Secret CSO: Ross McKerchar, Sophos

What do you feel is the most important aspect of your job? “Undoubtedly, the most important aspect of my job is finding, training and retaining smart and motivated people.”
Name: Ross McKerchar

Organisation: Sophos

Job title: CISO

Date started current role: March 2018

Location: Oxford, United Kingdom

Ross McKerchar has spent the last 13 years at Sophos advancing through the organisation to his current role of CISO, which he has held for the previous two years. In this role he runs the organisation’s security operations as well as the assurance and product security functions. His team consists of world-class security experts who help protect Sophos through innovative and cutting-edge tools and techniques.

What was your first job? My first ever job? I grew up on a farm in Scotland. When I was 13, the farmer paid me £15/week to walk around the fields twice a day and make sure that no sheep had rolled over and were stuck on their backs!

My first tech job was building websites for small, local businesses in the mid-to-late 90s.

How did you get involved in cybersecurity? It sounds a little shallow, but I first got interested in cybersecurity when I was younger. I always thought that it was the “coolest” area in tech. If you were at a party and told someone you were in IT, their eyes would glaze over. But even in the early 2000s, if you started talking about cybersecurity, people would immediately get interested. Either they had experienced or seen a problem themselves, or they were interested in hearing if you were “a hacker”.

What was your education? Do you hold any certifications? What are they? I have a BSc in Computer Science from Edinburgh. I also have a CISSP.

Explain your career path. Did you take any detours? If so, discuss. I began as an IT generalist for a small civil engineering firm, starting part time while at university. It was a great way to start as it allowed me to get involved in loads of different areas. I was on my own, without anyone overseeing me, so I dove in and tried to solve everything myself – from networking through to developing some bespoke software for the organisation. In hindsight, I tried to re-invent the wheel and built way too many custom programs when it would have been more sensible to buy, but it was a great learning experience and a good practical counter-balance to my very theoretical degree.

After working at this firm full-time for a couple of years, I moved to Sophos. I actually applied for a development job and didn’t get it, but the company offered me a job as a Linux system engineer instead. I’m still not sure why, as I barely mentioned Linux on my CV! I took it, since I knew I wanted to work in security full-time and I figured that the best place to be was at a company that had security in its DNA.

It was an incredibly fortuitous decision, even if it didn’t go quite as planned. My intention was to join the internal security team as quickly as possible once I started, but I hit a snag when I realised that they didn’t have a security team! This was 13 years ago when Sophos was a much smaller and very different company.

So rather than join the security team, I made it my mission to build one! The timing turned out to be perfect as Sophos was just beginning to realise that it needed its own dedicated cybersecurity function. I was able to lead it from the very start and grow my career and team in tandem with the company.

Was there anyone who has inspired or mentored you in your career? I remember reading Mike Rothman’s The Pragmatic CISO when I was making the transition from being a security techy to leading a security team. It was a great introduction to balancing risk and business priorities with security. I’ve also had the opportunity to work with and make some great connections at Sophos, such as Gerhard Eschelbeck, our former CTO, who went on to lead security for Google.

What do you feel is the most important aspect of your job? Undoubtedly, the most important aspect of my job is finding, training and retaining smart and motivated people.

What metrics or KPIs do you use to measure security effectiveness? As an industry, I think we’re pretty bad at finding and sharing meaningful metrics. We spend a lot of time measuring the process rather than the outcomes. And when we do measure outcomes, it’s often not meaningful. A good example is phishing stats – the number of people that click on phishing links is pretty meaningless if you don’t also define how sophisticated the phishing attack was. A much better phishing metric is how many of the people who get assessed report it to the security team, and how quickly the team can take that report and use it to find out if anyone else has fallen for the same attack. These are the types of measurements we prioritise at Sophos.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We’re lucky enough that over the years we’ve built up enough momentum that hiring isn’t as big a challenge as it is for most organisations. Once you get over the barrier of structuring the complete basics, hiring gets easier as you have an attractive proposition. Most people want to do the fun and more cutting-edge stuff, not just the basics!

Cybersecurity is constantly changing – how do you keep learning? Nowadays, I mostly learn from my team! They’re always doing cool, new things and are way ahead of me. Beyond that, I’m a big fan of podcasts as it’s easy to listen while cooking, driving, etc.

What conferences are on your must-attend list? I actually prefer the smaller conferences where you get to have good conversations and it’s just real practitioners. For example, there are some really good BSides conferences out there.

What is the best current trend in cybersecurity? The worst? Best: I think the way we handle identity and authentication has seen huge improvements in the last few years – both on the business and consumer side. It’s not going to happen overnight, but all the great work FIDO has been doing with WebAuthn has the potential to get us away from our heavy reliance on passwords. That would be great for everyone.

Worst: All these heavily marketed consumer VPN services. They are sold as all you need to protect you and your family from cyberattacks. VPNs can be useful in specific scenarios, but there are other, more important things you need to do to stay secure online.

What's the best career advice you ever received? “Executives don’t like surprises”. In the cybersecurity profession, you’re often the bearer of bad news. This advice helped me figure out how to best deliver that bad news.

What advice would you give to aspiring security leaders? Communication skills, an understanding of the business and its finances, and pragmatism are the three areas where I think most security professionals struggle. They all go together, as you can only truly explain a risk or an incident well if you can put it in terms that make sense to non-security leaders. This is typically most effective when you explain the business impact (or opportunity!). Furthermore, technically equivalent risks can have hugely different business impacts, so understanding the business well allows you to be pragmatic and focus on the one that really matters.

What has been your greatest career achievement? Developing the team I have now has been my greatest career achievement. It’s been an incredible opportunity to build a team from scratch, especially bringing on people with the promise of career development opportunities. Being able to fulfil that promise and watch them develop expertise and skills far exceeding my own has been incredibly satisfying.

Looking back with 20:20 hindsight, what would you have done differently? Acted more boldly and thought bigger. At multiple times in my career, in hindsight, I’ve seen opportunities on which I didn’t fully capitalise. This was typically because I wrongly assumed that someone more senior than me had already thought about it and decided not to do it for reasons I wasn’t aware of.

I’ve since learned never to assume someone else is thinking about a risk or an opportunity that you see; it’s always worth raising. Worst case, if someone else has already thought of it, you’ll learn something and refine your own thinking through talking to them about it.

What is your favourite quote? It’s not particularly inspirational, but I really like “Easy things should be easy, hard things should be possible” from the inventor of Perl. I’m not a big Perl fan, but I think this is a great concept for product design. Obviously, overseeing security for a security vendor, I regularly get involved in Sophos product discussions and inevitably end up quoting this, as it’s a great principle to guide interface design.

What are you reading now? Business Adventures by John Brooks.

In my spare time, I like to… I’m a very keen rock climber and happiest when dangling above the sea on some overhanging limestone. However, having recently bought a Victorian-era house and having a very young daughter, I find a lot more of my time recently has been spent on DIY and parenting!

Most people don't know that I… have never eaten at McDonald’s. No particularly big reason why. I was brought up vegetarian so my parents never took me as a kid and now, even though I do eat a bit of meat (and I guess they have veggie options now!), it’s just never appealed to me.

Ask me to do anything but… sing a song in tune.