6 best practices for third-party risk management


CISOs have good reason to rank third-party risk as a top concern: their organizations engage with a growing number of third parties providing an ever-expanding range of services. While reputable providers certainly prioritize security, bringing products developed outside a business inside the company perimeter increases the chance of importing a threat. “Third-party risk is a major threat because it only takes one partner with poor security to put your own company at risk — and as a CISO, you own that risk,” says cybersecurity consultant Gerald Auger, a faculty member at The Citadel military college.

Recent research helps quantify the security threats that CISOs and their organizations face from third parties. For example, a 2023 RSA Conference report found that 87% of the responding CISOs had been affected by a significant cyber incident that originated at a third party in the preceding 12 months. A 2022 study from SecurityScorecard and the research firm Cyentia Institute reported that 98% of organizations had vendor relationships with at least one third party that had experienced a breach in the prior two years.

Third-party risk tops the threat lists of many…
