Ross McKerchar is our newly appointed CISO. We met up with him to find out more about why he took on the role, how his career led up to this, and what we can expect to see in cybersecurity in the coming months.
Hi Ross! So, what does being the CISO of a security company actually entail?
The CISO is a very broad role. Ultimately, you’re the guy who has to look at, and be responsible for, cybersecurity across the whole organisation. If I describe my team structure it will give you an idea of what we do.
Firstly, I’ve got my Risk and Strategy team. Their role is to try and prevent any problems happening in the first place. They do this by ensuring we focus our resources in the right areas, build and run our systems securely and keep everything in-line with our policies.
Secondly, I have a Security Assurance function. These guys have a really fun job: their role is to try and break things, to test that our controls are working. As well as testing individual components we run purple teaming exercises. These are simulations of a real-world attack.
You may have heard of red teaming – purple teaming is a similar activity but is conducted in close collaboration with the defenders (the “blue team”). The goal is not simply to break in, it’s to ensure that the blue team learns how to spot and defend against any identified weakness.
The Security Operations Centre (SOC) is our blue team. Its job is to actively defend against attacks by closely monitoring alerts and metrics from our infrastructure, as well as hunting for potential problems and keeping a close eye on emerging external threats.
Finally, I’ve got my Security Engineering function. They play with and deploy new security tools and products across our environment. This is an especially important role in a security company as our security engineering team plays a big part in developing and testing the effectiveness of our products. This ranges from working with our R&D teams to test out early stage proof-of-concept tools and techniques, through to ensuring that we have wide deployments of our products internally.
I’m really passionate about helping Sophos deliver products that are designed in conjunction with, and tested by, real-world security practitioners.
My role is to find really smart people to join these teams and to ensure that they function well together. Finding great people is hard so, to help us recruit, I try and make sure that everyone in the industry knows that Sophos is a fun and challenging place to work.
What do you think makes a great CISO?
Haha, this is maybe a better question for my boss!
The CISO is a very varied role and the day-to-day responsibilities can be very different in different companies.
Sophos is, at heart, a technology company so having a strong technical understanding is an important part of my role. It allows me to take some of the highly technical concepts that are required to really understand security and clearly explain them to others outside my team.
You sometimes hear the phrase “a mile wide, an inch deep”, but security people need to be a mile wide and a mile deep – they really do need to have a lot of knowledge.
However, technical knowledge alone is certainly not enough. Good communication and leadership skills are absolutely critical as you have to be able to work closely with the executive team, whilst running an organisation that gets stuff done.
When security is viewed as a silo that you can bolt on, it doesn’t work. It has to be something that’s woven in across the whole organisation. You can’t do that unless the C-suite understands the value of cybersecurity – how it links to core business capabilities and initiatives – and trusts you to execute it.
How long have you been at Sophos? Talk us through your career progression.
I’ve been at Sophos a very long time. I joined the company a couple of years after graduating with a Computer Science degree. I’ve always been interested in security.
I started off as a bit of a generalist, which is actually really good for a security guy because you need that wide understanding of everything – applications, networks, databases, virtualisation, etc.
I started at Sophos as a Linux guy with security on the side. I flipped that around within a couple of years and started doing much more security and grew the team from there. In one way, I’m almost doing the same thing I was doing eight to ten years ago, except on a completely different scale (and hopefully more effectively than I was all those years ago!). As the team grew, I slowly moved up the ranks, becoming Director, Senior Director and then CISO.
Everyone seems to be talking about ransomware and cryptojacking. But what are you and your team most worried about?
What concerns me is application security. Making sure applications are built and run securely is quite tough. When you have lots of them the surface area increases and, with that, the risks.
In particular, I think we’ll continue to see mega breaches tied back to organisations that have to run legacy applications. It’s like driving a car made in the 1970s down the motorway – no matter how good the road surface is or how many safety features you add on, you’re still driving down the fast lane in a car that isn’t designed for the modern environment.
The problem is, a lot of companies are really dependent on these legacy apps, and it’s dangerous. There’s only so much you can do to turn a 1970s car into something that’s good for a modern motorway without rebuilding it entirely, which is incredibly expensive.
Finally, I’d say supply-chain attacks. We’re seeing more and more situations where companies are getting breached via their supply-chain. Whilst this technique used to be more associated with nation-state groups, it’s increasingly used by criminal organisations too.
What do you like doing in your spare time?
I’m a keen rock climber and just love the outdoors. People think it’s quite dangerous but there’s actually a lot of analogies to computer security; it’s taking something that’s inherently risky and trying to make it as safe as possible. If you do it right, you can control the risks to an acceptable level.
I’m quite a news geek as well. These days, security and geopolitics are far more entwined than they used to be. It’s interesting to see how current events really influence your day job. When I first got interested in security, the attackers often just wanted to highlight weakness or show off their skills; now it’s more about financial or political gain.
I’ve also just bought a house so I’m getting into home automation. There are all sorts of cool little projects I’d like to attempt, but I’ve got far too much basic DIY to do first.
What can’t you live without?
I’m addicted to my smartphone, I look at it about 700 times a day. Infosec is such a fast-moving profession that there’s always something new going on but it’s now turned into such a habit that I do it subconsciously.
I love good food and hate it when food is prepared badly. Whenever I go travelling I actively seek out nice, wholesome, vegetable-heavy dishes. I also try to keep up my exercise routine – it’s easy to get out of shape when you’re travelling a lot.
So food, my smartphone, exercise and, oh, coffee. I do drink a lot of coffee, which is stereotypical of working in IT, I guess. It has to be good coffee as well, I’m a coffee snob for sure.
What can you advise others to do to keep their employees safe and secure?
I’m a big advocate of the essentials. Foundational security and good hygiene will get you a long way, especially if you’re not a specific target.
A big problem with phones and older computers is that they stop receiving updates after a while, so you need to make sure you’re still getting those updates – that’s really important.
You also need to make sure you’re running some sort of endpoint security software. Choosing strong passwords is a must and, particularly for mobile devices like laptops and phones, you want to make sure your data is encrypted.
Those are the absolute basics for keeping your devices secure.
And, lastly, ensuring your employees are appropriately vigilant when receiving calls, texts, emails, etc. Training is important but there’s more to it than that. You need to have simple and well-managed IT systems, such that you can boil advice down to simple rules.
If, for example, you have dozens of systems that ask for your password in different ways, it’s hard to explain to employees when it’s safe to type in their password. Unfortunately this problem is getting harder to solve, not easier, so multi-factor authentication is also a must these days.
Finally, do you have any security tips for at home?
Besides using Sophos Home, you mean?
Yes, I do – be cautious about your privacy settings. Realise that every single communication medium is used by the bad guys. Often, people who are very good at spotting scams in one area can get caught off guard in another.
It’s also good to remember that everyone’s got assets that the criminals care about. You should never think ‘it doesn’t matter because I’ve got nothing of value’. That’s a very big misunderstanding, and I’ll always call people out if they say that. You still have an obligation to protect your friends’ contact details, at the very least. Consider how bad you would feel if a vulnerable friend or family member got scammed because a criminal harvested their contact details from one of your devices!
Also, have an awareness of all the devices that can be attacked. Your average family home will have laptops and smartphones, but take some time to count up all the IoT devices you have and think ‘are they all definitely being kept up to date?’ The chances of your internet-connected toaster being hacked might be slim at the moment, but it’s good to be aware and make sure your devices are up to date.