CISO Conversations: Ross McKerchar, CISO at Sophos
Sophos’ Ross McKerchar discusses leadership at scale, retaining talent, defending against AI-enabled threats, and the industry’s growing trust problem.

Aggregated from SecurityWeek
Ross McKerchar began his Sophos career as the firm’s first security engineer 18 years ago and is now the company’s CISO. We discussed his journey and the role of the CISO.
“Like most youngsters, I played video games as a child. By the time I was 16, I was already convinced that IT would be a good, solid career – so I went on to take a computer science degree at the University of Edinburgh.”
But then came a realization. “I’m probably going to offend a lot of people with this, but much of IT is quite boring.” When you talk about IT, people’s eyes glaze over, he continues. But if you talk about cybercrime, they become engaged. “It’s whole of world rather than just the box in the computer room. It’s geopolitical, it’s adversarial, and it affects everybody, everywhere.” Conflict, he adds, makes for good stories – so, he shifted his interest from IT to cybersecurity.
The path to leadership and team management
How and why did he become a leader in cybersecurity? There is always a question over whether leadership is a genetic quality or something that can be learned: nature, or nurture – or both. McKerchar’s short answer is that it can be learned, but only if you enjoy it. For himself, he suggests, there was an element of both growing into it, and growing with it.
“When I joined Sophos 18 years ago, I was basically the first internal cybersecurity employee. In that sense, I was always the leader – of a team of one. Now I am the CISO with a much larger team.”

Along that route, he has had to acquire or learn skills that cannot be gained from a degree in computer science: how to recruit quality team members in an age typically described as a skills gap; how to manage that team to provide optimum performance; and how to maintain the team at that optimum performance.
“The skills gap is real,” he says, “but I think it is mischaracterized both in number and effect. The cybersecurity profession is growing faster than most others. So, in this sense there is an ever-increasing demand. Education is responding with more training in security fundamentals, so there are more people looking for work in cybersecurity.” The problem is that the demand is not for people straight out of college with a certificate but no experience; it is for people who combine experience with emotional and business intelligence. The skills gap is at the senior level rather than the graduate level.
Part of this is the continuing tendency for companies to ramp up security only after an attack. As a result, the security team suddenly leaps from two to a dozen in rapid time – and at such times, the employer wants seasoned professionals rather than newbie grads.
This creates a double problem for CISOs. Firstly, although there are more people looking for positions, the positions available are not looking for those people; they are more attractive to the experienced people you already have. This is the second problem: managing and maintaining the existing team. “You have to hang on to your team members because they could go – they could leave and get another job tomorrow.”
So, finding a good team is hard, but keeping it is just as hard. McKerchar’s approach is to encourage his team members to be the best version of themselves possible. “You hire smart people to tell you what to do. The role of the leader is to get the obstacles out of their way so they can do just that.” This doesn’t mean absolute carte blanche for the team. The leader must keep a light touch on the tiller to keep the team and its direction in line with the company’s business objectives. But the aim is to manage a happy and fulfilled team, because happy people stay when unhappy people leave.
However, the one constant in cybersecurity is change. There’s this new thing called AI. And one of the most often touted effects of AI will be an increase in the automation of expertise, and a corresponding reduction of the need for human experts – and by extension, a narrowing of the skills gap. McKerchar is reserving judgment.
“I spend a lot of time talking to my CISO peers,” he explains, “and I have to say the current narrative we’re hearing from the media and business leaders is very different from the one I’m hearing from peers.” He suggests that whatever reduction in hiring we’ve seen so far has been from firms taking a gamble – betting that in a year’s time they won’t need the hire, so they’re not doing it now.
He also suspects that some firms are now reversing that bet. “It’s been an interesting time. The LLMs are trained on public data, and it’s a challenge to get them to work well within an organization where organizational rather than public context is everything in triaging alerts. My human ops analysts really understand the business, and where to go and who to speak to – they almost have a sixth sense over whether an alert is more or less serious than is obvious. AI will get there, but it’s not there yet.” It’s tempting to describe current AI as high in knowledge, but low in understanding.
Nevertheless, adversarial use of AI is something that all defenders are watching closely. Cybersecurity is, by its nature, largely reactive. It is the attacker that is proactive, always looking for and developing new ways to attack; and the defender that must react with new ways to defend against new and previously unknown attack methodologies. AI is still a developing technology, and nobody yet knows its future capabilities.
“That’s the million dollar question,” says McKerchar. “Where’s it going to land?” He gives two suggestions. The first is the current primary adversarial use of AI: developing more advanced lures for phishing. “There is some evidence of it being used to automate attacks at scale, but the quality of the phishing isn’t yet at the level of a sophisticated attacker. It’s just the volume that has been significantly increased.”
He is more concerned about AI’s ability to find new vulnerabilities, an ability attackers are bound to exploit. Finding zero days is expensive, so when attackers find them, they tend to use them sparingly against high value targets with supply chain potential. But if the cost of a zero day falls and there are more of them, they will be used against smaller firms with weaker defenses. Smaller firms running proprietary software are not typical zero-day targets today, but as the cost of zero days comes down, their attractiveness as targets will go up.
Mental health
This doesn’t change the reactive nature of cyber defense – the difficulty is that it will increase the pressure on defenders through increased volume and sophistication of attacks. And this adds to the work of the CISO. Both the CISO and the security team will need to cope with increasing pressure. This isn’t new, but it’s getting worse. And sustained pressure is a primary cause of the mental health issue known as burnout.
