Sophos bound

I’m very excited to announce that, in two weeks, I will be joining the team at Sophos. The company, dual-headquartered in Abingdon, UK, and Burlington, MA, creates some of the best network and endpoint security products for small and medium enterprises. Sophos was one of the first companies to join StopBadware’s partner program when it launched in 2011, and I’ve had impressively positive interactions with the people there ever since. They also have one of the most prolific and entertaining blogs in the industry.

I’ll be joining Sophos’s marketing team as a Senior Product Marketing Manager, specializing in endpoint security. I have my friend and colleague Joram Borenstein to thank for helping me realize that much of the work I’ve done at StopBadware over the past few years has been product marketing, even if I didn’t have a name for it. I’m looking forward to this foray into a new field and a new organization. I’m also glad that I’ll be able to draw on the immense amount I’ve learned about the security industry during my five and a half years at StopBadware. I’ve had the chance to work with amazing people on our staff and board, at our partner companies, and throughout the industry. I’m grateful for the opportunity I was given to lead this exciting initiative, and I look forward to remaining involved as a member of the StopBadware Board of Directors.

I’ll be spending this week wrapping things up and training my replacement at StopBadware. Next week I get to take a much needed break, and then I’ll jump into my new role at Sophos.

Accountability for insecure software

The FTC recently settled charges with mobile phone maker HTC, which provided highly insecure software on its Android phones:

The Commission charged that HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.

I haven’t seen much written about this, but it seems like a big deal. It’s the first time I can think of that a U.S. regulatory agency has held a company accountable for failing to provide reasonable security in its products. Indeed, for many years, software and hardware vendors alike have avoided accountability. Vendors often disclaim responsibility through license agreements and/or by asserting that all products have flaws, so they can’t be expected to provide perfect security. It remains to be seen whether this will be the start of a trend toward greater vendor accountability, and whether this action will get other product vendors to take notice and beef up their security efforts.