Third-party cybersecurity incidents are on the rise, but organizations face challenges in mitigating risks arising from the software supply chain, a survey of 200 chief information security officers (CISOs) has found.
The survey, from the security firm Panorays, found that more than nine out of 10 CISOs reported an increase in third-party cybersecurity incidents in 2024. Nearly three-quarters of them experienced a moderate increase in incidents, and nearly one-quarter encountered a significant escalation of events.
Panorays CEO Matan Or-El said in a statement:
This year’s survey reveals a troubling story. Third-party risks are growing faster than the resources organizations have to address them. As supply chains become more complex and interconnected, the need for smarter, AI-driven solutions is no longer optional, it’s critical for businesses to stay secure.
Here are six key lessons from the "2025 CISO Survey for Third-Party Cyber Risk Management" report.
The survey found that only 3% of the surveyed organizations have full insight across their entire supply chain (including fourth-party suppliers and beyond), and 33% could see only as far as third parties. "This lack of comprehensive oversight leaves organizations unable to identify and address vulnerabilities effectively, increasing their risk of breaches," the report said.
Mike McGuire, senior security solutions manager at Black Duck Software, said the most significant takeaway from the report is that, on the software side of third-party risk, blind spots are prevalent when it comes to open-source dependency management. "We’ve stressed for some time the importance of eliminating these blind spots," he said.
Parth Patel, chief product officer and co-founder of Kusari, said traditional third-party cyber-risk management (TPCRM) hasn’t kept pace with the complexity and speed at which modern software is developed, particularly when open-source dependencies are involved.
Parth Patel: [TPCRM] efforts often overlook the complexities of open-source software, treating it the same as commercial software. But unlike proprietary software, open-source components are maintained by distributed communities, meaning organizations may not have a direct relationship with the vendor.
Without proper governance and visibility, dependencies can introduce risks that may not be immediately apparent to security teams or business leaders, Patel said. "Many organizations only focus on direct dependencies but fail to track transitive dependencies — indirectly pulled-in software that can introduce vulnerabilities outside their control," he said.
Georgia Cooke, a digital security analyst with ABI Research, said there are myriad factors contributing to the lack of visibility into the software supply chains, but the core problem is cost — and responsibility for that cost.
Georgia Cooke: It’s often remarked that while many would love full visibility, they’re not willing to pay for it. Supply chain security is a matter of increasing prominence in regulation, but until robust, cohesive requirements are in place across all industries, it is likely that other problems will take greater priority.
The widespread resource shortage leaves organizations unable to address critical vulnerabilities, significantly increasing their exposure to risk, the report noted. To minimize potential losses from breaches, it recommended investing in efficient tools and processes to resolve software risk at scale.
Amit Zimerman, co-founder and chief product officer at Oasis Security, said the critical concern today stems from third-party, open-source dependencies.
Amit Zimerman: A key issue is the extended remediation timeline for third-party flaws, which poses a growing risk as these vulnerabilities can remain unaddressed for prolonged periods.
To mitigate those risks, Zimerman recommends that organizations adopt a proactive approach that includes regular dependency scanning and prioritizes fixes based on their potential impact.
Aparna Achanta, principal lead for IBM and a member of ISACA's Emerging Trends Working Group, said understaffed security teams are struggling to keep up with the increasing number of third-party risks that need attention.
Aparna Achanta: Interestingly, 29% of CISOs in this survey mention they are struggling with other priorities, leading to the neglect of third-party vulnerabilities in their organization’s security strategy.
Many business executives do not understand the risks, which limits funding and support for TPCRM initiatives, the report explained. It asserted that closing that executive awareness gap is essential to aligning organizational priorities and implementing effective risk-mitigation strategies, ultimately reducing long-term costs.
Frank Balonis, CISO of Kiteworks, said that one key risk to the enterprise, data loss, can get the attention of leadership.
Frank Balonis: Nothing can kill a company quicker than a loss of data. If your leadership understands that, your board understands that, it makes things a lot easier to enhance and continue to mature a program to understand third-party risk.
