This artifact examines structural pressure created by a significant vendor action.

In partnership with:

Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform

CybersecurityHQ operates as an External Cybersecurity Judgment of Record.
Vendor Pressure artifacts examine structural control shifts and decision exposure created by major vendor moves. These analyses inform, but do not themselves constitute, published judgments.

On February 10, 2026, Sophos announced the acquisition of UK-based Arco Cyber, a cybersecurity assurance company, for an undisclosed price. Arco Cyber built a cloud platform that correlates data across security systems to validate whether controls are functioning, maps controls to risk and compliance frameworks, and generates executive-ready reporting. Arco will integrate into Sophos Central and operate as a dedicated team within a new initiative Sophos calls "CISO Advantage."

Sophos CEO Joe Levy framed the acquisition around a market gap: fewer than 32,000 of an estimated 359 million organizations worldwide have a dedicated CISO. CISO Advantage combines agentic AI, integrated platforms, and human expertise delivered through MSPs and MSSPs to provide CISO-level governance to organizations that lack one.

IDC's Phil Harris described the combination as "a new category of platform-led cybersecurity that connects operations, assurance, and risk-based outcomes."

1. Vendor Move

A detection and response vendor acquired a governance assurance company and declared its intent to replace the CISO function itself with a vendored service layer delivered through channel partners. The product is not a tool. The product is judgment.

2. Strategic Bet Being Placed

The bet: security governance can be industrialized and delivered as a managed service without a human executive accountable for the output.

Sophos is wagering that organizations without a CISO will accept automated control validation, compliance mapping, and risk reporting produced by the same vendor ecosystem that sells them the controls being validated. The assumption: the market that cannot afford a CISO will pay for a software-mediated substitute, and regulators, insurers, and boards will treat that substitute as equivalent to human executive judgment for accountability purposes.

The actual exposure surface is narrower than the 359 million figure suggests. The pressure concentrates in organizations between $10M-$500M revenue: large enough to face regulatory and insurance scrutiny, too small to employ a dedicated CISO. Within that band, NIS2-scope entities (estimated 160,000+ across EU member states), SEC-reporting companies subject to Item 106 cybersecurity disclosure rules, and cyber insurance policyholders with governance conditions at renewal represent the organizations where vendored governance will be tested against accountability requirements. This is Sophos's actual target band and the band where the accountability gap concentrates.

The secondary assumption: MSPs and MSSPs can transition from technical operators to strategic governance advisors using vendored tooling. Sophos is positioning its channel partners as the delivery layer for CISO-grade risk decisions. The partners do not employ CISOs. The platform replaces the function the CISO would perform.

3. Who Loses Structural Position

Every organization that adopts CISO Advantage and later faces a regulatory inquiry, breach investigation, or insurance claim where the question becomes: who made the governance decision?

The CISO function exists because someone must be accountable for risk acceptance, control prioritization, and residual exposure. That accountability is personal. It attaches to a named individual who can be deposed, questioned, and held responsible. When governance becomes a vendored service, the accountability boundary dissolves. The MSP delivered the platform output. Sophos produced the validation logic. Arco built the control mapping. The customer consumed the report. No single actor owns the judgment.

Virtual CISO (vCISO) providers face competitive pressure, but the structural difference is not liability assumption. Most vCISO contracts explicitly disclaim liability, operate advisory-only, and are indemnified. The accountability gap already exists in vCISO engagements. The difference is contestability. A vCISO produces a judgment that can be questioned, challenged, overridden, and attributed. The judgment has a provenance chain: this named person reviewed these inputs and reached this conclusion. That chain is discoverable, deposable, and auditable. Platform governance produces an output with no contestability surface. It cannot be cross-examined. It cannot explain why it weighted one risk over another. It cannot testify to what it considered and rejected. The vCISO gap is contractual. The platform gap is epistemic.

| Model             | Named Human       | Economic Independence  | Contestability             | Litigation Surface     |
|-------------------|-------------------|------------------------|----------------------------|------------------------|
| In-house CISO     | Yes               | High (employee)        | Full (deposable)           | Individual + org       |
| vCISO             | Yes (contractual) | Medium (advisory fee)  | Partial (contract-bound)   | Contract-limited       |
| External Audit    | No (firm-level)   | High (SOX-enforced)    | Institutional (workpapers) | Firm + org             |
| Vendored Platform | No                | Low (parent company)   | None (no reasoning chain)  | Diffuse / unresolvable |

The vendored platform is the only model where economic independence and contestability are simultaneously absent.

GRC vendors (ServiceNow, Archer, OneTrust) face category confusion. If Sophos bundles governance assurance into its detection platform at no incremental cost, standalone GRC becomes harder to justify as a separable budget line.
