Organizations depend on long chains of vendors, but many cybersecurity professionals say these relationships create gaps they cannot see or control. A new ISC2 survey of more than 1,000 cybersecurity professionals shows that supply chain risk sits near the top of their concerns.
70% of respondents said their organizations are concerned about cybersecurity risks linked to third-party suppliers. Concern is highest in enterprise environments and in sectors that handle financial or government data.
Vendor ecosystems continue to expand as organizations adopt new tools and services. Each integration adds potential exposure, and many security teams struggle to understand the deeper layers of these networks.
What drives the concern
Concern rises among organizations that have experienced a vendor-related security incident. Nearly one in three respondents reported such an incident within the past two years, with higher rates in large enterprises and financial services.
47% of respondents said their organizations did not feel a direct impact after a supplier experienced a cybersecurity issue. Even so, these events raise questions about continuity, vendor communication and the accuracy of vendor security claims.
Organizations that sell software or digital services show more concern than those outside that space. In financial services and in military contractor environments, more than 80% of respondents report high concern.
Visibility remains the weak link
Respondents pointed to lack of visibility as the biggest challenge. Security teams often do not know which subcontractors support their vendors or what controls those subcontractors maintain. Several respondents said they rely on trust without verification because vendors provide limited insight into their practices.
Some vendors share information only during onboarding. If that information is not updated, customers may rely on outdated assumptions and miss changes in risk posture.
Threats that stand out
Data breaches ranked as the most disruptive supply chain threat, cited by 64% of respondents. Malware and ransomware followed. Vulnerabilities in supplier software also ranked high. Unauthorized access through third-party credentials and limited visibility into vendor controls continue to cause concern. Insider threats within vendor organizations add further risk.
These findings show a pattern in which attackers target weaker controls in vendor networks to bypass stronger defenses in customer environments.
How organizations are responding
Organizations struggle to understand the risk that vendors and their subcontractors introduce. Many turn to risk assessments and supplier reviews to get basic visibility into security practices. These checks often occur during onboarding and at planned points in the vendor relationship. They help teams confirm whether required controls remain in place.
Organizations review supplier security practices on different schedules, but many do not check often enough. Some conduct a review only during onboarding, which can leave gaps for years. When that happens, customers may rely on outdated information and miss changes in a vendor’s security posture.
Procurement teams also set control requirements. Compliance with standards such as ISO 27001, SOC 2 and NIST frameworks is the top requirement. Security audits and attestations follow. Many organizations require MFA, secure access practices and incident reporting procedures. Only a small share of respondents said their organizations have no control requirements.
Mixed maturity across supply chain risk programs
Setting controls at the start of a vendor relationship matters, but it does not replace ongoing oversight. Organizations vary widely in how they handle this work. Some have formal programs that guide assessments and decisions. Others rely on contract terms or address risks only when they arise. Some still lack a defined process and are working to build one. These differences show how uneven supply chain risk management remains across industries.
Most respondents who work for supplier organizations said their firms have incident response plans and communication procedures that follow established standards and regulatory expectations. Still, not every vendor has a documented process, and some staff are unsure whether one exists, which creates uncertainty for customers who depend on timely updates during an incident.