New Sophos Trust Center: Q&A with Ross McKerchar, Sophos CISO

Ross McKerchar, Sophos Vice President and Chief Information Security Officer (CISO), today announced the launch of the Sophos Trust Center. We caught up with Ross to learn about this new resource, and how it fits with Sophos’ broader vision for the cybersecurity industry.

Q. What is the goal of the Trust Center? Why did Sophos create it?

A. Our mission at Sophos is to protect people from cybercrime. Establishing trust in our people, technologies and threat intelligence is essential if we are to achieve this goal.

We created the Trust Center to make it easy for our customers, partners, and the wider security community to understand our approach to, and delivery of, cybersecurity, and to quickly access important resources. By sharing materials, from our incident response plan and responsible disclosure program to our policies and secure development lifecycle, people can make better-informed decisions about their security.

We believe that the recent US Executive Order on Improving the Nation’s Cybersecurity states the need for this perfectly: “Trust in digital infrastructure should be proportional to that infrastructure’s transparency and trustworthiness, and the consequences should that trust be misplaced.”

Q. Who do you envisage will use the Trust Center?

A. We had many different users in mind when we built the Trust Center. First and foremost were our customers and partners. We hope that the Trust Center will quickly become a go-to resource where they can get the information they need to meet their security and compliance goals, and help us to help them maintain the highest level of security.

For prospective customers who are considering Sophos, the Trust Center will enable them to gain a deep understanding of Sophos and how we align to their security, compliance, and policy, in partnership with their business requirements, standards, and goals.

It will also be a useful resource for our business partners, industry analysts, and the security research community. Basically, anyone who has an interest in establishing and maintaining strong trust-based relationships with the various kinds of relationships and interdependencies that exist in our ecosystem.

Q. Which Sophos experts contributed to the Trust Center?

A. The Trust Center project was a great example of cross-company collaboration. We brought together security and product experts from many different groups across Sophos, including product teams, data protection and privacy, risk management, architecture, application security, and security operations. While we all already deliver on our shared approach to security in our day-to-day activities, it was exciting to see so many different parts of the Sophos ecosystem coming together so effectively in the Trust Center.

Q. Do you have plans to develop the Trust Center further?

A. Absolutely! This is the first version of the Trust Center; we were keen to share it with customers, partners and the wider security community as soon as possible so everyone can start using it. We plan to expand the breadth of information available on product security and privacy, and dive deeper into how we build security into our product development process. Our next Trust Center project is software bill of materials (SBOM). If you have particular topics you would like us to include, please let us know using the comments section below.

Q. How does the Trust Center complement other freely available cybersecurity resources from Sophos?

A. The Trust Center is about transparency, openness, and providing a clear view into how we do security and privacy at Sophos. Similarly, Sophos is committed to sharing tools and information whenever they can benefit our customers and partners. This includes advisory material on industry-wide incidents (where applicable, modelled on our internal response) and tools that we develop internally that may also be of use to the community.

Q. More broadly, how does the Trust Center fit with Sophos’ vision for the cybersecurity industry?

A. We believe the cybersecurity industry should lead the way in openness. In fact, cybersecurity should be the most transparent industry given the critical role it plays in every organization and every household.

At Sophos we want to lead by example: not just talking about sharing and openness, but also delivering it day in, day out. We want to set the bar for transparency and demonstrate just what is possible in a competitive commercial environment. That means we want to share more and share first. For example, the incident response plan we’ve provided is the most detailed and transparent we have seen on a public site. The Trust Center is an important step on our journey and we invite other organizations to walk this path alongside us.

Q. And a final word?

A. I’d like to encourage everyone to bookmark and to share their thoughts and suggestions for future Trust Center topics in the comments below.