Sophos Study Finds Trust Gaps in Cybersecurity Vendors

Sophos released results from a vendor-agnostic study examining cybersecurity trust and how it affects operational risk and board-level decision making. The findings center on whether organizations can verify what they are buying and how that uncertainty shows up in security governance.

The study, based on responses from 5,000 organizations across 17 countries, reported widespread gaps in trust toward cybersecurity vendors. It also linked those gaps to anxiety about the likelihood of a significant cyber incident and to challenges in assessing new and existing vendor trustworthiness.

Respondents reported that 95% do not have full trust in their cybersecurity vendors. The research also found that 79% struggle to assess the trustworthiness of new cybersecurity partners, and that 62% find it challenging even for existing vendors. More than half of respondents, 51%, reported increased anxiety about the likelihood of a significant cyber incident as a direct result of lack of trust.

“Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” said Ross McKerchar, CISO at Sophos. “When organizations can’t independently verify a vendor’s security maturity, transparency, and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”

“With regulatory pressure increasing globally, organizations must be able to demonstrate due diligence in vendor selection — especially where AI is involved,” said Phil Harris, Research Director, Governance, Risk and Compliance Solutions at IDC. “Trust is shifting from a marketing message to a defensible compliance requirement.”

The report highlighted verifiable security artifacts, including independent assessments, certifications, and demonstrated operational maturity, as a driver of vendor trust.