
Third-party cyber risk continues to dominate CISO agendas, and the stakes are only getting higher. The evolving cyber landscape, marked by sophisticated supply chain attacks and increased regulatory scrutiny, demands a renewed focus on securing external ecosystems. But are current strategies truly effective? Many organizations find themselves wrestling with the complexities of managing risk across an ever-expanding network of vendors. Our 2025 CISO Survey, conducted with 200 CISOs across a diverse range of industries, seeks to unpack the challenges and opportunities facing cybersecurity leaders today.
This survey dives into the critical issue of third-party cybersecurity, exploring the strategies, concerns, and priorities of CISOs on the front lines. As cyber risks become increasingly sophisticated and interconnected, organizations are more vulnerable than ever to breaches originating from their vendors. A single weak link in the supply chain can expose sensitive data, disrupt operations, and damage reputation. In this evolving landscape, it’s crucial for CISOs to understand the emerging threats and adopt proactive measures to mitigate risk. The insights from this survey offer valuable benchmarks for organizations looking to strengthen their third-party security posture.
The survey reveals some surprising gaps in how organizations are managing third-party risk, suggesting that many CISOs might be missing the mark. But don’t worry, we’re not just pointing out the problems – we’re providing actionable insights and solutions to help you succeed.
Third-Party Cybersecurity Incidents are Increasing

Third-party cybersecurity incidents are surging, with 91% of CISOs reporting an increase in the past year. Despite this, visibility into supply chain security remains critically low—only 3% of organizations have full insight across their entire supply chain, leaving them vulnerable to hidden risks.
Unresolved vulnerabilities are a major contributor to this rise. Among organizations with over 51% of vulnerabilities unaddressed, 97% reported an increase in incidents. Even those with fewer than 25% unresolved still saw 86% experiencing more breaches. As third-party relationships grow, so do attack opportunities, making proactive risk management essential.
To reduce exposure, organizations must prioritize vendor security assessments, continuous monitoring, and rapid remediation. Strengthening third-party cyber risk management isn’t just an option—it’s a necessity in today’s evolving threat landscape.
Limited Visibility Across the Supply Chain

Supply chain visibility remains a significant challenge, with only 3% of organizations reporting full insight into their third, fourth, and nth-party relationships. Meanwhile, 39% acknowledge having only limited visibility, and 33% can monitor third parties but lack insight into deeper tiers. This blind spot leaves organizations vulnerable to hidden risks and emerging threats.
Larger companies face even greater difficulties. Among organizations with 1,000–4,999 employees, only 15% have visibility beyond third parties. This figure rises to 24% for companies with 5,000–9,999 employees and 36% for those with over 10,000 employees. As supply chains expand, maintaining oversight becomes increasingly complex, making it harder to detect and mitigate risks at deeper levels.
This lack of visibility significantly increases exposure to cyber threats. Without a clear understanding of vulnerabilities within their supply chain, organizations are unable to take proactive security measures. Given that 91% of CISOs have reported a rise in third-party cyber incidents, improving supply chain visibility must be a top priority. Businesses need to invest in continuous monitoring and risk assessment across all tiers to prevent threats from escalating beyond their control.
Executive Understanding and Prioritization

A lack of executive understanding of third-party cyber risks is a major barrier to securing funding and implementing proactive measures. Only 17% of organizations report that their leadership has a complete understanding of these risks, while 51% acknowledge limited awareness. This knowledge gap makes it difficult for CISOs to communicate the urgency of third-party cybersecurity, often leading to underinvestment in critical risk management strategies.
Despite this, third-party cyber risk management is gaining traction, with 60% of CISOs identifying it as a top or high priority. Among these organizations, 49% are already leveraging AI automation, while 66% plan to adopt AI-driven solutions in the near future. This shift highlights the growing recognition that AI can help manage the complexities of third-party risks more effectively.
To bridge the executive understanding gap, cybersecurity teams must align risk discussions with business priorities, emphasizing financial, operational, and reputational impacts. Organizations with informed leadership gain a competitive edge by securing necessary resources, prioritizing risk reduction, and integrating cybersecurity into broader business strategies. Strengthening communication between security teams and executives is essential for driving meaningful action and reducing third-party cyber risk.
Unresolved Third-Party Vulnerabilities Due to Budgetary Constraints

