95% of organizations don’t fully trust their cybersecurity vendors – here’s why

Organizations are struggling to assess vendor credibility as trust becomes a key factor in risk management.

An overwhelming majority of organizations lack full confidence in their cybersecurity vendors, research from Sophos has revealed, highlighting growing challenges around trust and transparency.

The firm’s vendor-agnostic Cybersecurity Trust Reality 2026 report, which is based on responses from 5,000 organizations across 17 countries, dives into how trust is influencing sector risk and decision-making.

The study found that 95% of participants do not have full trust in their cybersecurity providers, while 79% said they struggle to assess the trustworthiness of new partners.

Almost two-thirds (62%) said they find it challenging even to assess their existing vendors. Additionally, more than half (51%) reported increased anxiety around the likelihood of a significant cyber incident as a direct result of this trust gap.

According to Sophos, the findings reflect a broader shift in how organizations evaluate cybersecurity effectiveness – with trust now a key factor alongside technical performance.

“Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” explained Ross McKerchar, CISO at Sophos.

“When organizations can’t independently verify a vendor’s security maturity, transparency, and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”

Trust as a decision-making factor

Sophos’ report shows that organizations are increasingly looking for verifiable evidence when assessing cybersecurity vendors, rather than relying on marketing claims or blanket assurances.

The survey identified verifiable security artifacts as the most important driver of trust, including independent certifications, third-party assessments, and demonstrated operational maturity.

While CISOs prioritize transparency during incidents and consistent technical performance, senior leadership was found to place greater importance on independent validation, certifications, and analyst performance.

According to Phil Harris, IDC’s research director for governance, risk, and compliance solutions, the findings underline the growing pressure on businesses to validate vendor credibility as regulatory scrutiny and AI adoption continue to increase.

“With regulatory pressure increasing globally, organizations must be able to demonstrate due diligence in vendor selection – especially where AI is involved,” he commented. “Trust is shifting from a marketing message to a defensible compliance requirement.”

Transparency in the AI era

As AI continues to become more widely embedded in cybersecurity tools, services, and workflows, organizations are placing a greater focus on how vendors are deploying and governing these new technologies.

Sophos’ report found that a lack of accessible and sufficiently detailed information remains a critical barrier to making trust assessments, with survey respondents calling for greater transparency, accountability, and ongoing validation from providers.

“CISOs are being asked to prove trust, not assume it,” added McKerchar. “Cybersecurity providers must do the same.”

Daniel Todd
