Why Cybersecurity Trust Now Outweighs Promises

Cybersecurity trust is emerging as a major fault line, according to a new global study released by Sophos. Based on responses from 5,000 organizations across 17 countries, the research suggests that companies are worried not only about cyber threats, but also about whether they can truly rely on the vendors meant to protect them.

Cybersecurity Trust Becomes A Boardroom Issue

The report, The Cybersecurity Trust Reality 2026, finds that 95% of respondents do not fully trust their cybersecurity vendors. It also shows that 79% struggle to judge the trustworthiness of new security partners, while 62% say the same problem exists even with vendors they already use.

That lack of confidence is not just theoretical. More than half of those surveyed, 51%, said distrust in vendors has directly increased their fear of a major cyber incident.

Ross McKerchar, CISO at Sophos, said trust should no longer be treated as a vague idea. In practice, he said, it shapes security choices, risk management, and even what reaches the boardroom. When companies cannot confirm a vendor’s security standards, transparency, or response readiness, uncertainty spreads across the business.

Evidence Matters More Than Assurances

The study found that organizations place the most trust in vendors that can show proof. Independent assessments, certifications, and clear signs of operational maturity ranked as the strongest trust drivers. Security leaders also value openness during incidents and steady technical performance.

Boards and senior leaders, meanwhile, are more likely to look for outside validation, recognized certifications, and analyst-backed performance.

That shift is becoming more urgent as artificial intelligence spreads across cybersecurity tools and services. Companies are increasingly asking not only whether AI works, but whether it is being used responsibly and under clear governance.

Phil Harris, Research Director for Governance, Risk and Compliance Solutions at IDC, said rising regulation means businesses now need to prove they have done proper checks on vendors, especially where AI is involved.

Cybersecurity trust can no longer rest on promises alone. It now depends on evidence, transparency, and the ability to stand up to scrutiny.
