Supply Chain Cybersecurity: Risks & Solutions

According to a recent ISC2 survey, organizations of different sizes and industries have limited visibility into their extensive networks of third-party providers and partners.

Due to the increasing importance of cybersecurity in the supply chain, ISC2 conducted a global survey of 1,062 cybersecurity professionals. The aim was to assess the current status of this pressing issue and its impact on cybersecurity.

Supply chain security concerns

In the survey, 70 percent said their organizations are very or extremely concerned about cybersecurity risks in their supply chains. Organizations that have experienced a cybersecurity incident from a third-party provider or supplier are significantly more likely to report high levels of concern (75 percent).

The results also show that 28 percent of respondents have experienced a third-party cybersecurity incident in the last two years. However, not every incident at a third party has a direct impact on the organization itself: 47 percent of participants said their organizations were not directly affected when one of their suppliers experienced a cybersecurity incident.

[ISC2 SCR Survey Chart 1] (Source: ISC2)

Supply chain security challenges

When asked about the biggest challenges in securing the supply chain against cyber threats, the lack of visibility into or control over suppliers dominated. Many respondents are also concerned about the complexity of their supply chains, noting that they do not know who all of their suppliers are or where all possible entry points lie.

Respondents also confirmed that threats to the supply chain do not necessarily only come from outside. 29 percent rate insider threats from external service providers as disruptive for their organizations.


Minimizing risk for the supply chain

One of the biggest challenges companies face with their supply chains is the lack of information about the inherent risk that a supplier or chain of suppliers poses. To mitigate this risk, a large number of organizations (70 percent) carry out risk assessments on a regular basis, for example at the time of contract renewal or annually. Additionally, 49 percent of organizations closely scrutinize their suppliers during initial assessment or onboarding, 26 percent during incidents, and 25 percent when monitoring tools alert them to a threat.

[ISC2 SCR Survey Chart 3] (Source: ISC2)

Active supply chain risk management

The organizations surveyed take different approaches to supply chain risk management. 54 percent say their organization has a dedicated risk management program. This percentage rises significantly to 70 percent for large companies. However, many organizations pursue supply chain risk management less formally or, surprisingly, not at all. Around 20 percent rely on contracts or service level agreements (SLAs), and 16 percent treat risks on a case-by-case basis. Additionally, 10 percent do not have a formal program or dedicated approach to managing supply chain risk – although 8 percent of these respondents are currently developing one.

[ISC2 SCR Survey Chart 5] (Source: ISC2)

5 recommendations for more security in the supply chain

It is the responsibility of cybersecurity teams to prioritize supply chain protection. The top five pieces of advice for organizations and cybersecurity professionals are:

  • Third-party risk assessments: As the software supply chain becomes increasingly important to organizations, third-party risk assessments are common practice to identify potential security issues. These assessments often include vulnerability scans and misconfiguration checks.
  • Risk management of critical infrastructure: Attacks on critical infrastructure (CI) can have a significant impact on public safety – with knock-on effects on other CI sectors because supply chains are tightly interconnected. Prioritizing CI supply chain security through formal onboarding and ongoing assessments is essential.
  • Zero trust architecture: Security doesn’t just mean guarding the perimeter; it’s about having security protocols on every flank. A Zero Trust approach provides constant assurance that everyone is where they need to be and can only access what they need and are authorized to do – from on-premises to the cloud.
  • Supplier contract checks: Reviewing and evaluating supplier contracts is an important task for cybersecurity teams and budget holders. As an important supply chain stress test, this provides an opportunity to identify and address weaknesses and changing needs. A good contract with clear deliverables and expectations is part of a cybersecurity strategy, alongside people and technology.
  • Cybersecurity skills development: Cybersecurity governance, risk and compliance (GRC) professionals who use frameworks to integrate security and privacy into organizational objectives can look to professional certifications such as ISC2’s CGRC. This enables all stakeholders in the organization to make informed decisions about data security, compliance, supply chain risk management and more.

(cm/ISC2)

About the survey
The online survey was conducted among 1,062 respondents who work in a position with cybersecurity responsibilities. Respondents worked in organizations of various sizes: small (1–499 employees), medium (500–2,499 employees), large (2,500–4,999 employees), and enterprise (5,000+ employees). The data was collected from August 12 to 28, 2025.
