is being told about a network performance issue, then another few steps and they’re in a conversation about storage. The role is broad. Over time you realize you’re an inch deep and a mile wide.

At Sophos, security is at the forefront of everything we do, so the first questions are always about security, then capabilities. In most companies, it’s the opposite – the discussion is first about capabilities and then how secure something is.

What do you think makes a great CIO?

A great CIO needs to demonstrate great leadership – you need to be able to set a compelling vision for the team, and then get them bought into that vision and motivated to execute it. You also need to make sure that you are hiring and retaining top talent – you will only ever be as good as your team.

Making sure you are aligned with business priorities and listening to personal pain points is really important in IT. As a CIO, you need to remember that everyone in the company is a customer. If someone’s Skype meeting isn’t working, then that’s my problem. If someone can’t access email, IT needs to fix that for them. Every day you come to work to win business and make people more successful here than they could be at any other company.

Finally, you can be a good leader by doing the basics well. But the difference between a good leader and a great leader is that you don’t just lead with your head, you lead with your heart too. In my opinion, a great leader genuinely cares for the individuals on the team. Great leaders are trusted. And, people won’t care how much you know until they know how much you care.

What do you like doing in your spare time?

I do a variety of things – anything from woodworking to kiteboarding.

I’m health conscious and exercise several times a week. This is a great way for me to relieve stress and feel good.

We have two boys. They’re active and I’m active. I want to ensure we can always have fun together, and go out and enjoy life.

What can’t you live without?

Family aside, what I really love is good food, good wine and good whisky! If you want to bribe me, do it with one of those three things!

And I can’t forget the internet. I would choose that over TV in an instant – I could still watch my sports via streaming!

What can you advise others to do to keep their employees safe and secure?

It really goes back to the basics here – education and awareness. Phishing is the number one attack vector so educate your employees. Let them know that they should be on alert, and if they notice something that isn’t right then they need to tell IT immediately. I would rather have someone over report than under report. There’s no mistakes in reporting potential issues.

Other than that, enable them to be a good corporate citizen. Help them to do safe things, keep their computer patched, make sure they don’t turn off their firewall, tell them to use strong and varied passwords for each account and use two-factor authentication where possible. Small steps can make big differences.

Finally, do you have any security tips for at home?

If you have a family, watch your kids – know what they are doing on social media.

One of the challenges with kids is that they might be smarter with technology then you. You can put up all sorts of defenses to secure your kids online but they may well find ways around them. You can ask them to show you their phone but they can delete messages or use Snapchat. You can be their Facebook friend but they can limit what you see.

Technology moves so fast – there will always be a hack. You need to help your kids to make good decisions about what they decide to do online. Build up trust by talking openly about the ‘unintended consequences’ of online behavior – believe me, there are many – and if they trust you, then, like your employees, they are more likely to tell you if they’ve made a mistake.