Who Can You Trust?

Nearly all organizations report having only limited confidence in their cybersecurity suppliers, according to a new global study released by Sophos. The Cybersecurity Trust Reality 2026 report, based on responses from 5,000 organizations across 17 countries, is described as one of the largest independent examinations of trust in the cybersecurity sector. Conducted on a vendor-agnostic basis, the research highlights how fragile supplier confidence is influencing both day-to-day operations and board-level decisions at a time of rising cyber threats, stricter regulation, and the growing use of artificial intelligence.[1]

The study found that 95% of respondents said they do not have full trust in their cybersecurity vendors. A majority also reported difficulties in evaluating suppliers. Some 79% struggle to assess the trustworthiness of potential new partners, while 62% face similar challenges with existing vendors. In addition, 51% of respondents said the lack of trust had increased their concern about the possibility of a major cyber incident.

The report states that cybersecurity effectiveness depends not only on technical capabilities but also on the level of confidence organizations place in the companies that protect them. Gaps in trust are said to create operational delays, slower procurement processes and higher rates of vendor change. 

The Chief Information Security Officer at Sophos, Ross McKerchar, commented: “Trust is not an abstract concept in cybersecurity; it’s a measurable risk factor. When organizations can’t independently verify a vendor’s security maturity, transparency, and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”  According to the research, the most important factor in building trust is the availability of verifiable security information, such as independent assessments, certifications, and evidence of operational maturity. 

Chief information security officers place particular emphasis on transparency during security incidents and on consistent technical performance. Boards and senior executives, meanwhile, attach greater importance to independent validation, certifications, and analyst evaluations. 

The report notes that organizations seek evidence-based transparency rather than general assurances.  Phil Harris, research director for governance, risk, and compliance solutions at IDC, said: “With regulatory pressure increasing globally, organizations must be able to demonstrate due diligence in vendor selection, especially where AI is involved.  Trust is shifting from a marketing message to a defensible compliance requirement.”

As artificial intelligence is integrated into security tools and processes, the study indicates that organizations are scrutinizing not only whether solutions work but also whether AI is being used responsibly, with clear governance and openness. 

Mr. McKerchar added: “CISOs are being asked to prove trust, not assume it. Cybersecurity providers must do the same.” Respondents to the survey cited a lack of accessible, sufficiently detailed information as the primary barrier to making confident trust assessments. Trust must be earned continuously through transparency, accountability, and independent validation.

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

[1] https://www.cybersecurityintelligence.com/blog/over-90-of-organisations-distrust-cybersecurity-vendors-9247.html
