Most IT Leaders Don’t Fully Trust Their Cybersecurity Vendors

New global research shows that while organisations rely heavily on cybersecurity providers, only a small minority fully trust them, exposing a growing gap between dependence and confidence.

A Critical Dependency (With Limited Confidence)

Cybersecurity vendors essentially sit at the heart of modern business operations, responsible for protecting systems, data, and day-to-day continuity. For many organisations, particularly those without large internal IT teams, these providers effectively act as an extension of the business itself.

However, new research from Sophos suggests that this reliance is not matched by confidence. Its Cybersecurity Trust Reality 2026 report, based on a survey of 5,000 IT and security leaders across 17 countries, found that only 5 per cent of respondents say they fully trust their cybersecurity vendors.

This disappointing statistic suggests that businesses are placing critical operational resilience in the hands of providers they don’t completely trust, which raises questions about how risk is actually being managed in practice.

Why Is There A Trust Issue?

One of the most striking findings is not just the lack of trust, but how difficult organisations find it to assess vendors in the first place.

According to the report, 79 per cent of organisations struggle to evaluate the trustworthiness of new cybersecurity providers, while 62 per cent report the same challenge with vendors they already use. This suggests that trust gaps do not disappear once a contract is signed.

The reasons for this are largely practical rather than emotional. For example, many organisations report that vendor information is either not detailed enough, difficult to interpret, or inconsistent across sources. Others admit they lack the internal expertise needed to properly assess technical claims.

As the report explains, organisations are often left trying to validate complex security capabilities without clear, standardised evidence, making meaningful comparisons between providers difficult.

This is where trust begins to shift from a perception issue to a structural one. If organisations cannot independently verify what vendors claim, trust becomes inherently fragile.

Trust As A Measurable Risk Factor

The report makes the important point that, within organisations, trust is no longer seen as a soft or abstract concept, but as something that directly influences risk.

As Sophos notes, “Trust is not an abstract concept in cybersecurity, it’s a measurable risk factor,” highlighting how uncertainty around vendor capability feeds directly into business risk assessments and decision-making.

The report reinforces this further, stating that “CISOs are being asked to prove trust, not assume it,” reflecting the growing expectation that confidence in vendors must be backed by evidence rather than reputation.

This is reflected in how organisations report the impact of low trust. More than half (51 per cent) say it increases their concern that they are more likely to experience a significant cyber incident.

Other consequences are more operational. For example, 45 per cent say it makes them more likely to switch vendors, while others report increased oversight requirements and reduced confidence in their overall security posture.

In effect, a lack of trust doesn’t just create anxiety; it drives cost, complexity, and ongoing disruption.

A Disconnect Between IT And Leadership

Another layer of complexity seems to come from internal misalignment. The report found that 78 per cent of organisations experience differences of opinion between IT teams and senior leadership when assessing vendor trustworthiness.

This reflects the different priorities at play. For example, technical teams tend to focus on performance, reliability, and day-to-day effectiveness, while leadership is more concerned with accountability, compliance, and reputational risk.

When those perspectives do not align, decision-making becomes more difficult. Vendor selection, contract renewal, and incident response planning can all be affected by differing views on how much confidence should be placed in a provider.

What Builds Trust?

The research also highlights a clear shift in what organisations look for when evaluating vendors.

Across both IT teams and senior leadership, the strongest driver of trust is no longer brand reputation or marketing claims, but verifiable evidence. This includes independent certifications, third-party assessments, documented vulnerability disclosures, and demonstrable operational maturity.

Transparency also plays a central role. Organisations increasingly expect clear communication during incidents, visibility into how security processes operate, and evidence that issues are identified and resolved effectively.

As the report makes clear, trust is something that must be demonstrated continuously, not assumed.

This becomes even more important as AI is integrated into cybersecurity tools. Organisations are now asking not just what a system does, but how it makes decisions, how it is governed, and how risks are managed.

What Does This Mean For Your Business?

For UK businesses, this research highlights a critical issue that often sits beneath the surface of cybersecurity strategy.

Most organisations assume that choosing a reputable vendor is enough to reduce risk. In reality, the challenge is not just selecting a provider, but being able to verify, monitor, and validate what that provider is doing over time.

This means trust can no longer be treated as a one-off decision made during procurement. It needs to be actively maintained through ongoing oversight, clear reporting, and defined accountability.

It also suggests that businesses should place greater emphasis on evidence when assessing vendors. Certifications, independent testing, and transparent disclosure practices are becoming essential, not optional.

There is also a need to address internal alignment. Ensuring that IT teams and leadership share a common understanding of vendor risk can help avoid fragmented decision-making and improve overall resilience.

Ultimately, the findings show that cybersecurity is not just about technology, but about confidence in the organisations delivering it. When that confidence is missing, even the most advanced tools can leave businesses feeling exposed.

Mike Knight