CISOs Reveal Third-Party Risk Management Gaps

Summary

– Third-party cyber risk is a top concern for CISOs due to expanding vendor ecosystems and supply chains, which increase the organizational attack surface.
– Reported incidents are rising and often originate from deeper supply chain layers (fourth parties or beyond), where visibility and oversight are typically weak.
– Most organizations lack comprehensive visibility into their extended supply chains, complicating incident response, risk prioritization, and compliance.
– Regulatory pressure on third-party risk oversight is increasing, but most organizations are not fully prepared to meet these requirements.
– While AI vendors present distinct risks, dedicated onboarding processes for them are limited, though AI tools are increasingly used to manage vendor risk itself.

Third-party cyber risk remains a top-tier threat for security leaders, driven by expanding digital ecosystems, intricate supply chains, and the rapid integration of artificial intelligence. A recent survey of Chief Information Security Officers reveals that while incidents are climbing and regulatory pressure intensifies, most organizations still lack the visibility and resources needed to manage exposure effectively. The challenge extends far beyond direct vendors, creating significant gaps in oversight and response capabilities.

Security executives consistently rank third-party risk among their most impactful concerns. Modern business operations depend on a web of vendor relationships that handle everything from cloud storage and software development to data analytics and AI services. Every new dependency widens the organizational attack surface, multiplying the number of external parties entrusted with protecting sensitive systems and information. Leaders now recognize this exposure as a fundamental business continuity issue, where a failure at an external partner can cripple internal operations.

Reported security incidents linked to vendors have increased over the past year. These events frequently originate not just from direct suppliers but from deeper within the supply chain, involving fourth-party subcontractors or more distant affiliates. This trend highlights how attacks propagate through layered networks. Many companies concentrate their oversight efforts on immediate vendors, leaving less visible downstream connections poorly monitored. Attackers exploit these weaker links where accountability often fades.

A critical finding is that very few organizations possess clear visibility into their entire third-, fourth-, and nth-party relationships. Most operate with only partial insight, limited to direct vendors or a narrow slice of their extended supply chain. CISOs report that this limited view severely hampers incident response, makes risk prioritization difficult, and complicates compliance efforts. When a breach occurs several layers removed from a known partner, security teams can struggle to assess their own exposure, understand the timeline, and gauge the full downstream impact.

Regulatory expectations are now rising faster than many organizations can adapt. New frameworks demand that companies demonstrate thorough oversight across their entire vendor ecosystem, including indirect relationships. Only a minority of surveyed CISOs feel their programs are ready to meet these upcoming requirements without significant overhaul. Most acknowledge that work is in progress but note that further alignment of processes, tools, and internal coordination is urgently needed. Effective third-party risk management now requires tight collaboration between security, legal, procurement, compliance, and executive leadership.

Commonly used tools are often inadequate for the task. While governance, risk, and compliance platforms help with reporting and audit trails, CISOs say they frequently fail to capture the dynamic, real-time nature of risk across complex supply chains. Traditional security questionnaires suffer from similar shortcomings; they are often static snapshots that miss critical changes occurring between annual reviews. As the number of vendors grows into the thousands, reliance on manual, periodic assessments places immense strain on security teams and increases the odds that emerging threats will slip through the cracks.

The adoption of artificial intelligence introduces a new dimension to vendor risk. CISOs identify AI service providers as presenting a distinct risk profile, citing concerns over opaque data handling practices, limited model transparency, and the potential for unpredictable system behavior. Despite this awareness, many companies still onboard AI vendors using standard third-party processes, with dedicated policies for AI procurement remaining uncommon, especially at smaller firms. Concurrently, AI is becoming a tool for managing vendor risk itself, with organizations deploying AI-driven solutions to automate assessments and continuous monitoring, freeing analysts to focus on high-priority findings.

A stark preparedness gap exists in incident response. Only a small fraction of organizations have a comprehensive and tested plan specifically for breaches originating from a third party. Most either have limited plans or are still developing them. CISOs directly link this shortfall to longer containment times and greater operational disruption when vendor incidents occur. While larger enterprises generally report higher levels of readiness, effective response planning remains inconsistent across organizations of all sizes.

(Source: HelpNet Security)