When it comes to cybersecurity expertise, leadership, and forward-thinking, look no further than Ross McKerchar, CISO at Sophos. Based in the southwest of the UK, McKerchar has built and led Sophos’ security team for almost 17 years. Founded near Oxford, Sophos is a global cybersecurity company, leading the industry in managed threat detection and response, as well as endpoint, network, email, and cloud solutions.

As the CISO of Sophos, McKerchar oversees all aspects of Sophos’ cybersecurity posture, including corporate, infrastructure, and product security.

McKerchar believes in building a security program with authenticity and transparency as its core values. His mission is simple—“I want to make Sophos the most trusted brand in cybersecurity.”

A transparent approach to cybersecurity

In his long tenure in the security space, McKerchar has witnessed a lot of FUD (fear, uncertainty, and doubt) tactics and tropes, such as web pages promising “military grade encryption,” boasts of never having been hacked, and clichés assuring customers that the organization takes security seriously.

He believes in taking the opposite approach. “At Sophos, we like to talk about the issues we may have. If you’re transparent about issues and how you’re overcoming them, it shows strength in your security program,” McKerchar says.

This approach acknowledges the constantly shifting nature of the modern attack surface. New challenges are always surfacing, and it is unrealistic to expect security teams to outpace them on their own every time.

“Security is never ‘done.’ Every company has to work really hard to maintain their security posture. By taking a different approach, leaning in to demonstrate continual efforts with facts and actions instead of just words, organizations can better respond to security challenges,” McKerchar says.

Demonstrating trust up and downstream

As the CISO of a cybersecurity vendor, McKerchar needs to think both about the risk from his “upstream” suppliers and the risk to his “downstream” customers.

First, from a downstream perspective, Sophos has over 600,000 customers and is the world’s most widely used MDR provider. For these organizations, McKerchar and his teams work continuously to foster trust and ensure that Sophos’ products are as secure as possible.

From an upstream perspective, McKerchar must evaluate the security of vendors in his own supply chain. After all, an organization is only as strong as its weakest link.

One less conventional method he uses to evaluate vendor security is to look at the vendor’s bug bounty engagement.

“Bug bounty programs are an underutilized way of evaluating a vendor. Security teams send out those long security questionnaires, but ultimately, words are cheap, and it can be very hard for teams to understand the underlying security posture of potential vendors. To get a good signal on a vendor, my team looks at their bug bounty program. Like our own program, we are looking for a wide scope, competitive rewards, and good engagement levels. You can’t fake a good bug bounty engagement.”

Zooming out on risk

Sophos is a large organization with a very diverse set of products. This naturally creates a large attack surface that requires protection in a variety of different ways.

One strategy McKerchar leverages to do this is by “zooming out on risk” to see the bigger picture. “I’ve seen organizations get caught up in the perceived risk of security protection measures such as bug bounty engagements. They feel like by using crowdsourced solutions, they’re inviting attacks. If you worry too much about that, you’re missing the bigger risk—the potential impact of serious vulnerabilities across your organization.”

By zooming out to look at the bigger picture, the Sophos team reduces risk overall, and in turn, becomes more secure. This is especially crucial now, when the time that threat actors take to exploit vulnerabilities on an organization’s perimeter has dropped from weeks to days to hours to minutes.

Sophos takes a multi-layered approach to attack surface management. Common misconfigurations and weaknesses are managed via bespoke tooling combined with Sophos Managed Risk, providing 24/7 support to identify and address high-priority issues. By partnering with Bugcrowd, Sophos uses a bug bounty program to spot the hidden and emerging issues that tools can miss. “The hacker community can outrun threat actors at an unprecedented pace. It’s like having hundreds of extra people working for you and keeping an eye on your perimeter, without the logistics and challenges of actually hiring people. Not even the largest security teams can do what a well-managed bug bounty engagement can achieve.”

To get more expert advice from CISOs, check out Bugcrowd’s newest report, Inside the Mind of a CISO.