
The Cyber Interview: Chester Wisniewski, Sophos



CISOs today are facing a storm and frontier AI is to blame.
With novel models sniffing out more bugs in our critical software than ever before, security patches are piling up and if the mood of the industry can be summarised in a single word, it would be “stressed”.
Not Chester Wisniewski. The Global Field CISO at Sophos is excited to steer his ship through the sea of possibilities that AI has to offer.
“Well trained, it is an incredibly efficient way of looking for malicious things,” Chet says.
The greatest benefit to security practitioners from the technology, Chet notes, is when it is paired with humans who are combing through massive datasets.
In Chet’s words: “Humans are terrible at dealing with terabytes of information and trying to figure out which interesting thing to make decisions about.”
The solution here is an intelligent division of labour, with AI doing the grunt work to get precise answers to the security questions of human analysts, who are digging through a vast variety of information sources to help the human brain make smarter decisions.
“The last time I checked there were four million malicious files a day coming into our labs for analysis,” Chet recalls.
“Obviously humans can’t look at four million files, but 20 of them are probably really interesting – they could be a nation state attack from an adversary or they could be a new strain of ransomware.
“What we as humans really struggle with is finding that needle in a haystack.”
The malicious files in their millions are just the tip of the iceberg; another major hurdle in security is staffing. The industry is generally short-staffed and, with the mounting volumes, AI is a real lifesaver.
One thing that everybody is unsure about, however, is hallucinations. But Chet is unfazed: he says that as long as AI helps to get the numbers down from a billion to a hundred, and of these, if 80 are interesting, that’s a big win in his books.
The criminal surveillance machine
When you mess up in the age of AI, there is little that can help.
“Everything is being scanned constantly and even a minor slip up will be exploited by someone,” the CISO says, describing the thorny reality developers face.
“If you accidentally publish your API key on your GitHub repo, when playing on a weekend project writing some code, something will discover that in five seconds. That key is burnt, it’s gone.
“Everything that isn’t nailed to the floor is being stolen instantly on the internet.”
Chet describes AI as smart automation and it is unfortunately being deployed by cybercriminals to “scan everything, all the time”.
He recalls an instance when a key published in GitHub was stolen in three seconds!
“I don’t think people realise that everything is under surveillance on the internet,” Chet says, putting today’s harsh reality into words.
These stolen credentials and stolen API keys are leading causes of data breaches as criminals are “not hacking into things, they are logging into them”.
The exploding threat of machine identities
Data from the Sophos State of Identity Report highlights the growing problem of non-human identities (NHI), which Chet predicts will be the biggest security challenge in the next couple of years.
Enter agentic AI. Chet says that “some of our customers who use our identity threat detection service have ratios like a 100 machine identities for every one human identity.”
This means NHI growth has been massive and machine identities now greatly outnumber humans in the ecosystem, thereby opening the door to a range of new threats.
Chet recalls the biggest cybercriminal hits of 2025 and early 2026, many of which he says were the result of NHI-based attacks – specifically, Salesforce tokens stolen by organised cybercriminal gangs like Scattered Spider and Shiny Hunters.
- 100:1 - the ratio of non-human to human identities in certain environments
- 67% of ransomware incidents were linked to identity compromise or identity-based attacks
- 3 seconds - Chet says there was an instance when a key published in GitHub was stolen in 3 seconds!
- 4 million - the number of malicious files coming into the Sophos lab per day
So what’s the solution? According to Chet, the saving grace is automating the key rotation and doing it every five minutes while monitoring for anomalous behaviour.
When asked about the link between ransomware deployment and identity threat, Chet says that criminals are simply doing “the easiest possible thing to break in”, which is usually exploiting identity. However, this equation changes if there is a large-scale exploit, in which case criminals are known to switch tack.
Sophos data shows that 67% of ransomware incidents were linked to identity compromise or identity-based attacks, while about 16% of initial access methods involved vulnerability exploitation.
“Criminals are lazy, and if you have money they will come for you,” Chet says. “The easiest way to get in is the thing that they are going to do.”
Does Mythos prove Linus’ Law?
Unlike many in the industry, Chet doesn’t seem all that impressed with Anthropic’s world-class model.
