- What: CISO of Sophos discusses leadership and AI threats
- Impact: Industry insights for IT professionals
CISO Conversations: Ross McKerchar, CISO at Sophos

Sophos’ Ross McKerchar discusses leadership at scale, retaining talent, defending against AI-enabled threats, and the industry’s growing trust problem.

By Kevin Townsend | April 15, 2026 (9:00 AM ET)

Ross McKerchar began his Sophos career as the firm’s first security engineer 18 years ago and is now the company’s CISO. We discussed his journey and the role of the CISO.

“Like most youngsters, I played video games as a child. By the time I was 16, I was already convinced that IT would be a good, solid career – so I went on to take a computer science degree at the University of Edinburgh.”

But then came a realization. “I’m probably going to offend a lot of people with this, but much of IT is quite boring.” When you talk about IT, people’s eyes glaze over, he continues. But if you talk about cybercrime, they become engaged. “It’s whole of world rather than just the box in the computer room. It’s geopolitical, it’s adversarial, and it affects everybody, everywhere.”

Conflict, he adds, makes for good stories – so he shifted his interest from IT to cybersecurity.

The path to leadership and team management

How and why did he become a leader in cybersecurity? There is always a question over whether leadership is a genetic quality or something that can be learned: nature, or nurture – or both. McKerchar’s short answer is that it can be learned, but only if you enjoy it. For himself, he suggests, there was an element of both growing into it and growing with it.

“When I joined Sophos 18 years ago, I was basically the first internal cybersecurity employee. In that sense, I was always the leader – of a team of one. Now I am the CISO with a much larger team.”

[Photo: Ross McKerchar, Chief Information Security Officer (CISO) at Sophos.]

Along that route, he has had to acquire or learn skills that cannot be gained from a degree in computer science: how to recruit quality team members in an age typically described as a skills gap; how to manage that team to provide optimum performance; and how to maintain the team at that optimum performance.

“The skills gap is real,” he says, “but I think it is mischaracterized both in number and effect. The cybersecurity profession is growing faster than most others. So, in this sense there is an ever-increasing demand. Education is responding with more training in security fundamentals, so there are more people looking for work in cybersecurity.”

The problem is that the demand is not for people straight out of college with a piece of paper but no experience; it is for people with experience combined with emotional and business intelligence. The skills gap is at the senior level rather than the graduate level.

Part of this is the continuing tendency for companies to ramp up security only after an attack. As a result, the security team suddenly leaps from two to a dozen in rapid time – and at such times, the employer wants seasoned professionals rather than newbie grads.

This creates a double problem for CISOs. Firstly, although there are more people looking for positions, the positions available are not looking for those people – those positions are more attractive to the people you already have. This is the second problem: managing and maintaining the existing team. “You have to hang on to your team members because they could go – they could leave and get another job tomorrow.”

So, finding a good team is hard, but keeping it is just as hard. McKerchar’s approach is to encourage his team members to be the best version of themselves possible. “You hire smart people to tell you what to do. The role of the leader is to get the obstacles out of their way so they can do just that.”

This doesn’t mean absolute carte blanche for the team. The leader must keep a light touch on the tiller to keep the team and its direction in line with the company’s business objectives. But the aim is to manage a happy and fulfilled team, because happy people stay when unhappy people leave.

However, the one constant in cybersecurity is change. There’s this new thing called AI. One of the most often touted effects of AI is an increase in the automation of expertise, a corresponding reduction in the need for human experts – and, by extension, a narrowing of the skills gap. McKerchar is reserving judgment.

“I spend a lot of time talking to my CISO peers,” he explains, “and I have to say the current narrative we’re hearing from the media and business leaders is very different from the one I’m hearing from peers.” He suggests that whatever reduction in hiring we’ve seen so far has been from firms taking a gamble – betting that in a year’s time they won’t need the hire, so they’re not doing it now. He also suspects that some firms are now reversing that bet.

