Cyber threats & CISOs

94% of CISOs worried with third-party cyber threats : study


New York, USA: As many as 94% of CISOs are concerned about third-party cyber threats, but only 3% have already implemented security measures to address them, according to the latest 2024 CISO Survey.

The 2024 CISO Survey of 200 CISOs aims to gauge their sentiments around third-party security management, AI-driven solutions, and the challenges they are facing this year. Panorays, a third-party security risk management software provider, conducted the survey.

94% of CISOs worried

While 94% of CISOs are concerned about third-party cybersecurity threats – including 17% who view them as a top priority – only 3% have already implemented a third-party cyber risk management solution at their organisations. A further 33% of CISOs plan to implement one this year.

In 2024, 65% of CISOs expect their third-party cyber risk management budget to increase, according to the survey. Of those respondents, 40% said it would increase by 1-10% this year.

Third-party Cybersecurity Vulnerabilities

“CISOs understand the threat of third-party cybersecurity vulnerabilities, but a gap exists between this awareness and implementing proactive measures,” said Matan Or-El, Founder and CEO of Panorays.

“Empowering CISOs to swiftly fortify defenses by analyzing and addressing gaps is crucial in navigating the current cyber landscape. After all, with the speed of AI development, bad actors will continue to leverage this technology for data breaches, operational disruptions, and more,” added Or-El.

The State of Third-party Security Management

CISOs at very large enterprises are more concerned about third-party cybersecurity threats (73%) than those at mid-size enterprises (47%). Only 7% of CISOs said they were not concerned at all. Of the respondents, 34% are currently implementing a third-party cyber risk management solution and 26% plan to implement a new solution in 2025 or later.

A further 4% of CISOs said it was not a priority, and 3% had never even heard of a third-party cyber risk management solution. So while CISOs see the value of such solutions, widespread adoption remains low.

Within their organisations, 54% of respondents said third-party risk was managed by IT, risk, operations or privacy teams, 36% said it was managed by back-office teams (legal, finance and procurement), and 10% outsourced it to external service providers. Among respondents, 79% said the team responsible for third-party cyber risk management was 6 to 20 people, and 5% said it was more than 20.

Implementing AI Solutions

CISOs remain confident that AI solutions can improve third-party security management. Of the respondents, 80% said AI-driven solutions can prevent a significant number of breaches. To reduce third-party threats, CISOs rely on a combination of tools. Among the security options offered, CISOs rated cyber questionnaires for third parties (73%), compliance management tools (70%) and API monitoring of third parties in the supply chain (68%) as the most effective.

CISOs also believe that AI solutions are instrumental in safeguarding organisations. The respondents highlighted the effectiveness of AI-driven solutions in enhancing third-party security programs, with key priorities including:

  • 23% focus on improving supply chain discovery by mapping all 3rd, 4th, and Nth parties
  • 21% aim to enhance asset discovery of third parties, reducing false positives and false negatives
  • 17% prioritise the automatic mapping and classification of third parties based on business criticality
  • 17% streamline cybersecurity processes by automatically completing questionnaires
  • 15% aim to increase assessment accuracy through AI-based validation
  • 8% focus on predicting third-party breaches

Prioritising Third-party Security Management This Year

The top challenge CISOs foresee in 2024 for third-party risk management is complying with new regulations governing third-party risk (20%). Other challenges included:

  • Communicating the business impact of third-party risk management: 19%
  • Insufficient resources to manage risk across a growing supply chain: 18%
  • Increasing AI-driven breaches involving third parties: 17%
  • No visibility into shadow IT usage within their company: 16%
  • Prioritising risk assessment efforts based on risk criticality: 10%

When choosing a third-party cyber risk management solution, CISOs expect one with a broad range of capabilities in order to get the most out of it.

In the study, 44% of CISOs said risk quantification (expressing third-party cyber risk exposure in dollar values) is a very important capability. Suggested remediation actions for gaps or emerging threats (40%), threat intelligence (39%) and integration with other systems (38%) also emerged as important factors in choosing a third-party cyber risk management solution.

“In 2024, confronting regulatory changes and escalating third-party cyber risks is paramount. Despite resource constraints and rising AI-related breaches, increased budget allocation towards cyber risk management is a positive step in the right direction,” concluded Or-El.