Every organization—regardless of size or industry—is facing essentially the same threat landscape. The attackers don’t care if you’re a Fortune 500 company or a 200-person manufacturer. But out of roughly 359 million organizations worldwide, fewer than 32,000 have a chief information security officer. Most companies simply don’t have the skills, tools, or resources to effectively defend themselves against the threats they’re up against.
Sophos announced today that it has acquired UK-based Arco Cyber, a cybersecurity assurance company focused on helping organizations validate their security controls and stay ahead of compliance requirements. The deal is central to what Sophos is calling “Sophos CISO Advantage”—an effort to deliver strategic security leadership to organizations that don’t have access to it, and to streamline it for those that do.
I spoke with Rob Harrison, senior vice president of Product Management at Sophos, about the acquisition and where it fits in the company’s broader evolution. Harrison oversees MDR, advisory services, and emerging tech, which puts him at the center of the strategy behind moves like this.
The Next Step After MDR
If you’ve followed Sophos over the past several years, you’ve watched the company evolve from an endpoint security vendor into a security operations platform. The shift to MDR was a recognition that most organizations didn’t have the resources or skills to run security operations on their own. That category has matured, and by most accounts, it has improved outcomes for a lot of companies.
But even with 24/7 detection and response in place, most organizations still can’t answer the upstream questions. Which security controls do I actually need? Are the ones I have working? What compliance frameworks apply to me? How do I prove that my security investments are delivering results?
Those aren’t detection and response questions. Those are governance and strategy questions. And that’s the gap Sophos says it’s trying to close.
Harrison framed it as a natural progression. Sophos went from endpoint to MDR, integrating with third-party tools to help organizations get value from what they already had. Now the question is how to address those pain points from a more strategic perspective. As he put it, “How do we productize and solve… basically helping customers with, ‘Which security controls do I need?’ And really importantly, ‘Are they working?’”
What Arco Brings to the Table
Arco Cyber was built around the idea of moving organizations from assumption to proof in cybersecurity. According to the company, its platform continuously validates whether security controls are effective, maps those controls to risk and compliance frameworks like NIST CSF and NIS2, and presents the results in a way that executives and board members can actually understand.
Matt Helling, CEO and co-founder of Arco Cyber, explained the rationale for joining Sophos: “By joining Sophos, we can deliver against that mission and reach far more customers who are struggling to demonstrate control effectiveness, prioritize risk, and justify security decisions.”
Sophos cites data from Arco Cyber to underscore the need: 90% of breaches stem from gaps in existing defenses, and 40% of cyber insurance claims are denied due to non-compliance with policy requirements. If those numbers hold up, it suggests organizations aren’t just failing to prevent attacks—they’re failing to prove they tried.
Phil Harris, research director for Governance, Risk and Compliance Solutions at IDC, described the combination as “a new category of platform-led cybersecurity that connects operations, assurance, and risk-based outcomes.”
AI Where It Actually Matters
It’s 2026, so I felt obligated to ask Harrison about the agentic AI angle. He told me that Sophos has made a deliberate decision not to require AI as part of the core platform just for the sake of AI. The AI use cases are being layered in where they add genuine value, not bolted on for the sake of a press release.
That’s the kind of thing I keep pushing vendors on. There’s a lot AI can do, and probably a lot it should do, but we need to separate that from the hype. Some of the over-promising is giving AI a bad name, and then you get people who dismiss the whole thing because a few claims didn’t hold up.
Harrison’s description of the approach Sophos is taking is more practical: use AI to help MSPs and customers have smarter conversations about risk, compliance, and ROI. According to Harrison, the vision is that users could log in and ask something like, “I need to be SOC 2 compliant—where do I stand?” and get a clear answer with next steps. Or find out a peer in their industry was breached and immediately assess how their own risk profile compares. If Sophos can deliver on that, it would be genuinely useful.
The Case for Outsourcing Security
This is a drum I’ve been beating since my days working with Alert Logic. Organizations are weirdly protective about doing security in-house. Most companies hire someone to handle janitorial services. They outsource landscaping. They work with outside medical providers. Nobody builds an in-house hospital. But when it comes to security, there’s this instinct to say, “No, we need to do this ourselves because it’s our data and our network.”
That logic is backward. It’s like saying, “I’m feeling symptoms, but this is my body, so I’m going to handle it myself instead of seeing a doctor.” The fact that it’s important and sensitive is exactly why you should trust professionals who do it for a living.
Harrison made a point that resonated: “I don’t think they should even think about it. A business of that size must have a mission. And the mission is very unlikely to be a security mission. It could be financial services, healthcare… anything. Security is critical for them staying safe and operating, but it’s not critical as their mission of why they exist.”
That thinking is at the heart of why Sophos designed CISO Advantage to work primarily through MSPs and MSSPs. The idea is to give those partners the tools to move beyond just managing alerts and incidents and start having more strategic conversations with their customers about governance, compliance, and risk. Whether partners embrace that expanded role remains an open question, but the logic behind it makes sense.
What Comes Next
Harrison said the product will roll out in the second half of 2026, with an early access program and phased regional rollout. Sophos plans to establish a CISO advisory board to get feedback from practitioners, and they’re investing in micro-training through Sophos Academy so partners can get up to speed without a heavy lift.
He was also candid that they may not get everything right on the first pass—especially around something as subjective as codifying “CISO-level” decision-making. But the intent is to establish consistent language, consistent reporting, and consistent measures across the fragmented pieces of a security program. That’s a worthwhile goal, even if the execution takes some iteration.
The problem Sophos is going after here is real. Most organizations can’t articulate their risk posture, can’t prove their controls work, and can’t translate security activity into business terms. Combining AI-driven assurance with human expertise and delivering it through trusted partners is a practical approach.