
Significant proportion of organisations don’t trust third-party vendors

Research from cyber consultancy CyXcel has revealed what it calls a ‘critical shortfall’ in the UK’s digital risk landscape: nearly three in ten (27%) of UK risk managers surveyed report they don’t have enough trust in third-party vendors to confidently manage their most critical threats, increasing their risk factors and threatening their businesses.

This trust gap is both a vendor problem and a visibility problem, according to the research, which highlights that more than a quarter (28%) of UK respondents do not fully understand the risks they’re responsible for managing, making it almost impossible to assess whether vendors are fit for purpose.

As organisations continue to outsource key areas such as cyber incident response (26%), AI adoption (20%), and geopolitical risk management (21%), the lack of both trusted partners and internal clarity creates a fragile risk posture.

Layered onto this is the intensifying convergence of threats: AI-driven attacks, rising geopolitical instability, and increasingly sophisticated cybercriminal tactics. These forces demand far more than robust contracts and a one-time vendor review. They require intelligence-led, continuously validated partnerships, supported by internal systems that can assess, question, and course-correct in real time.

“Organisations are stuck between needing external support and not having enough partners they truly trust,” said Megha Kumar, Chief Product Officer and Head of Geopolitical Risk at CyXcel. “It’s a tension we’re seeing across sectors, and it’s leaving risk ecosystems fragmented and vulnerable. Without stronger internal understanding, risk leaders are flying blind, placing responsibility in the hands of vendors they can’t fully vet. What’s needed now is a shift toward integrated intelligence, not just compliance checklists. Businesses must empower their teams to assess threats clearly and select partners confidently.”

Despite investing, on average, between £75,000 and £100,000 in risk management tools and strategies annually, many organisations are still unsure whether these investments are effective. Nearly one in four risk managers (24%) say they feel overwhelmed by the volume and complexity of threats they’re tasked with navigating. This growing pressure is prompting critical questions: Are organisations outsourcing because it’s strategic or because they don’t understand the risk well enough to manage it themselves?

“We see this pattern again and again,” said Ngaire Guzzetti, Technical Director – Supply Chain at CyXcel. “Organisations are handing over the keys to their digital resilience—but don’t have the internal visibility to know if those partners are steering in the right direction. Risk managers are drowning in complexity, yet leaving the handling of the lifeboat to vendors they barely trust. Resilience doesn’t start with spend; it starts with clarity. The more you understand the threat, the better equipped you are to evaluate who should be helping you manage it.”

Photo by Ronda Dorsey on Unsplash
