Cyber Means Business: Ross Mckerchar On When Security Vendors Become The Risk
Sophos, Wednesday, February 25th, 2026
In this edition of Cyber Means Business, Ross McKerchar, chief information security officer at Sophos, explains how attacks against cybersecurity vendors themselves are reshaping how organizations think about risk, trust, and responsibility. Drawing on Sophos' experience responding to a long-running nation-state attack, McKerchar argues that security vendors must be evaluated not only on the protection they offer customers, but on the security and transparency of their own operations.
When cybersecurity vendors themselves become targets, the consequences extend beyond the risk of technical failure into trust, accountability, and business risk.
That issue sits at the center of Ross McKerchar's work as chief information security officer at Sophos. Over more than 18 years at the company, he has progressed through infrastructure, network, and security leadership roles, and today is responsible for corporate, infrastructure, and product security. That scope has given him a front-row view into how tightly suppliers, internal systems, products, and customers are now connected.