
Sophos acquires Arco Cyber to assist CISO-less organizations


Sophos has acquired Arco Cyber. The addition of the British security company is intended to bring AI-powered governance capabilities to organizations lacking security leadership. The deal should help MSPs and MSSPs deliver “CISO-level guidance” at scale. This could be a boon to many: Sophos highlights that fewer than 32,000 of the world’s 359 million organizations have a Chief Information Security Officer.

Sophos characterizes the acquisition as part of its “Sophos CISO Advantage” strategy. This initiative combines agentic AI, integrated platforms, and human expertise delivered through managed service providers to democratize security governance. In essence, everything a CISO is tasked with organizing inside these select 32,000 companies can be brought over to those lacking such an executive.

Arco Cyber’s platform validates whether security controls actually work, maps them to risk and compliance frameworks, and generates executive-ready reports. “What’s missing for most organizations is the ability to govern those tools, understand whether controls are actually working, and make informed decisions about risk,” Sophos CEO Joe Levy says.

Closing the leadership gap

This isn’t just a case of organizations choosing to do without CISOs. The CISO shortage remains acute in 2026, driven by burnout and overwhelming responsibilities. With endless unfilled positions in cybersecurity as a whole, organizations struggle to staff security leadership roles while demands for boardroom-level risk management intensify. Just as roles for day-to-day operations remain unfilled, so do positions to lead them.

Sophos positions its CISO Advantage as a solution for both scenarios. Organizations with security leaders gain more efficient risk management tools, while those without receive practical guidance that partly fills the gap where a security-focused executive would have acted. The approach relies heavily on MSPs and MSSPs to translate insight into action and deliver “CISO-level leadership as a service.”

“Most organizations rely on trusted partners to translate insight into action, provide context, and guide day-to-day decision-making,” Levy explained. The platform equips partners with AI-driven governance, continuous assurance, and clear risk insight, allowing them to elevate their role from technology operators to strategic security advisors.

From activity to proof

“Arco was founded to help organizations move from assumption to proof in cybersecurity,” said Matt Helling, CEO and co-founder of Arco Cyber. “By joining Sophos, we can reach far more customers who are struggling to demonstrate control effectiveness, prioritize risk, and justify security decisions.”

Arco will integrate into Sophos Central, the platform that already delivers MDR, advisory services, and partner-delivered capabilities. The combined offering aims to connect operations, assurance, and risk-based outcomes in a way that aligns with how organizations actually function.

For MSPs and MSSPs, this means new tools to help clients navigate operational resilience at scale rather than just perimeter defense. Organizations with or without dedicated CISOs can now access governance capabilities designed to turn security into a “managed, defensible business discipline,” according to Helling.
