Sophos has published the results of a global, independent study based on responses from 5,000 organizations in 17 countries, which analyzes one of the most urgent – and often ignored – needs in cybersecurity: trust in suppliers.

The Cybersecurity Trust Reality 2026 report is positioned as one of the most complete analyses of trust in cybersecurity providers and its impact on operational risk and decision-making at the management level. The study highlights a key challenge for CISOs: trust in suppliers is fragile, difficult to measure and increasingly determines the risk posture of organizations.

Difficulty assessing reliability

In a context marked by constant threats, increased regulatory pressure and rapid adoption of artificial intelligence, trust in suppliers has become a decisive factor. However, research reveals that most organizations do not fully trust their cybersecurity providers and have difficulty assessing their reliability from the outset.

The independent study concludes that:

  • 95% of respondents say they do not have full confidence in their cybersecurity providers.
  • 79% acknowledge difficulties in evaluating the reliability of new suppliers, and 62% indicate that it is even difficult for them to evaluate their current suppliers.
  • More than half (51%) show greater concern about the possibility of suffering a serious incident due to a lack of trust in their suppliers.

These data reflect a key reality: the effectiveness of cybersecurity does not depend solely on technology, but also on the trust that organizations place in their providers. For CISOs, a lack of trust in suppliers creates operational friction, slows down decision-making, and encourages constant supplier turnover. Conversely, having reliable suppliers helps reduce risks and build more resilient organizations.

“Trust is not an abstract concept in cybersecurity, but rather a quantifiable risk factor,” said Ross McKerchar, CISO at Sophos. “When organizations cannot independently verify the security maturity, transparency and response capabilities of their vendors, that uncertainty translates directly into business strategy.”

The survey identifies verifiable elements – such as certifications, independent audits and operational maturity – as key factors in strengthening trust in suppliers. CISOs prioritize transparency and technical consistency from their vendors, while boards of directors especially value external validation and regulatory compliance from these vendors.

Compliance requirement

The message is clear: organizations are looking for vendors that offer evidence-backed transparency, not just promises.

“As regulatory pressure increases, organizations must demonstrate that they have performed due diligence in vendor selection, especially in the field of artificial intelligence,” said Phil Harris, research director at IDC. “Trust in suppliers is no longer a commercial argument and is becoming a compliance requirement.”

As AI is integrated into tools and services, companies are not only evaluating the effectiveness of solutions, but also the responsibility and transparency with which providers develop and implement these technologies. Trust in suppliers is no longer optional: it is a critical element.

“CISOs today are required to demonstrate trust in their suppliers, not assume it,” adds McKerchar. “Therefore, suppliers must rely on transparency, accountability and independent validation as pillars to build solid relationships.”

The results of the Cybersecurity Trust Reality 2026 report consolidate trust in suppliers as a strategic imperative. In this context, Sophos reinforces its commitment to transparency through initiatives such as its Trust Center, designed to help organizations better evaluate their suppliers and make more informed decisions in an increasingly complex environment.