‘This is a really strong statement for us,’ says Rob Harrison, senior vice president of product management at Sophos. ‘It doubles down on our vision for the industry: moving from just tools and alerts to helping customers truly understand risk, measure ROI and run security as a disciplined business program. That’s what we want to achieve.’
Sophos has acquired U.K.-based Arco Cyber to expand beyond traditional threat detection and response and into cybersecurity governance, risk and compliance.
The deal marks a strategic push to help organizations measure whether their security investments are reducing risk, according to Rob Harrison, senior vice president of product management at Sophos.
“If you think about cybersecurity, there’s loads of tools and technology,” Harrison told CRN in an interview. “Organizations are investing more and more money. But the big question is: How do those investments align to your strategy? How do you know you’re actually getting a return on that investment in a transparent, repeatable way? And how do you know the controls are configured properly and actually protecting you?”
Terms of the deal were not closed. About eight employees, including the founders, are coming over in the deal.
[Related: Sophos Exec: Cybersecurity Increasingly Complex As Criminals Become Organized, Sophisticated]
With Sophos’ CISO Advantage strategy paired with Arco’s advanced capabilities, the U.K.-based cybersecurity vendor is “doubling down, but from a risk and controls perspective,” Harrison said.
The vision, he added, is to transform Sophos Central from a place partners log into for alerts or endpoint hygiene into a platform that becomes the single source of truth for their entire security program.
“Imagine logging into Sophos Central and not just seeing detections,” Harrison said. “You’re seeing your full security program. You can report to your board on your risk profile. You understand whether your investments are delivering the ROI you expected. If they’re not, you can see why. And if they are, you know what to invest in next based on your industry or risk profile.”
That shift moves Sophos beyond traditional security tooling and into governance, risk and compliance territory, he said.
“I don’t see many vendors in our position, with 600,000 customers, also helping solve compliance and enabling MSPs to have risk-based discussions with their customers,” Harrison said. “We’re almost creating our own category, bringing together threat intelligence, operational security knowledge and layering a broader risk program on top.”
AI will also play a role in that evolution. Sophos already uses AI to drive efficiencies in its MDR operations, including AI assistants that translate complex investigations into plain language.
Harrison believes similar use cases in compliance and risk management will emerge.
“Imagine asking the platform, ‘SOC 2 is relevant to my business, how compliant am I, and what do I need to do next?’” he said. “AI can automate parts of that, surface the right data and guide next steps. It’s an efficiency accelerator and an outcome accelerator.”
Paul Reilly, head of cyber resilience and consulting at U.K.-based Saepio, said the acquisition reflects how organizations address cyber risk alongside technical security controls.
“The acquisition … represents a meaningful evolution in how Arco has been highly regarded for its analytical and insightful reporting capabilities, and integrating that expertise into Sophos’s broader security portfolio strengthens the end-to-end value proposition,” he told CRN in an email. “From a partner perspective, we are looking forward to deeper platform integration and the ability to deliver a more joined-up security strategy for our clients. … This will combine detection, response and risk management into a single, coherent cyber resilience offering.”
Sophos is planning a phased rollout of Arco’s technology with an initial launch in the U.K. market, where Arco has the deepest regulatory framework coverage. Within one quarter, the vendor will expand into North America and Europe, working with select MSPs in early access programs before moving to a global rollout within 12 months.
“This is a really strong statement for us,” Harrison said. “It doubles down on our vision for the industry: moving from just tools and alerts to helping customers truly understand risk, measure ROI and run security as a disciplined business program. That’s what we want to achieve.”
