Lack Of Verifiable Transparency Undermines Cyber Security Decision-Making

Sophos, a global leader of innovative security solutions for thwarting cyber attacks, has released findings from a global, vendor-agnostic study (based on responses from 5,000 organizations across 17 countries), examining one of cyber security’s most urgent and overlooked necessities: Trust.

The Cybersecurity Trust Reality 2026 report is one of the most comprehensive studies of trust in cybersecurity and the impact on operational risk and board-level decision-making. It reveals a critical challenge facing CISOs: Trust in cyber security vendors is fragile, difficult to measure and increasingly shaping risk posture at both operational and board levels.

At a time of relentless cyber threats, heightened regulatory scrutiny and accelerating AI adoption, trust has become a defining factor in cyber security decision-making. Yet new research reveals that nearly all organizations report lacking full confidence in their cyber security vendors, and many struggle to assess vendor trustworthiness in the first place.

The independent study has found that:

• 95% of respondents said they do not have full trust in their cyber security vendors.
• 79% struggle to assess the trustworthiness of new cyber security partners, and over six in ten (62%) even find it challenging for their existing vendors.
• More than half (51%) report increased anxiety about the likelihood of a significant cyber incident as a direct result of lack of trust.

These findings underscore a critical reality: cyber security effectiveness cannot be measured by technological performance alone, but also by the confidence that organizations have in the partners defending their business. For CISOs, trust gaps create operational friction, slower decision-making and higher vendor turnover.  Trusted cyber security partners reduce risk and build more resilient organizations.

Ross McKerchar, CISO at Sophos

“Trust is not an abstract concept in cyber security, it’s a measurable risk factor,” says Ross McKerchar, CISO at Sophos. “When organizations can’t independently verify a vendor’s security maturity, transparency and incident handling practices, that uncertainty flows directly into boardrooms and security strategies.”

The survey identifies verifiable security artifacts, including independent assessments, certifications and demonstrated operational maturity, as the single greatest driver of vendor trust. CISOs prioritize transparency during incidents and consistent technical performance, while boards and senior leadership place greater weight on independent validation, certifications and analyst performance.

The common thread is clear. Organizations want transparency backed by evidence, not blanket assurances.

Phil Harris, Research Director, Governance, Risk and Compliance Solutions at IDC

“With regulatory pressure increasing globally, organizations must be able to demonstrate due diligence in vendor selection — especially where AI is involved,” says Phil Harris, Research Director, Governance, Risk and Compliance Solutions at IDC. “Trust is shifting from a marketing message to a defensible compliance requirement.”

As artificial intelligence becomes embedded in cyber security tools, services and workflows, organizations are not only evaluating whether security solutions are effective, but whether AI is deployed responsibly, transparently and with appropriate governance. Trust is no longer optional. It is foundational.

“CISOs are being asked to prove trust, not assume it,” avers McKerchar, adding: “Cyber security providers must do the same. Respondents to the survey cited a lack of accessible, sufficiently detailed information as the primary barrier to making confident trust assessments. Trust must be earned continuously through transparency, accountability and independent validation.”