Sophos: Evaluating the Trust Vector in Cybersecurity Vendors

Ross McKerchar, CISO at Sophos
New research from Sophos reveals the fragility of trust in cybersecurity vendors, as AI adoption and associated cyber threats soar

According to a major new study from Sophos, confidence in cybersecurity partners is wearing thin and the implications are rippling from IT teams right up to the boardroom. 

Based on insights from 5,000 organisations across 17 countries, Sophos' Cybersecurity Trust Reality 2026 report paints a stark picture of an industry grappling with a problem that is both intangible and critical: trust.

At a time when cyber threats are intensifying, regulations are tightening and AI is rapidly reshaping the security landscape, trust is no longer a soft metric.

Instead, it is emerging as a decisive factor in how organisations choose, evaluate and retain their cybersecurity providers.

Yet the findings suggest that this trust is fragile at best. 

An overwhelming 95% of respondents admitted they do not fully trust their cybersecurity vendors.


Even more striking is how difficult many organisations find it to evaluate trustworthiness in the first place, with 79% struggling to assess new partners and 62% facing similar challenges with existing ones.

A measurable risk, not just a perception

The research highlights a growing recognition that trust directly influences operational risk.

More than half of respondents (51%) reported increased anxiety about the likelihood of a major cyber incident specifically due to a lack of trust in their vendors.

This is not simply about perception. Trust gaps are creating tangible problems for Chief Information Security Officers, from slower decision-making to increased vendor churn. 

In effect, organisations are finding that even the most advanced technology cannot compensate for uncertainty about the people and processes behind it.

“Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” says Ross McKerchar, CISO at Sophos.

“When organisations can’t independently verify a vendor’s security maturity, transparency and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”

The message is clear: cybersecurity effectiveness is no longer judged solely by performance metrics or technical capability. Confidence in a provider’s integrity, transparency and accountability now plays an equally important role.

Evidence over assurances 

One of the report’s most significant insights is what actually builds trust.

Organisations are increasingly looking for verifiable proof rather than marketing claims. 

Independent assessments, certifications and demonstrated operational maturity were identified as the strongest drivers of confidence.

However, priorities differ depending on the role. CISOs tend to focus on transparency during incidents and consistent technical delivery, while boards and senior leaders place greater emphasis on external validation and analyst recognition.

Phil Harris, Research Director, Governance, Risk and Compliance Solutions at IDC

Despite these differences, there is a shared expectation running through all levels of an organisation: vendors must provide clear, evidence-based assurances rather than vague promises.

“With regulatory pressure increasing globally, organisations must be able to demonstrate due diligence in vendor selection – especially where AI is involved,” says Phil Harris, Research Director, Governance, Risk and Compliance Solutions at IDC. 

“Trust is shifting from a marketing message to a defensible compliance requirement.”

AI raises the stakes for transparency

The rise of artificial intelligence is adding a new layer of complexity to the trust equation.

As AI becomes embedded in cybersecurity tools and workflows, organisations are not just questioning whether solutions work, but how they work.

Concerns around responsible deployment, transparency and governance are becoming central to vendor evaluation. In this context, trust is evolving from a desirable attribute into a foundational requirement.


“CISOs are being asked to prove trust, not assume it,” adds Ross. 

“Cybersecurity providers must do the same. Respondents to the survey cited a lack of accessible, sufficiently detailed information as the primary barrier to making confident trust assessments. 

“Trust must be earned continuously through transparency, accountability and independent validation.”

For Sophos, the findings reinforce the need to embed trust into every layer of its offering. Initiatives such as its Trust Center are designed to give security leaders the clarity they need to make faster, more defensible decisions in an increasingly hostile digital environment.

Ultimately, the report signals a shift in how cybersecurity is evaluated. Trust is no longer an abstract ideal or a branding exercise.

It is a strategic necessity, one that could determine how well organisations withstand the growing tide of cyber risk.
