Wednesday, May 13, 2026

Only 5% of firms fully trust cybersecurity vendors — study

A global study backed by Sophos found that only 5% of organizations have full confidence in their cybersecurity providers, highlighting a growing trust gap that is shaping risk decisions at both operational and board levels.

The report, based on responses from 5,000 organizations across 17 countries, shows that skepticism toward security vendors is widespread.

About 95% of respondents said they do not fully trust their cybersecurity partners, while 79% said they struggle to assess the trustworthiness of new vendors. Even existing providers are not exempt, with 62% saying evaluating them remains difficult.

More than half, or 51%, also reported increased anxiety about the likelihood of a major cyber incident due to this lack of trust.

The findings point to a deeper issue beyond technology performance, as organizations increasingly factor transparency and accountability into cybersecurity decisions.

“Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” said Ross McKerchar, chief information security officer at Sophos.

“When organizations can’t independently verify a vendor’s security maturity, transparency, and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”

The study found that organizations are looking for verifiable proof — such as independent assessments, certifications, and demonstrated operational maturity — when choosing vendors. CISOs tend to prioritize transparency during incidents and consistent technical performance, while boards place more weight on certifications and third-party validation.

“Organizations want transparency backed by evidence, not blanket assurances,” the report noted.

Analyst firm IDC echoed the shift, noting that trust is increasingly tied to compliance requirements as regulations tighten and artificial intelligence becomes more embedded in security systems.

“With regulatory pressure increasing globally, organizations must be able to demonstrate due diligence in vendor selection — especially where AI is involved,” said Phil Harris, research director for governance, risk, and compliance solutions at IDC.

“Trust is shifting from a marketing message to a defensible compliance requirement.”

The report added that as AI becomes more widely used in cybersecurity tools and workflows, companies are now evaluating not just effectiveness, but also whether such technologies are deployed responsibly and transparently.

“CISOs are being asked to prove trust, not assume it,” McKerchar said. “Cybersecurity providers must do the same. Respondents to the survey cited a lack of accessible, sufficiently detailed information as the primary barrier to making confident trust assessments. Trust must be earned continuously through transparency, accountability, and independent validation.”
