CISO survey: 6 lessons to boost third-party cyber-risk management

Third-party cybersecurity incidents are on the rise, but organizations face challenges in mitigating risks arising for the software supply chain, a survey of 200 chief information security officers (CISOs) has found.

The survey, from the security firm Panorays, found that more than nine out of 10 CISOs reported an increase in third-party cybersecurity incidents in 2024. Nearly three-quarters of them experienced a moderate increase in incidents, and nearly one-quarter encountered a significant escalation of events.

Panorays CEO Matan Or-El said in a statement:

This year’s survey reveals a troubling story. Third-party risks are growing faster than the resources organizations have to address them. As supply chains become more complex and interconnected, the need for smarter, AI-driven solutions is no longer optional, it’s critical for businesses to stay secure.

Here are six key lessons from the "2025 CISO Survey for Third-Party Cyber Risk Management" report.

Download: 2025 Software Supply Chain Security ReportSee the SSCS Report Webinar

1. Organizations lack deep visibility into the software supply chain

The survey found that only 3% of the surveyed organizations have full insight across their entire supply chain (including fourth-party suppliers and beyond), and 33% could see only as far as third parties. "This lack of comprehensive oversight leaves organizations unable to identify and address vulnerabilities effectively, increasing their risk of breaches," the report said.

Mike McGuire, senior security solutions manager at Black Duck Software, said the most significant takeaway from the report is that, on the software side of third-party risk, blind spots are prevalent when it comes to open-source dependency management. "We’ve stressed for some time the importance of eliminating these blind spots," he said.

Parth Patel, chief product officer and co-founder of Kusari, said traditional third-party cyber-risk management (TPCRM) hasn’t kept pace with the complexity and speed at which modern software is developed, particularly when open-source dependencies are involved.

[TPCRM] efforts often overlook the complexities of open-source software, treating it the same as commercial software. But unlike proprietary software, open-source components are maintained by distributed communities, meaning organizations may not have a direct relationship with the vendor.

Parth Patel

Without proper governance and visibility, dependencies can introduce risks that may not be immediately apparent to security teams or business leaders, Patel said. "Many organizations only focus on direct dependencies but fail to track transitive dependencies — indirectly pulled-in software that can introduce vulnerabilities outside their control," he said.

Georgia Cooke, a digital security analyst with ABI Research, said there are myriad factors contributing to the lack of visibility into the software supply chains, but the core problem is cost — and responsibility for that cost.

It’s often remarked that while many would love full visibility, they’re not willing to pay for it. Supply chain security is a matter of increasing prominence in regulation, but until robust, cohesive requirements are in place across all industries, it is likely that other problems will take greater priority.

Georgia Cooke

2. Lack of resources means most risks go unresolved

The widespread resource shortage leaves organizations unable to address critical vulnerabilities, significantly increasing their exposure to risk, the report noted. To minimize potential losses from breaches, it recommended investing in efficient tools and processes to resolve software risk at scale.

Amit Zimerman, co-founder and chief product officer at Oasis Security, said the critical concern today stems from third-party, open-source dependencies.

A key issue is the extended remediation timeline for third-party flaws, which poses a growing risk as these vulnerabilities can remain unaddressed for prolonged periods.

Amit Zimerman

To mitigate those risks, Zimerman recommends that organizations adopt a proactive approach that includes regular dependency scanning and prioritizes fixes based on their potential impact.

Aparna Achanta, principal lead for IBM and a member of ISACA's Emerging Trends Working Group, said understaffed security teams are struggling to keep up with the increasing number of third-party risks that need attention.

Interestingly, 29% of CISOs in this survey mention they are struggling with other priorities, leading to the neglect of third-party vulnerabilities in their organization’s security strategy.

Aparna Achanta

3. Business leaders do not prioritize third-party risk

Many business executives do not understand the risks, which limits funding and support for TPCRM initiatives, the report explained. It asserted that closing that executive awareness is essential to aligning organizational priorities and implementing effective risk-mitigation strategies, ultimately reducing long-term costs.

Frank Balonis, CISO of Kiteworks, said that one key risk to the enterprise, data loss, can get the attention of leadership.

Nothing can kill a company quicker than a loss of data. If your leadership understands that, your board understands that, it makes things a lot easier to enhance and continue to mature a program to understand third-party risk.

Frank Balonis

IBM's Achanta said it's crucial for CISOs to use hard numbers to demonstrate the disastrous consequences of third-party risks in terms of financial loss, reputation damage, downtime, data breaches, and fines due to noncompliance with standards such as HIPAA, GDPR, and FedRAMP.

4. AI automation helps manage third-party risks

About one-quarter of CISOs in the survey said they rely on AI automation for vendor assessments. An additional 69% plan to adopt it within the next year. This reflects a growing recognition of AI's ability to enhance efficiency and scalability, equipping organizations to manage the complexities of modern supply chains, the report noted.