“Burnout is a real thing in cybersecurity,” comments McKerchar. It is complete mental exhaustion and withdrawal from work, and is described by the World Health Organization as ‘a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.’ Cybermindz uses a technique known as I-Rest to treat burnout, which affects both CISOs and the entire security team. I-Rest is also used by the military to treat PTSD, so it is tempting to consider burnout as a form of slow burn PTSD caused by long term unmitigated stress. But as with all illnesses, prevention is better than cure.
“Take my own situation,” continues McKerchar. “I’ve been continuously on call for 18 years.” He applies the same arithmetic to the entire cybersecurity workforce: on call from the day each employee starts, and still ongoing. “The worst thing about cybersecurity is there’s nearly always something brewing that makes you uneasy – and it always seems to get worse on a Friday.” Being on call in cybersecurity is 24/7, including every Saturday and Sunday. “Even when not in the office, there’s this constant unease that something could blow up at any time.”
Preventing burnout requires reducing base stress levels and ensuring periods of zero stress. “You can’t expect people to put in a sprint when they’re running a constant marathon. So, I try to reduce the workload and increase the fun element. It’s not simply a case of insisting on decent work hours but also allowing people to work on the projects they want to work on – so the fun stuff as well as the critical projects.”
Even without burnout, people’s effective IQ drops through simple tiredness. “The last thing you need is a team that is sitting there and operating at 60% of their intellect when they’re trying to do the most important work of their careers. So, when we have a big incident, it is important that we define shift rotations and handovers and prevent people from overworking. There’s always some who just want to work – they want to keep going. But identifying them and making sure they don’t feel all the weight is solely on their shoulders, and insisting they understand that they must work in a sustainable fashion because we need them sharp – that’s very important for me.”
Managing stress levels, raising spirits, and avoiding constant tiredness is McKerchar’s way to prevent burnout.
Hacking back
A separate recurring theme in cybersecurity is whether cyber defenders should have the same right of retaliation as kinetic defenders. Few neutral observers question the right of Ukraine to retaliate in kind following the Russian invasion of 2022. Should cyber defenders have the same right following a cyberattack (a cyber invasion of their systems)? That is, should there be a right to hack back?
It’s a perennial question, but the consensus is that such a right belongs only to the government and not to individual companies. That said, McKerchar and Sophos took the question to its limits in a project Sophos calls Pacific Rim. Sophos discovered Chinese hackers attacking its firewalls, and increased its own observation and telemetry while improving the firewalls’ security. Over time, it discovered a compromised device that the attackers were using to develop exploits. It responded by putting its own kernel implant on the device so that it could monitor the attackers’ activity.
At a superficial level, this implant could be viewed as a form of hacking back even though it involved a local rather than foreign device – but it wasn’t ‘hacking’. Sophos obtained legal counsel and liaised with both the US NSA and the UK NCSC to ensure conformance with privacy regulations, and legality through the compromised device’s EULA with Sophos.
“I wouldn’t call it ‘hacking back’,” says McKerchar, “but we took some unusually robust actions to defend ourselves against this adversary. It’s more an example of walking the line, surveilling the adversaries while they developed exploits on our own devices, but keeping our customers safe from the actions we took.”
Mentoring
Advice, or ‘mentoring’ in the professional jargon, is another important facet of a CISO’s role. While not written into the job description, most CISOs happily advise members of their team on how to succeed with their own ambitions. This raises one question: what was the best mentoring, or advice, this CISO received in the early stages of his career?
For McKerchar, it was the simple statement, “Executives don’t like surprises.” It didn’t sound profound, but he came to realize it was all about communication. Security must often deliver bad news to, or highlight failings in, other departments. How you deliver that news is important.
“How you communicate these issues and how you bring people on board and get them working with you is remarkably hard. You must have good relationships. They must trust you, and you must be able to have one-on-one conversations first – there’s almost an order of how you want to tell people and it’s almost like a saving-face thing. That simple bit of advice helped me understand the importance of stakeholder and relationship management.”
‘Communication’ and ‘trust’ were recurring themes throughout our conversation with McKerchar.
The advice he gives to his own team is individual, depending upon the person concerned. But the most common is, “Understand what it is you really want to achieve. People,” he continues, “tend to tell you what they think you want to hear. They’ll typically say, ‘I want to be a CISO, a leader’.” They don’t necessarily know whether they want to be a hands-on technical leader, or a hands-off theorist, a business leader, or a consultant. They’re basically just saying ‘I want to be a success’. But you must know the destination before you can choose the best route to get there.
His second piece of advice is not to concentrate purely on technical skills. “I see so many people who just over-index on technical skills and don’t build up the emotional intelligence, the cross-functional execution and communication skills required to get stuff done in a large organization. That’s the number one thing I see holding people back.”
Threats
We always close these conversations with a simple question: what are the biggest threats we’ll likely face over the next few years? Certain themes are relatively consistent, such as AI. But McKerchar diverges.
“I should probably say ‘AI’, but I’m going to say ‘Trust’; and especially within the cybersecurity industry. I think the cybersecurity industry has a bad and growing trust problem. And the reason is a distinct and continuing trend for cybersecurity products to be the cause of breaches.”
He has a point. Recent examples include F5, SonicWall, Okta, Barracuda ESG, Codecov, MOVEit, Kaseya, 3CX, and of course SolarWinds.
“As someone deep in the cybersecurity industry, the obvious response could be to stand aside and look on with some weird form of schadenfreude at the tribulations of our competitors. But the real problem is it creates a trust issue for the whole industry. Collectively, we need to up our game in how we build and develop our own products; and I don’t know how that’s going to happen, because the market incentives don’t typically push vendors in that direction.”
If customers cannot trust the security products they use to defend themselves, everybody suffers – and this concern perhaps helps to explain the extreme measures he and his firm took to protect his own products, and his clients, from Chinese APTs during the Pacific Rim episode.