
The 350 Million Problem: Securing the Businesses No One Else Will

Joe Levy is the CEO of Sophos and a 30-year cybersecurity veteran who has held technical and executive roles across some of the industry’s most recognizable brands. In this episode, we dig into a stat that should reframe how the entire industry thinks about its mission: out of roughly 359 million businesses worldwide, fewer than 32,000 have a CISO. That’s less than one in 10,000 organizations with a security strategy leader, and it’s a number Joe worked with Cybersecurity Ventures to quantify for the first time.

We explore what that structural gap means for how vendors build products, why the cybersecurity market is a 40-year-old market failure where spending goes up every year but outcomes don’t improve, and how Sophos is betting that agentic AI can deliver CISO-level intuition to the hundreds of millions of organizations that could never conceive of hiring one. Joe breaks down where AI is genuinely delivering in security operations, and where the industry is overselling — drawing from Sophos’s experience running the world’s largest MDR service with 36,000 customers.

We also get into Sophos’s Pacific Rim disclosure, a five-year engagement with a Chinese nation-state actor targeting their firewalls that Joe calls the highest form of threat intelligence sharing. He walks through the calculus of going public with that story, including the kernel-level monitoring they deployed on a handful of devices to stay one step ahead of the attacker. Plus, we discuss the SecureWorks acquisition, the CTO-to-CEO transition, competing with hyperscalers like Microsoft, and what the next chapter looks like for a billion-dollar PE-backed security company approaching maturity with Thoma Bravo.


Thanks for reading the Resilient Cyber Newsletter! Subscribe for FREE and join 31,000+ readers to receive weekly updates with the latest news across AppSec, Leadership, AI, Supply Chain, and more for Cybersecurity.




Show Notes

  • The cybersecurity poverty line quantified: out of 359 million businesses worldwide, fewer than 32,000 have a CISO (less than one in 10,000). This leadership gap compounds with the skills shortage and with what Joe calls an “AI-enhanced market for lemons”, where the information asymmetry between buyers and vendors keeps getting worse.

  • The real problem isn’t missing technology; most organizations already have endpoints and firewalls. It’s misconfigurations, ignored alerts, undeployed agents, and no SOC to respond, which is why secure-by-default design and hybrid product-plus-service models like MDR produce more predictable outcomes than tools alone.

  • AI in the SOC is overhyped but not just hype: Sophos runs MDR for 36,000 customers and says the vast majority of Tier 1 work (triage, false-positive management) and Tier 2 work (investigation, response) can now be performed by agents. But the industry lacks a standard vocabulary for metrics like MTTR, which lets vendors be “intentionally opaque” about what “response” actually means.

  • Joe introduces the idea of “humans as the accountability API” in an agentic world: AI can approximate analyst intuition, but someone still has to be held accountable for remediation decisions, and a fully autonomous SOC may be nothing more than “a protection product with a very long data pipeline.”

  • The Pacific Rim story: Sophos spent five years engaged with a Chinese nation-state actor targeting its firewalls, deployed a kernel implant on fewer than a handful of attacker-controlled devices to observe exploit development in real time, and hid the targeted fixes among 150 other patches to avoid tipping off the adversary.

  • Sophos’s CISO Advantage program aims to deliver the intuitions of a skilled security leader to the hundreds of millions of organizations that could never hire one. Joe calls it fixing a 40-year-old market failure and says Sophos is shipping it this year.

  • The SecureWorks integration lesson: converging the technology and the services was the straightforward part. The hardest challenge was harmonizing two completely different go-to-market models (100% channel versus historically 100% direct) and different market segments (SMB versus enterprise), plus the internal workflows and operational mechanics that never show up in due diligence.

  • On competing with Microsoft: Joe argues that any zero-sum game with a hyperscaler is a losing strategy. Instead, Sophos builds its MDR on top of Microsoft’s stack using the Graph Security API, giving customers on lower-tier licenses the same security outcomes as E5/E7 subscribers, making the hyperscaler better rather than trying to replace it.
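The “intentionally opaque” MTTR point in the show notes is easy to see with numbers. The script below is an added illustration written for this newsletter page, not code from Sophos or from the episode; the incident records are constructed sample data, and the milestone names (acknowledged, contained, remediated, closed as false positive) are an assumed vocabulary, which is exactly what the industry lacks. It runs the same four incidents through four plausible readings of “response” and shows how far apart the resulting MTTR figures land.

```python
"""Added example: how the definition of "response" moves a vendor's MTTR.

Not Sophos code.  INCIDENTS is constructed sample data; the milestone names
are an assumed vocabulary for illustration.
"""
from datetime import datetime
from statistics import mean

# Constructed incidents (not real MDR data).  Each field is the time the
# incident reached that milestone; a missing key means it never got there
# (a false positive is acknowledged and closed, but never "contained").
INCIDENTS = [
    {"id": "INC-1", "detected": "2024-03-01T02:00:00",
     "acknowledged": "2024-03-01T02:05:00",    # Tier 1 picked it up
     "contained": "2024-03-01T02:40:00",       # host isolated
     "remediated": "2024-03-01T09:15:00"},     # root cause fixed, host rebuilt
    {"id": "INC-2", "detected": "2024-03-02T10:00:00",
     "acknowledged": "2024-03-02T10:20:00",
     "contained": "2024-03-02T11:00:00",
     "remediated": "2024-03-03T10:00:00"},     # a full day to remediate
    {"id": "INC-3", "detected": "2024-03-03T15:00:00",
     "acknowledged": "2024-03-03T15:02:00",
     "contained": "2024-03-03T15:23:00",
     "remediated": "2024-03-03T16:00:00"},
    # Tier 1 triaged this one as a false positive and closed it; no containment.
    {"id": "INC-4", "detected": "2024-03-04T18:00:00",
     "acknowledged": "2024-03-04T18:03:00",
     "closed_false_positive": "2024-03-04T18:10:00"},
]


def _minutes(incident, milestone):
    """Minutes from detection to the milestone, or None if it was never reached."""
    if milestone not in incident:
        return None
    t0 = datetime.fromisoformat(incident["detected"])
    t1 = datetime.fromisoformat(incident[milestone])
    return (t1 - t0).total_seconds() / 60


def mttr_minutes(incidents, milestone):
    """Mean detection-to-milestone time over the incidents that reached it.

    Incidents that never reached the milestone are silently excluded, which
    is itself a choice a vendor can make without telling you.
    """
    values = [m for m in (_minutes(i, milestone) for i in incidents) if m is not None]
    return mean(values) if values else None


def mttr_closed_any(incidents):
    """The most flattering reading: time to *any* closure, so a ten-minute
    false-positive dismissal counts as a 'response' next to a full rebuild."""
    values = []
    for incident in incidents:
        m = _minutes(incident, "remediated")
        if m is None:
            m = _minutes(incident, "closed_false_positive")
        if m is not None:
            values.append(m)
    return mean(values) if values else None


def mttr_by_definition(incidents):
    """Same data, four readings of what 'response' means in MTTR."""
    return {
        "acknowledged": mttr_minutes(incidents, "acknowledged"),
        "contained": mttr_minutes(incidents, "contained"),
        "remediated": mttr_minutes(incidents, "remediated"),
        "closed_any": mttr_closed_any(incidents),
    }


if __name__ == "__main__":
    for name, minutes in mttr_by_definition(INCIDENTS).items():
        print(f"MTTR ({name:>12}): {minutes:.1f} min")
```

On this sample the same four incidents yield an MTTR of 7.5 minutes if “response” means an analyst or agent acknowledged the alert, 41 minutes if it means containment, 645 minutes if it means the root cause was actually remediated, and 486 minutes if false-positive closures are allowed to count as responses. When reading a vendor’s MTTR claim, or an agentic SOC’s, the first question is which milestone the clock stops at and which incidents were excluded from the denominator.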