“It’s been an interesting time. The LLMs are trained on public data, and it’s a challenge to get them to work well within an organization where organizational rather than public context is everything in triaging alerts. My human ops analysts really understand the business, and where to go and who to speak to – they almost have a sixth sense over whether an alert is more or less serious than is obvious. AI will get there, but it’s not there yet.”

It’s tempting to describe current AI as high in knowledge but low in understanding. Nevertheless, adversarial use of AI is something that all defenders are watching closely. Cybersecurity is, by its nature, largely reactive. It is the attacker that is proactive, always looking for and developing new ways to attack; and the defender that must react with new ways to defend against new and previously unknown attack methodologies. AI is still a developing technology, and nobody yet knows its future capabilities.

“That’s the million dollar question,” says McKerchar. “Where’s it going to land?” He gives two suggestions.

The first is the current primary adversarial use of AI: developing more advanced lures for phishing. “There is some evidence of it being used to automate attacks at scale, but the quality of the phishing isn’t yet at the level of a sophisticated attacker. It’s just the volume that has been significantly increased.”

He is more concerned with AI’s ability to find new vulnerabilities, an ability attackers are bound to use. Finding zero days is expensive, so when they are found by attackers, they tend to be used somewhat sparingly against high value targets with supply chain potential. But if the cost of a zero day is reduced and there are more of them, they will be used against smaller firms with weaker defenses. Smaller firms with proprietary software are not typical targets for zero days; but as the cost of zero days comes down, their attractiveness will go up.

Mental health

This doesn’t change the reactive nature of cyber defense – the difficulty is that it will increase the pressure on defenders through increased volume and sophistication of attacks. And this adds to the work of the CISO. Both the CISO and the security team will need to cope with increasing pressure. This isn’t new, but it’s getting worse. And sustained pressure is a primary cause of the mental health issue known as burnout.

“Burnout is a real thing in cybersecurity,” comments McKerchar. It is complete mental exhaustion and withdrawal from work, and is described by the World Health Organization as ‘a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.’ Cybermindz uses a technique known as I-Rest to treat burnout, which affects both CISOs and the entire security team. I-Rest is also used by the military to treat PTSD, so it is tempting to consider burnout as a form of slow burn PTSD caused by long term unmitigated stress. But as with all illnesses, prevention is better than cure.

“Take my own situation,” continues McKerchar. “I’ve been continuously on call for 18 years.” He applies the same formula to the entire cybersecurity workforce, from the day each employee starts employment until now, and still ongoing. “The worst thing about cybersecurity is there’s nearly always something brewing that makes you uneasy – and it always seems to get worse on a Friday.”

Being on call in cybersecurity is 24/7, including every Saturday and Sunday. “Even when not in the office, there’s this constant unease that something could blow up at any time.”

Preventing burnout requires reducing base stress levels and ensuring periods of zero stress. “You can’t expect people to put in a sprint when they’re running a constant marathon. So, I try to reduce the workload and increase the fun element. It’s not simply a case of insisting on decent work hours but also allowing people to work on the projects they want to work on – so the fun stuff as well as the critical projects.”

Even without burnout, people’s effective IQ drops through simple tiredness. “The last thing you need is a team that is sitting there and operating at 60% of their intellect when they’re trying to do the most important work of their careers. So, when we have a big incident, it is important that we define shift rotations and handovers and prevent people from overworking. There’s always some who just want to work – they want to keep going. But identifying them and making sure they don’t feel all the weight is solely on their shoulders, and insisting they understand that they must work in a sustainable fashion because we need them sharp – that’s very important for me.”

Managing stress levels, raising spirits, and avoiding constant tiredness is McKerchar’s way to prevent burnout.

Hacking back

A separate recurring theme in cybersecurity is whether cyber defenders should have the same right of retaliation as kinetic defenders. Few neutral observers question the right of Ukraine to retaliate in kind following the Russian invasion of 2022. Should cyber defenders have the same right f