Bottom line: Roughly three of four organizations (79 percent) cannot reliably assess the trustworthiness of new security providers, and about half link this lack of trust to heightened concern about severe cyber outages.
A Sophos survey of 5,000 organizations across 17 countries shows that 95 percent do not fully trust their cybersecurity providers. CISOs cite lack of transparency and missing independent validation options as primary obstacles.
The study “Cybersecurity Trust Reality 2026” reveals a fundamental trust deficit: 95 percent of surveyed organizations report not fully trusting their cybersecurity providers. This means only five percent have unqualified trust in their service providers. Ross McKerchar, CISO at Sophos, summarizes the implication: When organizations cannot independently verify a provider’s security maturity, transparency, and incident response practices, this uncertainty flows directly to boards and into security strategies.
The core problem is assessability: 79 percent of organizations struggle to assess the trustworthiness of new security partners, and even for existing providers, 62 percent still find this assessment a challenge. 51 percent attribute their increased concern about severe cyber outages directly to this lack of trust. The underlying issue: accessible, sufficiently detailed information about providers' operational maturity and actual security capabilities is lacking.
As a solution approach, organizations identify verifiable evidence — independent assessments, certifications, and demonstrable operational maturity. CISOs prioritize transparency on security incidents and consistent technical performance, while boards and executives place greater weight on independent validation by analysts. The common denominator is clear: evidence instead of blanket assurances.
An additional uncertainty factor comes from the increasing use of AI in security products and services. Organizations no longer merely verify functional performance but also whether AI is deployed responsibly, transparently, and with appropriate governance. According to Phil Harris, Research Director for Governance, Risk and Compliance at IDC, this heightens the requirements: with rising regulatory pressure, organizations must be able to demonstrate due diligence in provider selection — particularly where AI is deployed. Trust evolves from a marketing message to a demonstrable compliance requirement.
CISOs are thus tasked with proving trust rather than assuming it — and security providers must do the same. In this context, trust becomes a continuously acquired factor that must be strengthened through transparency, accountability, and independent validation.
Source: www.it-daily.net · Published June 3, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.2.9.