Third-party cybersecurity incidents are on the rise, but organizations face challenges in mitigating risks arising for the software supply chain, a survey of 200 chief information security officers (CISOs) has found.
The survey, from the security firm Panorays, found that more than nine in 10 CISOs reported an increase in third-party cybersecurity incidents in 2024. Nearly three-quarters of them experienced a moderate increase in incidents, and nearly a quarter encountered a significant escalation in events.
Panorays CEO Matan Or-El said in a statement:
“This year’s survey reveals a troubling story. Third-party risks are growing faster than the resources organizations have to address them. As supply chains become more complex and interconnected, the need for smarter, AI-driven solutions is no longer optional, it’s critical for businesses to stay secure.”
Here are six key lessons from the "2025 CISO Survey for Third-Party Cyber Risk Management" report.
1. Organizations lack deep visibility into the software supply chain
The survey found that only 3% of the organizations had full insight across their entire supply chain (including fourth-party and beyond), while 33% could only see as far as third parties. "This lack of comprehensive oversight leaves organizations unable to identify and address vulnerabilities effectively, increasing their risk of breaches," the report said.
Mike McGuire, senior security solutions manager at Black Duck Software, said the most significant takeaway from the report was that on the software side of third-party risk, blind spots are prevalent when it comes to open source dependency management. "We’ve stressed for some time the importance of eliminating these blind spots," he said.
Parth Patel, chief product officer and co-founder of Kusari, said the reality is that traditional third-party cyber risk management (TPCRM) hasn’t kept pace with the complexity and speed at which modern software is developed, particularly when open-source dependencies are involved.
"[TPCRM] efforts often overlook the complexities of open-source software, treating it the same as commercial software, but unlike proprietary software, open-source components are maintained by distributed communities, meaning organizations may not have a direct relationship with the vendor."
—Parth Patel
Without proper governance and visibility, dependencies can introduce hidden risks that may not be immediately apparent to security teams or business leaders, Patel said. "Many organizations only focus on direct dependencies but fail to track transitive dependencies — indirectly pulled-in software that can introduce vulnerabilities outside their control," he said.
Georgia Cooke, a digital security analyst with ABI Research, said there are myriad factors contributing to the lack of visibility into the software supply chains, but the core problem is cost — and responsibility for that cost.
"It’s often remarked that while many would love full visibility, they’re not willing to pay for it. Supply chain security is a matter of increasing prominence in regulation, but until robust, cohesive requirements are in place across all industries, it is likely that other problems will take greater priority."
—Georgia Cooke
2. Lacking resources means most risks go unresolved
The widespread resource shortage leaves organizations unable to address critical vulnerabilities, significantly increasing their exposure to risk, the report noted. To minimize potential losses from breaches, it recommended investing in efficient tools and processes to resolve software risk at scale.
Amit Zimerman, co-founder and chief product officer at Oasis Security, said the critical concern today stems from third-party, open-source dependencies. "A key issue is the extended remediation timeline for third-party flaws, which poses a growing risk as these vulnerabilities can remain unaddressed for prolonged periods," he said.
To mitigate those risks, Zimerman recommended organizations adopt a proactive approach that includes regular dependency scanning, then prioritizing fixes based on their potential impact.
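The two practices named above, tracking transitive as well as direct dependencies (Patel's point) and scanning dependencies regularly, then ranking fixes by impact (Zimerman's recommendation), come together in a small triage script. The code below is an added illustration, not tooling from the report, Panorays, Kusari or Oasis Security. It assumes a CycloneDX-style dependency graph (a root reference plus a list of `ref`/`dependsOn` entries) and an advisory feed carrying a CVSS score per component; both inputs are constructed sample data with made-up package names and advisory ids.

```python
"""Classify a dependency graph into direct vs. transitive dependencies and
rank known vulnerable components for remediation.

Added example: the lockfile-style graph and the advisory list are constructed
sample data, not real packages or real advisories."""
from collections import deque
import json

# Constructed sample in a CycloneDX-like shape: each entry names a component
# (its bom-ref) and the components it depends on. "root" is the application.
SAMPLE_LOCK = json.loads("""
{
  "root": "app@1.0.0",
  "dependencies": [
    {"ref": "app@1.0.0",           "dependsOn": ["web-framework@4.2.0", "json-parser@2.1.0"]},
    {"ref": "web-framework@4.2.0", "dependsOn": ["http-core@1.9.3", "template-lib@0.8.1"]},
    {"ref": "http-core@1.9.3",     "dependsOn": ["log-util@3.0.2"]},
    {"ref": "template-lib@0.8.1",  "dependsOn": []},
    {"ref": "json-parser@2.1.0",   "dependsOn": []},
    {"ref": "log-util@3.0.2",      "dependsOn": []},
    {"ref": "unused-lib@1.0.0",    "dependsOn": []}
  ]
}
""")

# Constructed advisory feed: one record per affected component with a CVSS
# base score. Ids are placeholders, not real vulnerability identifiers.
SAMPLE_ADVISORIES = [
    {"ref": "log-util@3.0.2",     "cvss": 9.8, "id": "ADV-EXAMPLE-1"},
    {"ref": "json-parser@2.1.0",  "cvss": 5.3, "id": "ADV-EXAMPLE-2"},
    {"ref": "template-lib@0.8.1", "cvss": 7.5, "id": "ADV-EXAMPLE-3"},
    {"ref": "unused-lib@1.0.0",   "cvss": 9.1, "id": "ADV-EXAMPLE-4"},
]


def build_graph(lock):
    """Adjacency list: component ref -> list of refs it depends on."""
    return {entry["ref"]: list(entry["dependsOn"]) for entry in lock["dependencies"]}


def classify_dependencies(lock):
    """Breadth-first walk from the root. Depth 1 = direct dependency,
    depth >= 2 = transitive. Returns (depth, parent) maps; components that
    are not reachable from the root never appear in either map."""
    graph = build_graph(lock)
    root = lock["root"]
    depth = {root: 0}
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:  # first visit records the shortest path
                depth[child] = depth[node] + 1
                parent[child] = node
                queue.append(child)
    return depth, parent


def entry_point(parent, root, ref):
    """Walk back up the parent chain to the direct dependency that pulls
    ref into the build; that is the package a team would upgrade or replace."""
    node = ref
    while parent.get(node) is not None and parent[node] != root:
        node = parent[node]
    return node


def prioritize_findings(lock, advisories):
    """Join advisories with the graph, drop components the application does
    not actually pull in, and order the rest by CVSS score (highest first),
    breaking ties in favour of shallower dependencies. Returns
    (ranked_findings, skipped_advisory_ids)."""
    depth, parent = classify_dependencies(lock)
    root = lock["root"]
    ranked, skipped = [], []
    for adv in advisories:
        ref = adv["ref"]
        if ref not in depth:
            skipped.append(adv["id"])  # listed in the SBOM but unreachable
            continue
        d = depth[ref]
        ranked.append({
            "id": adv["id"],
            "ref": ref,
            "cvss": adv["cvss"],
            "kind": "direct" if d == 1 else "transitive",
            "depth": d,
            "via": entry_point(parent, root, ref),
        })
    ranked.sort(key=lambda f: (-f["cvss"], f["depth"]))
    return ranked, skipped


if __name__ == "__main__":
    findings, skipped = prioritize_findings(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for f in findings:
        print(f"{f['id']}: {f['ref']} cvss={f['cvss']} {f['kind']} (depth {f['depth']}) via {f['via']}")
    print("not reachable from root, deprioritized:", skipped)
```

Running the script on the constructed data puts the 9.8-scored `log-util` first even though it sits three levels down, and reports `web-framework` as the direct dependency to act on; the advisory for `unused-lib` is set aside because nothing in the build reaches it, which is exactly the direct-only view Patel warns about getting wrong in the other direction.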
Aparna Achanta, principal lead for IBM and ISACA's Emerging Trends Working Group, said security teams are already understaffed, and struggling to keep up with the increasing number of third-party risks that need attention.
"Interestingly, 29% of CISOs in this survey mention they are struggling with other priorities, leading to the neglect of third-party vulnerabilities in their organization’s security strategy."
—Aparna Achanta
3. CISOs prioritize third-party risk, but business leaders do not
A lack of executive understanding limits funding and support for TPCRM initiatives, the report explained. It asserted that closing that gap is essential to aligning organizational priorities and implementing effective risk mitigation strategies, ultimately reducing long-term costs.
Frank Balonis, CISO of Kiteworks, said a key risk to the enterprise was data loss — and that can get the attention of leadership.
"Nothing can kill a company quicker than a loss of data. If your leadership understands that, your board understands that, it makes things a lot easier to enhance and continue to mature a program to understand third-party risk."
—Frank Balonis
IBM's Achanta said it's crucial for CISOs to focus on demonstrating the disastrous consequences of third-party risks in concrete numbers, including financial loss, reputation damage, downtime, data breaches, and fines due to non-compliance with standards like HIPAA, GDPR, and FedRAMP.
4. AI automation deployed to manage third-party risks
About one quarter of CISOs in the survey said they rely on AI automation for vendor assessments. An additional 69% plan to adopt it within the next year. This reflects a growing recognition of AI's ability to enhance efficiency and scalability, equipping organizations to manage the complexities of modern supply chains, the report noted.
Lorri Janssen-Anessi, director for external cybersecurity assessments at BlueVoyant, said that AI automation is revolutionizing third-party risk management by enabling organizations to swiftly and effectively manage risks within their supply chains.
"There are AI-driven platforms that can analyze vast amounts of unstructured data from vendors, suppliers, and service providers in seconds, rather than months. This rapid analysis allows organizations to identify non-compliant vendors and recommend remediation actions before adverse events occur."
—Lorri Janssen-Anessi
5. AI automation offers significant time savings
AI automation is proving to be a game-changer for vendor assessments, significantly reducing the time and effort required, the report noted. On average, assessment efforts are reduced by nearly half, with the vast majority of CISOs reporting meaningful time savings. AI-driven automation not only streamlines these processes, the report added, but also frees up resources for higher-value tasks, making it an indispensable tool in modern TPCRM. IBM's Achanta said:
"The survey findings show that using AI for vendor evaluations can drastically cut down the time and effort needed for assessments by about 44%, which is significant. This means vendors must no longer spend hours filling out forms and security teams can skip the tedious process of manually checking every vendor for major risks, saving time and work for other mission-critical tasks."
—Aparna Achanta
6. Governance, risk, and compliance (GRC) falls short on TPCRM
Although GRC platforms are widely used, the report noted, they often fail to fully address the complexities of TPCRM. While 27% of CISOs rely on GRC platforms as their primary solution, more than half admit these tools represent third-party risks only somewhat accurately, minimally, or not at all. This highlights the need for more specialized solutions to improve visibility and risk management, the report added.
Janssen-Anessi said that given the limitations of current GRC platforms, there is a pressing need for more specialized solutions to address TPCRM.
"Industry-specific tools could possibly effectively tackle unique risk factors by tailoring their features to the specific needs and challenges of different sectors. For instance, healthcare organizations might benefit from solutions that focus on patient data protection and regulatory compliance, while financial institutions may require tools that emphasize fraud detection and transaction security."
—Lorri Janssen-Anessi
Piyush Pandey, CEO of Pathlock, said that with the increase in regulatory and security requirements, GRC data volumes will continue to grow at what will eventually be an unmanageable rate. "Because of this, AI and ML will increasingly be used to identify real-time trends, automate compliance processes, and predict risks," he said.
"Continuous, automated monitoring of compliance posture using AI can, and will, drastically reduce manual efforts and errors. More granular, sophisticated risk assessments will be available via ML algorithms, which can process vast amounts of data to identify subtle risk patterns, offering a more predictive approach to reducing risk and financial losses."
—Piyush Pandey
Key components of effective TPCRM
A recent Gartner report noted that successful TPCRM depends on a security organization’s ability to influence overall business decision making and to deliver on three outcomes: resource efficiency, risk management, and resilience. However, the report says that enterprises struggle to be effective in two out of those three outcomes and that only 6% of organizations are effective in all three.
Gartner recommends four actions that security and risk management leaders should take to increase the effectiveness of their TPCRM programs, adding that organizations that have implemented any of these actions saw a 40% to 50% increase in TPCRM effectiveness:
- Regularly review how effectively third-party risks are communicated to the business owner of the third-party relationship. Chief information security officers (CISOs) need to regularly review how well the business understands their messaging around third-party risks to ensure they are providing actionable insights around those risks.
- Track third-party contract decisions to help manage risk acceptance by business owners. Business owners will often choose to engage with a third party even if they are well-informed about associated cybersecurity risks. Tracking decisions helps security teams align compensating controls for risk acceptances and alerts security teams to particularly risky business owners that may require greater cybersecurity oversight.
- Conduct third-party incident response planning, such as playbooks and tabletop exercises. Effective TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure that the organization has strong contingency plans in place to prepare for unexpected scenarios and to be able to recover well in the wake of an incident.
- Work with critical third parties to mature their security risk management practices as necessary. In a hyperconnected environment, a critical third party’s risk is also an organization’s risk. Partnering with critical third parties to improve their security risk management practices helps promote transparency and collaboration.
Charlie Jones, director of product management at ReversingLabs, said that, far too often, organizations make the mistake of building a one-size-fits-all program to monitor third-party security risk.
“Although this may make it easy to compare the security posture of one third party to another — an apples-to-apples comparison — it overlooks the uniqueness of the relationship, product, or service that is provided that contributes to its risk profile.”
—Charles Jones
Jones said one-size-fits-all programs could be detrimental to the comparison of the security maturity of two third parties that are inherently different because "it may negatively influence procurement decisions if the comparison is built off a correlation with no significance."
Article Link: CISO survey: 6 lessons for improving your TPCRM