
Cyber Means Business: Ross McKerchar on When Security Vendors Become the Risk

By Joan Goodchild

Feb 25, 2026

In this edition of Cyber Means Business, Ross McKerchar, chief information security officer at Sophos, explains how attacks against cybersecurity vendors themselves are reshaping how organizations think about risk, trust, and responsibility. Drawing on Sophos’ experience responding to a long-running nation-state attack, McKerchar argues that security vendors must be evaluated not only on the protection they offer customers, but on the security and transparency of their own operations.

When cybersecurity vendors themselves become targets, the consequences extend beyond the risk of technical failure into trust, accountability, and business risk.

That issue sits at the center of Ross McKerchar’s work as chief information security officer at Sophos. Over more than 18 years at the company, he has progressed through infrastructure, network, and security leadership roles, and today is responsible for corporate, infrastructure, and product security. That scope has given him a front-row view into how tightly suppliers, internal systems, products, and customers are now connected.

Those connections were tested during what Sophos refers to as the Pacific Rim incident. Beginning in 2020, a long-running, nation-state-linked cyber campaign targeted Sophos firewall products. The attackers exploited vulnerabilities in network security devices that were widely deployed at customer organizations around the world. Because those devices operate at the edge of corporate networks, a successful compromise created the risk that attackers could gain access to customer environments, potentially exposing internal systems, traffic, or data, while also creating operational and reputational risk for Sophos itself.

Sophos identified the activity, removed attacker access, and publicly disclosed details of the intrusion. The company also worked closely with government partners and invested heavily in strengthening product security, detection, and response. For McKerchar, the experience underscored how closely tied reputational risk, customer impact, and long-term business outcomes are when trust is the core asset.

CISO Leadership Takeaways

  • Every vendor, including security vendors, introduces risk and must be evaluated accordingly

  • Product security, corporate security, suppliers, and customers form a single connected ecosystem; the resulting collective risk is mitigated by shared visibility, accountability, and coordinated action across the value chain

  • Breaches at cybersecurity companies are often viewed as failures of competence, not just security

  • Transparency carries commercial risk, but so does silence

  • Trust is reinforced through sustained practices that are difficult to fake, including vulnerability disclosure and product security investment


Joan Goodchild: When security vendors become targets, as was the case in the Pacific Rim incident, how does that change a CISO’s understanding of business risk and responsibility?

Ross McKerchar: Every vendor in your supply chain is a risk, and cybersecurity vendors are no different. It is easy to think of a security vendor as something that simply mitigates risk, but even the most secure vendor introduces new exposure into your organization. Security tools are still third parties, and they need to be evaluated in terms of both what they reduce and what they add.

That means CISOs have to approach onboarding decisions with the same rigor they would apply to any other supplier. You have to weigh the pros and cons, understand where new trust boundaries are being created, and be honest about the tradeoffs. A security product can lower certain risks while increasing others, and that balance has to be clearly understood at a business level.

How did this become such a central focus of your work at Sophos?

We learned, through painful experience, the importance of product security. After the Pacific Rim incident that began in 2020, we realized this was not just a Sophos problem. It was an industry problem. Many security vendors, including Sophos, had built products that were rich in features but not always built to be secure by modern standards.

What became clear was that we were not alone. We were seeing other security companies experience very similar incidents, which reinforced the idea that this was systemic. That realization drove a significant investment in both our security teams and our product security practices, along with a decision to be much more open about what we were doing and why.

How does that experience challenge the traditional separation between product security, corporate security, and customer risk?

They are intrinsically linked. I often describe it as a continuum that starts with suppliers, moves through corporate environments, then product environments, and ultimately reaches customers. In reality, these are not separate domains. They are all connected parts of a single digital ecosystem.

Many organizations over-index on upstream supply chain risk and spend far less time thinking about downstream risk. But when something goes seriously wrong, it is customers who feel the impact. Thinking about security as a connected system allows you to design layered controls that assume compromise and prevent issues in one area from cascading into others.

What should boards and executives take away from attacks on security vendors when thinking about systemic and supply chain risk?

When a cybersecurity vendor is breached, it is often viewed as a failure of competence, not just a failure of security. This is what security companies do, so expectations are higher. That immediately raises questions about trust and reputation, which can be difficult to translate into business impact.

One way to frame it is through growth. Most cybersecurity companies are growing, and even a small reduction in growth following an incident carries forward year over year. That compounding effect means reputational damage can translate into significant long-term financial impact. Boards also need to recognize that trust, more than source code or intellectual property, is the primary asset cybersecurity companies are protecting.

How should security leaders in every enterprise balance transparency with commercial risk, especially in cases involving nation-state activity?

There is significant commercial risk in not being transparent. Major incidents have a habit of coming out eventually. The real question is whether you disclose on your own terms or allow customers to discover the issue years later and ask why you did not say anything.

Transparency can be the commercially smart decision, but only if it is paired with competence. Once you start communicating, expectations rise. Customers expect timely updates, clear explanations, and evidence that you understand what happened and how you are addressing it. If you have not invested in those capabilities, transparency becomes much harder to sustain.

If defenders themselves are prime targets, what does secure by design mean at the business strategy level?

Secure by design provides a way for companies to explain how they are investing in security in a way that resonates with customers. It is less about compliance and more about transparency. It gives organizations a framework to talk about the practices and decisions that shape how products are built and maintained.

For cybersecurity companies, the importance of this is amplified. Initiatives like the Cybersecurity and Infrastructure Security Agency’s secure by design principles create an opportunity to be explicit about how security is prioritized and embedded. It allows vendors to demonstrate their commitment through concrete actions rather than marketing claims.

What is one challenge the industry has not fully reckoned with yet?

Legacy software and hardware remain a major challenge. Older devices present significant risk, but maintaining and patching them indefinitely is often extremely expensive or technically impractical. In some cases, the hardware simply cannot support modern security controls.

Vendors that push customers toward modern, supported platforms may lose business to competitors who are willing to maintain older products longer. Those competitors may appear more accommodating in the short term, even though they are increasing risk. This creates a situation where vendors can be penalized for acting first, and it highlights the need for clearer industry standards.

There is also an unresolved question around how far private companies should go in actively defending themselves against sophisticated attackers. In Sophos’ case, taking a proactive approach imposed real cost on adversaries, but it required executive support and a willingness to accept risk in order to protect trust.


Written by Joan Goodchild

Joan Goodchild is a veteran journalist, editor, and writer who has been covering business technology and cybersecurity for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.