
Navigating the Cybersecurity Conundrum: A Look at a 2024 CISO Survey and Third Party Threats

In the digital labyrinth where Chief Information Security Officers (CISOs) find themselves today, a recent study sheds light on a startling paradox. The 2024 CISO Survey, encompassing the insights of 200 CISOs, reveals a chasm between concern and action in the realm of third-party cyber threats.

A Stark Contrast: High Concern, Low Action

The study paints a concerning picture: 94% of CISOs acknowledge third-party cyber threats as a risk, and 17% rank them as their top concern, yet only 3% have actually deployed a third-party cyber risk management solution in their organizations. A further 33% plan to do so within the year, and budgets are following suit: 65% of CISOs expect their third-party cyber risk management spend to increase in 2024.

Dissecting the State of Third-party Security Management

Concern also scales with enterprise size. About 73% of CISOs at larger enterprises report concern about third-party cyber threats, compared with 47% at mid-size organizations, and only 7% of all respondents express no concern at all. Yet even where the value of third-party security solutions is recognized, their adoption remains surprisingly limited.

Responsibility for managing third-party risk is spread across departments: in 54% of organizations it is led by IT, risk, operations, or privacy teams, and a notable 10% have outsourced this critical function to an external service provider.

AI Solutions: The New Vanguard in Cybersecurity

CISOs are notably confident in AI as a defense against third-party threats: 80% believe AI-driven solutions could significantly reduce breaches. Respondents also rated several existing controls as highly effective, including cyber questionnaires, compliance management tools, and API monitoring across the supply chain.

CISOs are betting big on AI to strengthen their third-party security programs. The key areas of focus are improving supply chain discovery, sharpening asset discovery to reduce inaccuracies, automating the classification of third parties, and predicting potential breaches.

2024: The Year of Third-party Security Management Challenges

As 2024 unfolds, CISOs face a range of challenges in third-party risk management. Compliance with new regulations tops the list, followed by resource constraints, the rise of AI-based breaches, lack of visibility into Shadow IT usage, and the need to prioritize risk assessments.

When choosing third-party cyber risk management solutions, CISOs look for a broad set of capabilities. Risk quantification emerges as a critical feature, alongside remediation actions for identified gaps, threat intelligence, and seamless integration with existing systems.

In summary, the 2024 CISO Survey reveals a landscape where awareness and concern about third-party cyber threats are high, but the journey to effective implementation and management is fraught with challenges and slow adoption rates.

As the digital domain evolves, CISOs are increasingly turning to AI-driven solutions to bolster their defenses, navigating a complex web of regulations, resource constraints, and technological change.

“Will we get there in time?” is a very good question, to which we don’t yet have a good answer. Someone once said that it is hard to see inside the box unless you look. Right now, we do a lot of talking but very little looking.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.