His initial reaction to hearing the news of Mythos and its prowess can be summed up in two words – “So what?”
While he notes that his stance on the topic has since evolved, Chet says: “It’s not doing anything that humans weren’t doing before, it’s just doing it faster and more thoroughly.”
Referring to Linus’ Law – named in honour of the founder of the Linux OS – he states that “given enough eyeballs, all bugs are shallow”.
The argument here is that open source projects should be more secure than proprietary systems, simply by virtue of the number of expert eyes looking at them.
Chet notes that this was never true, because there weren’t enough eyes and those that were present were not all that effective at looking.
But what Mythos is doing today, in Chet’s eyes, is making Linus’ Law from 30-odd years ago actually come true.
“Humans can only look at a hundred thousand permutations of memory misuse before they get bored,” he says.
“The machine doesn’t get bored. Mythos doesn’t get bored. It will keep looking to make sure there aren’t any vulnerabilities and I’m kind of excited about that.”
The tech debts we owe
According to Chet, what Mythos is finding are “tech debts”, which he describes as “those little mistakes we made along the way that nobody could be bothered to go back and find or fix”.
With Mythos in the loop, these debts are being paid back as infrastructure is being broken and rebuilt, more hardened than ever, making it even more difficult to exploit.
In the short term, however, things are less than ideal.
“It’s going to be painful for a while,” he exclaims, weighing the huge amount of effort it takes for humans who have to fix and validate these flaws.
IT teams are already behind on patching as is, and with new patches rolling in faster, the situation puts a lot of stress on engineering teams.
These frontier models may also make the internet a more dangerous place, leading to internet-facing devices becoming more vulnerable.
“As an industry we need to evolve in quite a few different ways to make this less painful,” Chet says.
An example of this evolution would be to make internet-facing equipment self patching, so humans need not worry about disruptions or piling loads of patches.
Ultimate defender advantage
AI and agents bring a great capability to the defender table.
“It’s going to help us make smart decisions faster,” the CISO says.
The world of security has forever been a cat-and-mouse game, with defenders reluctantly staying on the back foot while attackers invent novel malware and exploits.
The asymmetry has been severe. With AI, however, those tables have perfectly turned. Chet believes that “this is the first time defenders have an advantage”.
“We are ahead of the game on the defence side,” he says. “There is very little evidence of criminal adoption at scale outside of attacking humans.”
Chet is referring here to deepfakes, grammatically correct phishing emails and similar threats.
“What they don’t have is all the GPUs to train their own models,” he says.
“They don’t have access to data. We’ve got smart scientists, people building cool tools and we’ve got money to pay for Mythos.”
A much overdue advantage for sure.
Looking ahead, Chet is very optimistic and excited about the possibilities, noting that: “As fast as this is moving, there are a lot of opportunities for human creativity to find solutions to problems.”
In a landscape historically defined by defensive fatigue, this shift marks a turning point. AI may be the engine driving this new era but human creativity remains the compass. The asymmetry of cyber warfare has finally shifted, and the defenders are ready.
Chester Wisniewski
Chester Wisniewski is Director, Global Field CISO at security leader Sophos. With more than 30 years of security experience, his interest in security and privacy was first piqued while learning to hack from bulletin board text files in the 1980s, and has since been a lifelong pursuit.
Chester works with Sophos X-Ops researchers around the world to understand the latest trends, research and criminal behaviors. This perspective helps advance the industry's understanding of evolving threats, attacker behaviors and effective security defenses. Having worked in product management and sales engineering roles earlier in his career, this knowledge enables him to help organizations design enterprise-scale defense strategies and consult on security planning with some of the largest global brands.
Based in Vancouver, Chester regularly speaks at industry events, including RSA Conference, Virus Bulletin, Security BSides (Vancouver, London, Wales, Perth, Austin, Detroit, Los Angeles, Boston, and Calgary) and others. He’s widely recognized as one of the industry’s top security researchers and is regularly consulted by press, appearing on BBC News, ABC, NBC, Bloomberg, Washington Post, CBC, NPR, and more.
When not busy fighting cybercrime, Chester spends his free time cooking, cycling, and mentoring new entrants to the security field through his volunteer work with InfoSec BC. Chester is also available on Mastodon (@[email protected]).




