Sophos Exec: Cybersecurity Increasingly Complex As Criminals Become Organized, Sophisticated
‘We’re seeing a massive amount of burnout, cybersecurity burnout, in the MSP space, in the cybersecurity space, in general. The top cause of burnout? The constantly evolving threats. It is never-ending,’ says Scott Barlow, Sophos’ chief evangelist and global head of community.
A combination of international cybercrime organizations and cartels and burnout from a constantly changing security environment is making it increasingly difficult to keep up with the latest cybersecurity threats.
That’s the word from Scott Barlow, chief evangelist and global head of community at U.K.-based Sophos, who told an audience of MSP executives at this week’s XChange NexGen 2025 conference that security professionals can quickly fall behind when it comes to keeping up with the changing threat environment.
XChange is hosted by CRN parent company The Channel Company.
[Related: Sophos CEO On New Enterprise, SIEM Opportunities With Secureworks Acquisition]
Sophos has more than 600,000 customers and works exclusively via the channel, Barlow said.
“Our mission is to enable MSPs to deliver better cybersecurity outcomes,” he said. “You guys can put everything you can have in defense in depth, you can do all kinds of stuff, but at the end of the day, it’s about delivering a superior cybersecurity outcome while helping you accelerate your growth and accelerate your profitability.”
The challenge around cybersecurity is complex, Barlow said.
“It’s difficult, and it moves so fast that organizations, including a lot of MSPs that we work with, just can’t keep up effectively on your own.”
For instance, Barlow said, adversaries are more often logging into customers’ networks than breaking into them. About 56 percent of attacks seen by Sophos’ counterintelligence unit are a result of adversaries actually logging into networks, not breaking in, he said. About 32 percent of attacks come via exploited vulnerabilities, which means an MSP or a customer did not patch systems, while 23 percent were via compromised credentials, meaning the adversaries logged in because they found a username and a password on the dark web. Nineteen percent came via malicious emails, and business email compromise is still the number one threat factor, he said.
These attacks are coming at a difficult time for the security industry, Barlow said.
“We’re seeing a massive amount of burnout, cybersecurity burnout, in the MSP space, in the cybersecurity space, in general,” he said. “The top cause of burnout? The constantly evolving threats. It is never-ending. That’s where AI comes in to assist Sophos but also assist you in delivering those cybersecurity outcomes.”
Another issue is the volume of alerts, Barlow said.
“Everybody is sick of too many alerts,” he said. “It’s alert fatigue. We see it day in and day out. And then regulatory pressure changes, all of that stuff. And the consequence is basically vulnerability. You are going to be vulnerable because somebody’s burnt out there. They could even be sleeping at their PC at the end of the day.”
Security professionals are not fighting that proverbial lone wolf hacker in a hoodie in their mother’s basement, Barlow said. “We’re actually fighting something that’s a lot more complex,” he said.
Adding to the complexity is the growing impact of international criminal organizations, Barlow said, including:
- Maksim Yakubets, a Ukrainian-born Russian national who after the breakup of the Soviet Union saw opportunity out of the misery caused by skyrocketing inflation, evaporation of savings, and food shortages. Barlow said Yakubets became an entrepreneur who allegedly went on to found several criminal organizations including Evil Corp, which developed the Dridex malware and stole hundreds of millions of dollars from financial institutions around the world. Yakubets, who drives a custom Lamborghini with a license plate reading “Thief” in Russian, has the protection of Russia’s FSB or Federal Security Service, according to authorities.
- Ekaterina Zhdanova, a Russian socialite who made the cover of a Russian fashion magazine, is a crypto consultant and the head of the Smart Group, a payment organization that allegedly provides global banking services for Evil Corp and others in the underworld, including the Kinahan Mafia and the FSB’s spy network, Barlow said. Zhdanova is currently in prison in France on unrelated charges.
- LockBit’s ransomware-as-a-service has 194 affiliates.
- DragonForce is a cartel-style offering that provides ransomware-as-a-service hosting and self-branding to stay under the radar.
- Qilin is another sophisticated ransomware-as-a-service operation.
LockBit, DragonForce, and Qilin just this month formed a strategic alliance, Barlow said. “So we’re not fighting individuals anymore,” he said. “We are fighting that business model.”
Sophos has gone on the offensive against such organizations, Barlow said. The company five years ago encountered China-based threats, and used the UTM technology it got with its 2014 acquisition of Cyberoam to identify and block those threats, he said.
“But we didn’t immediately eliminate that threat,” he said. “We observed the threat. We watched it over the course of five years, and then we went on the offense. We were able to uncover the tactics and techniques and procedures that this Chinese nation state was using, and then we were able to produce a lot of information behind the scenes in order to make our products a lot more secure. You might have heard of Volt Typhoon, APT31, and APT41. Knowing the attackers’ playbook actually empowers us to provide more proactive services.”
This all ties into the NIST (National Institute of Standards and Technology) cyber resiliency framework, defined in NIST SP 800-160 Vol. 2, which has four goals, Barlow said: anticipate, withstand, recover, and adapt.
“Defeating these threats requires businesses to have defense in depth in order to contain and isolate and respond and recover and then adapt,” he said.
“What is the threat intelligence that’s out there?” he said. “Is [there] a modern cybersecurity operation center? And are you looking at risk management at each of the individual customers out there today? So what we’re focused on is MDR and XDR expansion, next-gen SIEM (security information and event management), agentic AI, human in the loop, and then the CISO (chief information security officer) advantage.”
Sophos has built defense in depth, Barlow said.
“We have the threat intelligence that feeds into a data lake,” he said. “We have threat prevention and controls. Then we have a variety of Sophos products and services, including endpoint, XDR, MDR, firewall, identity, email, network, cloud. We also have switches, wireless access points, etc., built on the XDR, MDR, SIEM, all those technologies with some services that you can actually take and sell to your end customer. And we just launched a variety of different adversary services like pen testing, security assessment, red team exercises, as well as incident response.”
MSPs who are currently using multiple different vendors for these different technologies can achieve significant savings by consolidating to one individual vendor, Barlow said.
“You also have the ability to integrate whatever products and services you’re using today into our data lake, so you don’t have to completely rip and replace all of the technologies that are out there today,” he said. “We can actually work with those technologies by taking the 350 integrations and integrating that into our data lake, normalizing it, and now offering a better picture of actually what’s happening within your customers’ environments.”
Josh Thomas, vice president of sales and marketing at Superior TurnKey Solutions Group, a Plano, Texas-based IT services provider, told CRN that his company doesn’t use Sophos, but has customers that like it.
“They seem to be a good company,” he said. “It’s just not part of our stack.”
Barlow did a good job of showing how cyberattacks have become organized as a business model, Thomas said.
“Yeah, I’m wrestling with how you put that all together,” he said. “I’m here to listen and learn.”