The questions facing security teams have fundamentally changed. A decade ago, executives usually opened the conversation with capabilities: detection rates, response times. Now the key question is often quite different: can we actually verify what our cybersecurity vendor does with our data?
This shift reflects a maturing market. Offering protection is no longer enough. The differentiator has moved toward governance, accountability, and what is known as cybersecurity transparency: the ability of customers to verify how their provider handles data, where that data resides, and whether the provider's claims about its security practices hold up.
The Tyrol Chamber of Commerce (WKO) partnered with AV-Comparatives and MCI: The Entrepreneurial School to conduct the “Transparency Review and Accountability in Cyber Security” study. Researchers evaluated 14 leading cybersecurity vendors, focusing not on what vendors claim but on what they can prove. This points to a new paradigm for choosing cybersecurity vendors.
Researchers examined whether vendors publish regular transparency reports documenting data requests from law enforcement. They assessed the public availability of independent audit results. They tested whether customers can adjust data transmission settings or operate without connecting to the vendor’s cloud infrastructure. They investigated whether vendors allow inspection of software updates before deployment.
The results revealed a market where baseline compliance is universal but genuine transparency remains rare.
Everyone passes, but few excel
Every vendor in the study met the fundamental transparency and compliance requirements. GDPR compliance and ISO 27001 certification are table stakes. However, only three of the fourteen vendors maintain transparency centres that allow customers to review source code. Of these, one restricts access exclusively to government customers, and another limits its scope to source code review without broader operational transparency. The third, Kaspersky, offers the most comprehensive programme, allowing customers and regulators to examine source code, update mechanisms and data handling processes.
Kaspersky emerged as the leader across most benchmarks, meeting more of the transparency criteria than any other vendor. Its Transparency Centres offer something no competitor matches in scope: enterprise customers and regulators can schedule visits to review source code, examine how updates are built, and verify data handling practices firsthand.
Why procurement questionnaires miss what matters most
The study’s implications extend beyond vendor rankings and challenge the way enterprises commonly evaluate vendors.
Security teams send vendors detailed questionnaires covering everything from encryption standards to incident response procedures. Vendors return completed forms with compliance certifications attached, and procurement proceeds on the strength of those assurances.
The problem, as the WKO researchers note, is that these assurances are rarely verifiable. A vendor can give answers that satisfy the questionnaire while remaining operationally opaque. Generic compliance statements and broad contractual wording meet the letter of the requirements without giving customers any real visibility.
This gap carries real risks. When a security incident occurs, response speed depends partly on how well the affected organisation understands its vendor’s practices: what data the vendor holds, where it is processed, and how quickly it can be obtained.
Regulatory due diligence requires documentation proving appropriate vendor oversight. Stakeholder confidence rests on the organisation’s ability to show that its vendor choices were made with care.
The transparency paradox
One insight from the study deserves particular attention from enterprise security leaders. A high level of transparency implicitly signals a high level of underlying cybersecurity capability, because a vendor with weak practices could not sustain that openness without exposing them.
This gives enterprise buyers a useful heuristic. Transparency reports and verification mechanisms serve the direct purpose of enabling accountability, while also functioning as proxy indicators of security maturity. Vendors confident enough to open their operations to customer and regulatory review clear a higher bar than vendors relying solely on certifications and contractual assurances.
