Enterprise Chief Information Security Officers are acutely aware of the need to prevent third-party software vulnerabilities from exposing mission critical data, but a new report has found that most have little inkling of the scope of threats they’re facing.
That’s one of the primary takeaways of the new “CISO Survey for Third-Party Cyber Risk Management” report by Panorays, which found that just 15% of the 200 CISOs it surveyed have “full visibility” into their third-party threat exposure. The rest are effectively operating in the dark, which means their organizations are at risk of suffering a serious cybersecurity breach or compliance violation.
The 2026 edition of the Panorays study comes at a time when enterprises have become increasingly dependent on an expanding ecosystem of software vendors and service providers. These relationships span everything from authentication and invoicing to customer engagement and data storage, but while they’re essential, each new connection expands the potential attack surface.
Bad actors know this. Third-party software breaches have become a favored attack vector for cybercriminals who understand that vulnerabilities in external vendors often go unseen by the organizations that depend on them. As organizations increase their reliance on third parties, the risk of such breaches grows with it. For CISOs, this means their jobs are getting harder than ever, with effective risk management for software supply chains becoming an essential yet seemingly impossible task.
Panorays’ report found that 83% of CISOs have either “moderate” or “limited” visibility into potential software supply chain threats, meaning they generally only have insights into the direct third parties they rely on. But the problem is that software supply chains don’t stop there – they go much deeper.
Most software vendors are themselves reliant on dozens of other software suppliers, and in turn, many of those fourth-parties are reliant on fifth-parties, and then sixth parties, and so on. Software supply chains today are a tangled web of interconnected vendors, and if a single one is breached, it could potentially impact all of those reliant on it. In other words, organizations are exposed to an almost incomprehensible attack surface.
Yet the majority of businesses don’t have any visibility into these extended supply chains. Panorays found that just 41% of CISOs actively monitor fourth-parties for cyber risks, and that number declines to just 13% for nth-party vendors. In other words, while many organizations monitor their immediate suppliers, they rarely go beyond that, making deep supply chain providers prime targets for exploitation.
As a result, when cyber incidents occur deep in the supply chain, organizations often learn of them late, if at all. That’s evident from the survey responses, which found that 50% of today’s partner-based security breaches originate with fourth or nth parties and other external relationships, such as contractors and affiliates.
For many organizations, the lack of visibility puts them at risk of more than just a security breach, because regulators are adding a new dimension to their compliance obligations.
In the EU, for example, the Digital Operational Resilience Act (DORA) is a direct response to growing third-party supplier risks. The act explicitly requires financial entities to manage information and communications technology (ICT) risk across their entire supply chain, including both their direct ICT providers and the subcontractors those providers rely on.
Meanwhile, the U.S. SEC’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules require registrants to describe how they assess and oversee cybersecurity risks, including those arising from their use of third-party service providers.
At present, most organizations fall short of meeting these obligations. Panorays found that just 22% of CISOs say their organizations are fully prepared for these compliance requirements. Another 61% said they’re “mostly prepared,” while 17% admitted to being just “somewhat prepared.”
While it’s tempting to read the “mostly prepared” figure as progress, the stark reality is that 78% still acknowledge compliance gaps of some kind, and those gaps can lead to financial penalties and reputational damage if nothing is done about them.
With attackers coming up with more inventive ways to exploit the hidden vulnerabilities in software supply chains and global regulators raising the bar for due diligence, CISOs are under immense pressure to act.
Third-party vulnerabilities are not just a hypothetical risk. They account for a growing share of security breaches, and attackers keep adapting their techniques to exploit them. Cybercriminals know they can potentially compromise entire industries by breaching a single widely used vendor.
CISOs might be able to outsource some security services, but they cannot do the same for responsibility. Managing third-party risk has become a top priority, and that means finding a way to extend supply chain visibility deeper than ever before.