
As businesses rely more and more on data, trust ought to be a defining factor in cybersecurity decision-making. Yet new research from Sophos reveals that nearly all organizations lack full confidence in their cybersecurity vendors, and many struggle to assess vendor trustworthiness in the first place.
The study finds that 95 percent of respondents say they don’t have full trust in their cybersecurity vendors. In addition, 79 percent struggle to assess the trustworthiness of new cybersecurity partners, and 62 percent find this challenging even for their existing vendors.
Furthermore, 51 percent of respondents report increased anxiety about the likelihood of a significant cyber incident as a direct result of this lack of trust.
These findings underscore a critical reality: cybersecurity effectiveness can’t be measured by technological performance alone, but also by the confidence that organizations have in the partners defending their business. For CISOs, trust gaps create operational friction, slower decision-making, and higher vendor turnover. Having trusted cybersecurity partners helps reduce risk and build more resilient organizations.
“Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” says Ross McKerchar, CISO at Sophos. “When organizations can’t independently verify a vendor’s security maturity, transparency, and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”
The survey highlights verifiable security artifacts, including independent assessments, certifications, and demonstrated operational maturity, as the single greatest driver of vendor trust. CISOs prioritize transparency during incidents and consistent technical performance, while boards and senior leadership place greater weight on independent validation, certifications, and analyst performance.
As artificial intelligence becomes embedded in cybersecurity tools, services, and workflows, organizations are not only evaluating whether security solutions are effective, but also whether AI is deployed responsibly, transparently, and with appropriate governance. Trust is no longer optional. It is foundational.
“CISOs are being asked to prove trust, not assume it,” adds McKerchar. “Cybersecurity providers must do the same. Respondents to the survey cited a lack of accessible, sufficiently detailed information as the primary barrier to making confident trust assessments. Trust must be earned continuously through transparency, accountability, and independent validation.”
The full report is available from the Sophos site.
