We wanted to truly understand what’s happening with third-party cyber risk in organizations today. So to get the real story, we asked 200 CISOs to share their challenges, blind spots, and struggles – giving us an unfiltered look at how organizations are managing risks from third-party vendors, AI, and enterprise digital tools. The 2026 CISO Survey gathered insights from CISOs leading mid-to-large enterprises across the finance, healthcare, and technology sectors. The results, available in our full report, both confirmed existing realities and presented surprising new findings too.

Read on to discover some of the biggest challenges for CISOs in 2026.

Truth 1: We Can’t See Half of Our Attack Surface

You can’t protect what you can’t see. Sounds familiar, right? Yet, despite acknowledging the critical nature of the threat, 85% of CISOs surveyed admitted they do not have full visibility across their entire supply chain.

Our data shows that 50% of the incidents these CISOs faced originated beyond their direct third-party vendors, often stemming instead from fourth parties, nth parties, and other external affiliates.

The majority of organizations are not looking deep enough.

  • Only 41% monitor fourth parties.
  • Just 13% track nth-party vendors.

By failing to map the extended supply chain, organizations are effectively flying blind to where half their actual risk lies. Achieving true supply chain visibility requires moving beyond direct vendor relationships and mapping much deeper into their digital ecosystem.

Truth 2: Our Tools Are Failing Us

Security leaders are investing heavily in tools, but they aren’t seeing the return on investment.

While 61% of surveyed CISOs use Governance, Risk, and Compliance (GRC) platforms, a staggering 66% admitted these tools are only “somewhat effective” at accurately reflecting their risk. The tools built for compliance checklists are not keeping up with real-world threats.

The sentiment toward vendor risk assessment questionnaires is even worse. 71% of CISOs admitted that traditional questionnaires fall short in capturing real risk.

When risks lack actionable context, security teams often end up treating them all the same. This can overwhelm resources and force teams to rely on inefficient workarounds, making it difficult to focus on what truly matters. Unable to separate what demands attention from the noise, teams run a higher risk of leaving critical vulnerabilities unaddressed.

Truth 3: We Are Using AI, But We Don’t Know How to Secure It

CISOs are rushing to leverage AI to solve their own efficiency problems. Our survey revealed that 66% have already adopted AI solutions to streamline their risk assessments. However, securing the AI vendors themselves is a different story.

While 60% of CISOs view AI vendor risk as “uniquely risky” compared to traditional software providers, their onboarding processes do not reflect that caution.

  • 52% admitted they still use general-purpose onboarding processes for AI vendors.
  • Only 22% have developed a dedicated, documented policy for evaluating AI risk.

At the end of the day, treating an AI vendor like a standard SaaS provider is not wise. Effective third-party cyber risk management in the AI age requires specialized governance that accounts for model training data, privacy controls, and algorithmic transparency.

Truth 4: The Regulators Are Coming, and We Aren’t Ready

The regulatory landscape is heating up. 62% of CISOs reported an increase in regulatory pressure over the last 12 months, driven by frameworks like the SEC rules and imminent DORA compliance deadlines.

Despite the heat, only 22% feel “fully prepared” to meet these new requirements.

Perhaps the most alarming admission is the lack of a safety net. 79% of CISOs admitted they have limited or no formal incident response plan for third-party breaches. They know the risk is high, but they lack the operational playbook to handle a crisis when it hits.

Time for Change

The collective voice of these 200 CISOs is a wake-up call. The “blind spots” are too large, and the “compliance-first” tools are too slow to handle today’s threats. 

This year demands that security leaders move beyond static, manual questionnaires and limited supply chain visibility. The data proves that CISOs and security leaders need to embrace a critical shift toward full supply chain visibility (fourth/nth party), AI-driven automation, and specialized, context-driven governance across their vendors.

Download the full 2026 CISO Survey to see more of the survey findings, benchmark your organization against your peers, and learn how to future-proof your third-party cyber risk management strategy.