The fragile state of trust in cybersecurity vendors: a 2026 insight

Sophos has released the Cybersecurity Trust Reality 2026 report, a global study examining the role of trust in cybersecurity.

Based on responses from 5,000 organisations across 17 countries, the report explores levels of confidence in cybersecurity vendors and the impact on operational risk and board-level decision-making.

The findings show that 95% of organisations do not have full confidence in their cybersecurity vendors, while 79% report difficulty assessing the trustworthiness of both new and existing partners. The data also indicates that a lack of trust is associated with increased concern about the likelihood of significant cyber incidents, influencing decision-making and vendor relationships.

The report highlights that trust gaps can contribute to operational challenges, including slower decision-making and changes in vendor relationships. It also notes that cybersecurity effectiveness is not assessed solely on technological performance, but also on factors such as transparency and the availability of supporting evidence.

Organisations are placing importance on verifiable security artifacts, including independent assessments, certifications, and demonstrated operational maturity, when evaluating vendors. The report also identifies differences in priorities, with CISOs focusing on transparency and performance, while boards and senior leadership place greater emphasis on independent validation and certifications.

With increasing regulatory scrutiny and the growing use of AI in cybersecurity, the report notes that organisations are expected to demonstrate due diligence in vendor selection. This includes considerations around transparency, governance, and the responsible use of AI.