Lorri Janssen-Anessi, director for external cybersecurity assessments at BlueVoyant, said AI automation is revolutionizing third-party risk management by enabling organizations to swiftly and effectively manage risks within their supply chains.

There are AI-driven platforms that can analyze vast amounts of unstructured data from vendors, suppliers, and service providers in seconds, rather than months. This rapid analysis allows organizations to identify noncompliant vendors and recommend remediation actions before adverse events occur.

Lorri Janssen-Anessi

5. AI automation offers significant time savings

AI automation is proving to be a game changer for vendor assessments, significantly reducing the time and effort required, the report noted. On average, assessment efforts are reduced by nearly half, with the vast majority of CISOs reporting meaningful time savings. And, the report said, AI-driven automation not only streamlines these processes, but it also frees up resources for higher-value tasks. That makes it an indispensable tool in modern TPCRM, Achanta said.

The survey findings show that using AI for vendor evaluations can drastically cut down the time and effort needed for assessments by about 44%, which is significant. This means vendors must no longer spend hours filling out forms, and security teams can skip the tedious process of manually checking every vendor for major risks, saving time and work for other mission-critical tasks.

Aparna Achanta

6. Governance, risk, and compliance falls short on TPCRM

Although widely used, governance, risk, and compliance (GRC) platforms often fail to fully address the complexities of TPCRM, the report noted. While 27% of CISOs rely on GRC platforms as their primary solution, more than half say that these tools represent third-party risks either somewhat, minimally, or inaccurately. This highlights the need for more specialized solutions to improve visibility and risk management, the report added.

Janssen-Anessi said that given the limitations of current GRC platforms, there is a pressing need for more specialized solutions to address TPCRM.

Industry-specific tools could possibly effectively tackle unique risk factors by tailoring their features to the specific needs and challenges of different sectors. For instance, health care organizations might benefit from solutions that focus on patient data protection and regulatory compliance, while financial institutions may require tools that emphasize fraud detection and transaction security.

Lorri Janssen-Anessi

Piyush Pandey, CEO of Pathlock, said that with the increase in regulatory and security requirements, GRC data volumes will continue to grow at what will eventually be an unmanageable rate. "Because of this, AI and ML will increasingly be used to identify real-time trends, automate compliance processes, and predict risks," he said.

Continuous, automated monitoring of compliance posture using AI can, and will, drastically reduce manual efforts and errors. More granular, sophisticated risk assessments will be available via ML algorithms, which can process vast amounts of data to identify subtle risk patterns, offering a more predictive approach to reducing risk and financial losses.

Piyush Pandey

Key components of effective TPCRM

A recent Gartner report noted that successful TPCRM depends on a security organization’s ability to influence overall business decision making and to deliver on three outcomes: resource efficiency, risk management, and resilience. However, the report says that enterprises struggle to be effective in two out of those three outcomes and that only 6% of organizations are effective in all three.

Gartner recommends four actions that security and risk management leaders should take to increase the effectiveness of their TPCRM programs, adding that organizations that have implemented any of the following actions saw a 40% to 50% increase in TPCRM effectiveness:

• Regularly review how effectively third-party risks are communicated to the business owner of the third-party relationship. CISOs need to regularly review how well the business understands their messaging around third-party risks to ensure they are providing actionable insights around those risks.
  
• Track third-party contract decisions to help manage risk acceptance by business owners. Business owners will often choose to engage with a third party even if they are well informed about associated cybersecurity risks. Tracking decisions helps security teams align compensating controls for risk acceptances and alerts security teams to particularly risky business owners that may require greater cybersecurity oversight.
  
• Conduct third-party incident response planning, such as playbooks and tabletop exercises. Effective TPCRM goes beyond identifying and reporting cybersecurity risks. CISOs must ensure that the organization has strong contingency plans in place to prepare for unexpected scenarios and to be able to recover well in the wake of an incident.
  
• Work with critical third parties to mature their security risk management practices as necessary. In a hyperconnected environment, a critical third party’s risk is also an organization’s risk. Partnering with critical third parties to improve their security risk management practices helps promote transparency and collaboration.

Charlie Jones, director of product management at ReversingLabs, said that far too often organizations make the mistake of building a one-size-fits-all program to monitor third parties.

Although this may make it easy to compare the security posture of one-third party to another — an apples-to-apples comparison — it overlooks the uniqueness of the relationship, product, or service that is provided that contributes to its risk profile.

Charles Jones

Jones said one-size-fits-all programs could be detrimental to the comparison of the security maturity of two third parties that are inherently different because "it may negatively influence procurement decisions if the comparison is built off a correlation with no significance."