Despite the growing threat of third-party cyber risks, 81% of organizations report insufficient budgets to manage them effectively, leaving critical vulnerabilities unaddressed. This funding gap is largely due to a lack of executive awareness—without a clear understanding of the financial, operational, and reputational risks, leadership often deprioritizes investment in third-party cyber risk management.
The impact of these budgetary constraints is significant. Half of organizations fail to resolve 26% to 50% of identified vulnerabilities, and 98% leave at least 10% unaddressed due to insufficient resources. Without adequate funding, CISOs struggle to close security gaps, increasing the likelihood of third-party incidents.
Multiple challenges contribute to this issue, with 29% of CISOs citing limited time or competing priorities, 27% pointing to a lack of visibility into third-party risks, and another 27% struggling with executive or board support. This highlights a systemic problem that requires more than isolated fixes.
To bridge these gaps, organizations must align cybersecurity goals with business priorities, secure leadership buy-in, and invest in comprehensive solutions that enhance visibility, streamline processes, and centralize risk management. Without these measures, unresolved vulnerabilities will continue to threaten organizational security.
Why the Adoption of AI Automation Is Important for TPCRM

AI automation is transforming third-party cyber risk management (TPCRM), particularly in vendor assessments. With 94% of CISOs reporting a time savings of over 25%—and an average reduction of 44%—AI is proving to be a powerful tool in streamlining risk evaluation processes. By automating assessments, organizations can free up valuable resources to focus on higher-priority security initiatives.
Time and resource constraints remain major barriers to addressing third-party vulnerabilities, with 29% of CISOs citing limited time or competing priorities and 25% struggling with vendor relationship management. AI alleviates these challenges by enhancing efficiency, reducing manual workloads, and providing deeper risk insights.
Adoption of AI in TPCRM is rapidly increasing, with 27% of organizations already using AI automation and 69% planning to implement it within the next year. This shift highlights the growing recognition of AI’s role in managing the complexities of modern supply chains. As third-party risks continue to rise, organizations that integrate AI-driven solutions will gain a strategic advantage in mitigating threats, improving visibility, and optimizing cybersecurity efforts. The future of TPCRM lies in automation, enabling businesses to keep pace with an evolving threat landscape.
TPCRM Platform Effectiveness
Third-party cyber risk management (TPCRM) platforms have emerged as the most effective solution for managing third-party risks, with 45% of organizations relying on them as their primary tool. These platforms provide specialized capabilities designed to enhance visibility, streamline vendor assessments, and automate risk mitigation processes. In contrast, Governance, Risk, and Compliance (GRC) platforms, while useful for broader compliance needs, often fall short in addressing the complexities of third-party cyber risk. Their generalized approach lacks the depth needed for continuous monitoring, risk scoring, and real-time threat detection across third, fourth, and nth-party relationships.

Selecting the right tools is critical for an effective third-party risk management strategy. Purpose-built TPCRM platforms offer organizations a tailored approach, integrating AI-driven automation and deep visibility to proactively manage risks at scale. By leveraging dedicated TPCRM solutions, companies can move beyond reactive security measures, ensuring a more resilient and efficient approach to securing their supply chain.
As third-party risks continue to evolve, organizations must prioritize solutions that align with their cybersecurity needs. Investing in a TPCRM platform ensures businesses stay ahead of emerging threats, reduce vendor-related risks, and maintain compliance in an increasingly complex regulatory landscape.
Key Recommendations for Organizations
To effectively manage third-party cyber risks, organizations must take a proactive approach by enhancing visibility, leveraging automation, and aligning cybersecurity strategies with business priorities.
- Enhance Visibility – Limited insight into fourth and nth-party relationships leaves organizations vulnerable. Investing in tools that extend monitoring beyond direct vendors ensures a more comprehensive risk management strategy.
- Embrace AI Automation – AI-powered solutions streamline vendor assessments, reducing manual effort and improving efficiency. With an average 44% reduction in assessment time, AI helps organizations overcome resource constraints and scale their third-party risk management efforts.
- Educate Leadership – A lack of executive understanding often results in inadequate funding for cybersecurity initiatives. Demonstrating the financial, reputational, and operational impacts of third-party risks can help secure necessary resources and drive organizational buy-in.
- Adopt Purpose-Built Platforms – Generalized GRC platforms often fall short in addressing the complexities of third-party risk. Transitioning to dedicated TPCRM solutions ensures organizations have the right tools to continuously monitor, assess, and mitigate risks across the supply chain.
By implementing these strategies, businesses can strengthen their third-party risk posture, improve operational resilience, and stay ahead of evolving cyber threats. The full 2025 CISO Survey is packed with trends, analysis, and recommendations to help you stay ahead of evolving risks. Download the Full Survey Here.