A global Sophos study shows that only 5 percent of IT leaders fully trust their cybersecurity vendors. Verifiable evidence, transparency, and clear communication are central to trust.
Only 5 percent of respondents say that both they and their organization fully trust their cybersecurity vendors. At the same time, 79 percent find it difficult to assess new providers, and 62 percent struggle to evaluate the vendors they already use. The result is a structural problem: companies buy protection, but often can only partly verify the quality of that protection.
A major barrier is the lack of clarity in vendor claims. Forty-seven percent say the information provided is not factual or detailed enough, and 45 percent find it hard to interpret. Another 43 percent say they lack the skills or knowledge to assess vendors properly, 41 percent face conflicting information, and 38 percent struggle to find the information they need. Small and mid-sized businesses appear to face a greater skills gap and fewer resources.
The effects are not only operational but also psychological. Fifty-one percent link low trust to anxiety about a major cyber incident. Forty-five percent say it makes a vendor switch more likely, 42 percent see more oversight requirements, and 41 percent report less peace of mind about their security posture. For 38 percent, it raises doubts about whether the wrong vendor was chosen.
There is also a clear divide between operational IT teams and senior leadership. Seventy-eight percent say those groups disagree on the trustworthiness of cybersecurity vendors, and nearly one-third say the disagreement happens often. Leadership remains heavily involved in purchasing decisions: only 1 percent of organizations say senior management plays no role at all.
The study also points to what builds trust. At the top are verifiable signs of security maturity, such as bug bounty programs, Trust Centers, vulnerability advisories, third-party assessments, and certifications. Transparent, timely communication during incidents and clear information about internal security processes also matter. In this context, trust is built through evidence, not claims.

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Contact via email: jakob.jung@security-storage-und-channel-germany.de