IBM's Achanta said it's crucial for CISOs to use hard numbers to demonstrate the disastrous consequences of third-party risks in terms of financial loss, reputation damage, downtime, data breaches, and fines due to noncompliance with standards such as HIPAA, GDPR, and FedRAMP.
About one-quarter of CISOs in the survey said they rely on AI automation for vendor assessments. An additional 69% plan to adopt it within the next year. This reflects a growing recognition of AI's ability to enhance efficiency and scalability, equipping organizations to manage the complexities of modern supply chains, the report noted.
Lorri Janssen-Anessi, director for external cybersecurity assessments at BlueVoyant, said AI automation is revolutionizing third-party risk management by enabling organizations to swiftly and effectively manage risks within their supply chains.
Lorri Janssen-Anessi: There are AI-driven platforms that can analyze vast amounts of unstructured data from vendors, suppliers, and service providers in seconds, rather than months. This rapid analysis allows organizations to identify noncompliant vendors and recommend remediation actions before adverse events occur.
AI automation is proving to be a game changer for vendor assessments, significantly reducing the time and effort required, the report noted. On average, assessment efforts are reduced by nearly half, with the vast majority of CISOs reporting meaningful time savings. And, the report said, AI-driven automation not only streamlines these processes, but it also frees up resources for higher-value tasks. That makes it an indispensable tool in modern TPCRM, Achanta said.
Aparna Achanta: The survey findings show that using AI for vendor evaluations can drastically cut down the time and effort needed for assessments by about 44%, which is significant. This means vendors must no longer spend hours filling out forms, and security teams can skip the tedious process of manually checking every vendor for major risks, saving time and work for other mission-critical tasks.
Although widely used, governance, risk, and compliance (GRC) platforms often fail to fully address the complexities of TPCRM, the report noted. While 27% of CISOs rely on GRC platforms as their primary solution, more than half say that these tools represent third-party risks either somewhat, minimally, or inaccurately. This highlights the need for more specialized solutions to improve visibility and risk management, the report added.
Janssen-Anessi said that given the limitations of current GRC platforms, there is a pressing need for more specialized solutions to address TPCRM.
Lorri Janssen-Anessi: Industry-specific tools could possibly effectively tackle unique risk factors by tailoring their features to the specific needs and challenges of different sectors. For instance, health care organizations might benefit from solutions that focus on patient data protection and regulatory compliance, while financial institutions may require tools that emphasize fraud detection and transaction security.
Piyush Pandey, CEO of Pathlock, said that with the increase in regulatory and security requirements, GRC data volumes will continue to grow at what will eventually be an unmanageable rate. "Because of this, AI and ML will increasingly be used to identify real-time trends, automate compliance processes, and predict risks," he said.
Piyush Pandey: Continuous, automated monitoring of compliance posture using AI can, and will, drastically reduce manual efforts and errors. More granular, sophisticated risk assessments will be available via ML algorithms, which can process vast amounts of data to identify subtle risk patterns, offering a more predictive approach to reducing risk and financial losses.
A recent Gartner report noted that successful TPCRM depends on a security organization’s ability to influence overall business decision making and to deliver on three outcomes: resource efficiency, risk management, and resilience. However, the report says that enterprises struggle to be effective in two out of those three outcomes and that only 6% of organizations are effective in all three.
Gartner recommends four actions that security and risk management leaders should take to increase the effectiveness of their TPCRM programs, adding that organizations that have implemented any of the following actions saw a 40% to 50% increase in TPCRM effectiveness:
Charlie Jones, director of product management at ReversingLabs, said that far too often organizations make the mistake of building a one-size-fits-all program to monitor third parties.
Charles Jones: Although this may make it easy to compare the security posture of one third party to another — an apples-to-apples comparison — it overlooks the uniqueness of the relationship, product, or service that is provided that contributes to its risk profile.
Jones said one-size-fits-all programs could be detrimental to the comparison of the security maturity of two third parties that are inherently different because "it may negatively influence procurement decisions if the comparison is built off a correlation with no significance."