Report: 95% of Organisations do not Have Full Trust in Cybersecurity Vendors

The report examines one of cybersecurity’s most urgent and overlooked necessities: trust.

Sophos, a global security solutions firm, have published their findings from a vendor-agnostic study, based on responses from 5,000 organisations across 17 countries.

The Cybersecurity Trust Reality 2026 report reveals a critical challenge facing CISOs: Trust in cybersecurity vendors is fragile, difficult to measure, and increasingly shaping risk posture at both operational and board levels.

At a time of relentless cyber threats, heightened regulatory scrutiny, and accelerating AI adoption, trust has become a defining factor in cybersecurity decision-making.

However, the research reveals that nearly all organisations report lacking full confidence in their cybersecurity vendors, and many struggle to assess vendor trustworthiness in the first place. The report revealed that 95% of respondents do not have full trust in their cybersecurity vendors.

This is heightened by challenges to assess trustworthiness of new cybersecurity partners for 79% of respondents, with over six in ten (62%) even finding it challenging to assess their existing vendors.

More than half (51%) report increased anxiety about the likelihood of a significant cyber incident as a direct result of lack of trust.

These findings underscore a critical reality: cybersecurity effectiveness cannot be measured by technological performance alone. The confidence that organisations have in their partners to defend their business is also crucial.

For CISOs, trust gaps create operational friction, slower decision-making, and higher vendor turnover. In contrast, trusted cybersecurity partners reduce risk and build more resilient organisations.

“Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” said Ross McKerchar, CISO at Sophos.

“When organisations can’t independently verify a vendor’s security maturity, transparency, and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”

The survey identifies verifiable security artifacts, including independent assessments, certifications, and demonstrated operational maturity, as the single greatest driver of vendor trust. CISOs prioritise transparency during incidents and consistent technical performance, while boards and senior leadership place greater weight on independent validation, certifications, and analyst performance.

The report consistently emphasises that organisations want transparency backed by evidence, not blanket assurances.

“With regulatory pressure increasing globally, organisations must be able to demonstrate due diligence in vendor selection — especially where AI is involved,” said Phil Harris, Research Director, Governance, Risk and Compliance Solutions at IDC.

Recommended reading

• AI Ushering in A “Digital Divide” in Cybersecurity, NCSC Warns

• Cybersecurity Budget Growth Hits Five-Year Low, Hiring Slows

• New Report Reveals AI Trust Divide in Cybersecurity

• AI in Cybersecurity: A Risk or an Opportunity?

As AI becomes embedded in cybersecurity tools, services, and workflows, organisations are not only evaluating whether security solutions are effective, but whether AI is deployed responsibly, transparently, and with appropriate governance.

“CISOs are being asked to prove trust, not assume it,” added McKerchar.

“Cybersecurity providers must do the same. Respondents to the survey cited a lack of accessible, sufficiently detailed information as the primary barrier to making confident trust assessments. Trust must be earned continuously through transparency, accountability, and independent validation.”

The report concludes that these findings elevate trust from a brand attribute to a strategic imperative.