Sophos: 95% of Firms Don’t Fully Trust Cybersecurity Providers

Sophos, a global leader in security solutions, has released findings from a comprehensive global study examining the state of trust within the cybersecurity industry. The Cybersecurity Trust Reality 2026 report is based on responses from 5,000 organizations across 17 countries. Released on March 31, 2026, from Oxford, United Kingdom, the vendor-agnostic study highlights a critical challenge facing Chief Information Security Officers (CISOs) regarding operational risk and board-level decision making.

The most revealing data from the independent study indicates that trust in cybersecurity vendors is fragile and difficult to measure. Only 5% of organizations report having full trust in their cybersecurity vendors. Conversely, 95% of respondents said they do not have full trust in their cybersecurity vendors. This positions trust as one of the main weak points of the sector, occurring in a context where threats are increasing and technological complexity continues to grow.

An increasingly complex and difficult to evaluate environment

In 2026, the combination of more sophisticated cyberattacks, regulatory pressure and the accelerated integration of artificial intelligence has raised the bar for security operations. Companies not only need effective solutions but also require clear guarantees that those solutions work and are well managed. However, the problem persists that many organizations do not know how to assess that reliability.

The study shows that 79% of organizations struggle to assess the trustworthiness of new cybersecurity partners. Over six in ten, or 62%, find it challenging to assess the trustworthiness of their existing vendors. This lack of clear criteria generates uncertainty and slows down key decisions. When transparency or maturity of a provider cannot be verified, that doubt directly impacts business strategy.

Trust is not an abstract concept in cybersecurity, but a quantifiable risk factor.

Ross McKerchar, Chief Information Security Officer at Sophos

Distrust already has real consequences

This scenario does not remain a mere perception but has direct effects on the functioning of companies. The lack of trust causes delays in decision-making, increases provider turnover, and generates internal frictions between technical teams and management. For CISOs, trust gaps create operational friction, slower decision-making, and higher vendor turnover.

more than half of respondents, specifically 51%, report increased anxiety about the likelihood of a significant cyber incident as a direct result of lack of trust. In other words, distrust not only affects the relationship with providers but also the perception of global risk. Companies thus find themselves in a complex position where they depend on external solutions to protect themselves but do not fully trust those who offer them.

The underlying problem: lack of transparency and evidence

One of the main factors behind this crisis is the lack of verifiable information. Organizations demand clear evidence on how solutions work, how incidents are managed, and what real level of protection they offer. However, in many cases, they receive generic messages or promises that are difficult to verify. This feeds the sense of opacity and complicates informed decision-making.

Companies are increasingly seeking independent certifications, external audits, and objective data to support providers’ reliability. Trust is no longer based on reputation but on the ability to demonstrate results. These findings underscore a critical reality that cybersecurity effectiveness cannot be measured by technological performance alone, but also by the confidence that organizations have in the partners defending their business.

Regulation and AI raise the bar

The regulatory context is also accelerating this change. New regulations require companies to justify their decisions in cybersecurity, which includes the choice of providers. At a time of relentless cyber threats, heightened regulatory scrutiny, and accelerating AI adoption, trust has become a defining factor in cybersecurity decision-making.

Phil Harris, an expert in governance and compliance, points out that this trend is redefining the concept of trust. He notes that trust is moving from being a marketing message to becoming a justifiable compliance requirement. Added to This represents the emergence of artificial intelligence, which introduces new doubts. Companies not only evaluate whether a tool is effective but also whether its use is transparent, ethical, and correctly supervised.

A change in the cybersecurity sector

This report makes it clear that trust has moved from being a secondary element to becoming a central pillar of cybersecurity. This proves no longer enough to have the best technology. it is necessary to continuously demonstrate that this technology is reliable. This implies a profound change for both companies and providers, who must adapt to an environment where transparency and external validation are essential.

CISOs are asked to demonstrate trust, not to take it for granted.

Ross McKerchar, Chief Information Security Officer at Sophos

The Cybersecurity Trust Reality 2026 report reveals that trust in cybersecurity vendors is increasingly shaping risk posture at both operational and board levels. As organizations navigate this landscape, the demand for vendor-agnostic studies and objective data continues to rise. The industry faces a critical necessity to address these trust gaps to reduce operational risk and improve security outcomes globally.