Cyber Trust Deficit Raises Incident Risk: Report

A global survey of 5,000 IT and security leaders has found that just 5% say both they and their organisation have full trust in their cybersecurity vendors - raising serious questions for CISOs, risk managers and boards about how they evaluate and manage vendor relationships.

Commissioned by cybersecurity company Sophos and conducted independently by research firm Vanson Bourne, the survey covered 17 countries. The resulting report, The Cybersecurity Trust Reality in 2026, found widespread difficulty in assessing vendor trustworthiness - both before and after contracts are signed.

Seventy-nine per cent of respondents said it is challenging to assess the trustworthiness of new cybersecurity vendors or partners. Sixty-two per cent reported the same difficulty with vendors they are already working with.

Fifty-one per cent of respondents said a lack of vendor trust increases their concern about experiencing a significant cyber incident.

Forty-five per cent said it makes them more likely to switch vendors - a costly and disruptive process. Other reported impacts included increased oversight requirements (42%), reduced peace of mind about cyber posture (41%), and concern about incorrect vendor selection (38%).

Barriers to Trust Assessment

The report identified several barriers to evaluating vendor trustworthiness. Nearly half (47%) said the information vendors provide is not factual or detailed enough.

Forty-five per cent found vendor information hard to interpret. Forty-three per cent said they lacked the skills or knowledge to assess vendors effectively. A further 41% encountered conflicting information, and 38% struggled simply to find the information they needed.

A significant internal alignment challenge also emerged. Seventy-eight per cent of respondents said their IT team and senior leadership or board differ in opinion on the trustworthiness of their cybersecurity vendors.

Nearly one-third said those disagreements happen "often." The finding is particularly relevant for CIOs and CISOs who must navigate competing assessments when seeking board sign-off on vendor contracts and technology investment.

Despite these differences, senior leadership remains closely involved in cybersecurity purchasing. Just 1% of organisations reported that their board or senior leadership plays no role in cybersecurity purchasing decisions.

The report found that both IT teams and senior leadership ranked the same factor as the top driver of vendor trust: verifiable artefacts indicative of cybersecurity maturity.

These include bug bounty programmes, public Trust Centres, advisories documenting product vulnerabilities and their remediations, and third-party assessments and certifications - evidence that procurement and compliance teams can check for themselves during due diligence rather than relying on the vendor's own description of its security posture. Certifications and audit reports attest to a defined scope at a point in time, so they complement, rather than replace, an ongoing public record of disclosures and fixes.

"Transparency and timely communications during incidents and disclosures" ranked second for senior leadership and third for IT teams. Consistent delivery of high-quality products and services ranked second for IT teams.

The report is available at https://www.sophos.com/en-us/content/cybersecurity-trust-reality.