Software supply chain attacks on open-source software (OSS) platforms have dominated the threat landscape in recent years. These incidents can be catastrophic and far reaching, as was the case for the registry-native Shai-hulud worm that took npm by storm twice in 2025.
A lot of focus in recent years has been on OSS threats — and more recently, AI coding. Now Gartner is calling attention to an equally pressing supply chain attack vector: enterprise procurement of commercial software products. "The Gartner CISO Playbook for Commercial Software Risk" addresses this gap:
Risk is not limited to OSS; the processes vendors use to build and deliver software are equally important. High-profile breaches, such as SolarWinds (2020) and 3CX (2023), exploited weaknesses in supplier development and infrastructure, underscoring the need for comprehensive supply chain oversight.
Here are the key takeaways from this new Gartner report that CISOs and other security leaders should take into account for their 2026 third-party cyber risk management (TPCRM) strategies.
Gartner notes: “Commercial software supply chains expose organizations to a growing and complex set of risks, as attackers increasingly exploit vulnerable components and insecure vendor development practices.” But security leaders — and those at the executive level of enterprises — are waking up to the severity of the threats posed to the procurement of commercial software.
This new awareness of commercial software risk follows recent trends showing how breaches happen, as well as the material impact of such breaches. Gartner cites the 2026 Gartner Board of Directors Survey, which found that more than 90% of non-executive directors view cyber risk as a threat to shareholder value, and they expect cyber threats to continue to grow over the next two years.
This coincides with Verizon’s 2025 Data Breach Investigations Report (DBIR), which cites a 100% year-over-year increase in breaches linked to third parties. In addition, IBM found recently that the average breach cost has skyrocketed to $10.2 million in the U.S.
Gartner says that commercial software risk must be treated with “urgency,” which is why software supply chain security must be integrated into TPCRM processes.
While the challenge of commercial software risk is apparent to the right stakeholders, existing processes and tooling for enterprise software procurement are not fit for tackling this threat landscape. As Gartner notes in this report:
Typical third-party risk management often overlooks software and software supply chain security (SSCS), leaving organizations blind to these risks, hindering vulnerability management, incident response, and accurate risk measurement.
TPCRM, a subset of third-party risk management (TPRM), is the correct vehicle for enabling software supply chain security for commercial products, since many enterprises already have security schedules or supplier security agreements in place when signing or renewing software contracts, the report notes. However, Gartner writes: “The software covered by these contracts is often overlooked, resulting in critical blind spots.”
While these blind spots pose significant software supply chain risks, there is reason for optimism: enterprise software procurement processes are a key lever for CISOs, because they “offer strategic leverage points to close these visibility gaps” – allowing enterprises to demand comprehensive security from software vendors. Using this leverage to cybersecurity’s advantage, however, requires building enterprise governance around it.
The intelligence that comes with software supply chain security tools is essential for mitigating risks stemming from commercial software products, but such insights cannot be siloed from existing TPCRM processes. Rather, software supply chain security must be directly integrated into TPCRM, the Gartner report notes:
By embedding SSCS into TPCRM, organizations empower procurement, legal, and business partners with risk insights, while equipping security operations teams to prevent, detect, and respond to emerging supply chain threats.
However, operationalizing software supply chain security within TPCRM is not a one-size-fits-all exercise. To address this challenge properly, Gartner says security leaders need to establish “clear governance expectations that align with enterprise risk tolerance.” By defining organizational standards for software supply chain security, and mapping the required controls to third-party criticality assessments (TPCAs), CISOs can address the varying levels of commercial software risk with confidence.
Such assessments should be based on software supply chain security tooling that evaluates “both the software components and the security of the development practices followed to create it,” the report notes.
To carry this out, Gartner identifies required security controls and processes for effectively managing commercial software risk:
The above security measures should provide the risk scoring CISOs need “to inform procurement decisions and determine appropriate implementation controls,” Gartner notes.
This new Gartner report positions software supply chain security — and, in particular, binary composition analysis — as key to TPCRM, allowing organizations to successfully mitigate and thwart commercial software supply chain breaches. Read "The Gartner CISO Playbook for Commercial Software Risk" in full to get a comprehensive picture of how CISOs should best lead enterprise governance for mitigating commercial software risks. The report’s “Success Measures” section also offers KPIs to measure success.
Learn how RL can help your organization carry out secure software onboarding.
Gartner, The CISO’s Playbook for Commercial Software Supply Chain Security, 11 November 2025, Jason Gross
Gartner is a trademark of Gartner, Inc., and/or its affiliates.