To understand the current state of software supply chain security (SSCS) we surveyed 900 AppSec professionals in US, Europe and APAC based organizations across a wide range of industries. The findings show an increased sense of awareness with more than half of respondents acknowledging that SSCS is a top or significant area of focus. However, only 7% have already purchased and implemented an SSCS-specific product.

This report comes at a time when top organizational risks, such as supply chain, cybersecurity, and third-party risks cut across large parts of all organizations. Stopping supply chain attacks requires understanding their causes and the variables that contribute to them. SecurityScorecard threat researchers assist in that effort by helping organizations gauge their overall risk levels and set priorities for vendor vetting.

In the second quarter of 2023 GreyNoise researchers observed a substantial change in the behavior of some regular internet scanning idioms. Inventory scans—where both benign and malicious actors perform regular checks for a given technology or specific vulnerability being present—significantly reduced in frequency and scale. These targeted attacks threaten to circumvent existing defense capabilities and expose organizations to a new wave of disruptive breaches. Defenders must evolve in response.

AuditBoard’s 2023 Digital Risk survey of 130+ risk leaders found, most organizations are struggling to mature their risk management capabilities. . Our survey explored the digital risk management programs and technologies that organizations currently rely upon to better understand their digital risk landscape and digital risk management maturity, integration, and technology adoption.

Our survey results revealed that more companies than ever are viewing GRC as a holistic process and taking steps toward getting a complete view of their risk environment and regulatory obligations. Centralizing strategy, unifying risk and compliance data, and revamping the approach to cybersecurity are becoming more popular strategic objectives among respondents, especially with the rise of AI technology dismantling barriers and fostering collaboration among various GRC functions. This means the criteria for which GRC technology is being evaluated against in the purchase cycle is rapidly expanding.

While third-party risk management is a well-established practice, it’s also continuously evolving. Organizations of all sizes and industries must continually adapt and change to effectively identify, assess, manage, and monitor third-party risks. By analyzing the third-party risk management landscape and practices captured in our survey, organizations can see where they stand compared to their peers and consider that information as they prepare and implement changes this year and beyond.

In this year’s survey, they revisited questions around how organizations are developing effective third-party cyber risk management (C-TPRM) programs with robust technology and services and determining how to best collaborate with third parties on their shared security posture. They also asked some new questions related to how organizations refine their risk management approaches over time. To assure an accurate reflection of industry trends and observations, BlueVoyant commissioned its fourth annual survey undertaken by independent research organization, Opinion Matters, in October 2023. A total of 2,100 respondents represent a variety of executive roles within their organizations, but are all responsible for managing supply chain and cyber risk.

This report is sponsored by RiskRecon, a Mastercard Company and conducted by Ponemon Institute, 1,162 IT and IT security professionals in North America and Western Europe were surveyed. All participants in the research are familiar with their organizations’ approach to managing data risks created through outsourcing. Sixty percent of respondents said the number of cybersecurity incidents involving third parties have increased.

In April 2023, ReversingLabs partnered with Dimensional Research to survey 321 security and IT professionals on their software supply chains for its report, “Software Supply Chain Security Risk Survey.” This analysis presents key findings and actionable recommendations for security organizations in four key areas: traditional applications security shortcomings, software supply chain complexity and security, security in software development and enterprise-wide security risks.

This report presents analysis of insights gathered from 130 leading CISOs who participated in the 2023 Team8 CISO Village TLV Summit, an exclusive and intimate gathering of CISOs from global prominent enterprises, many of which are Fortune 500 companies. This report incorporates previously unpublished information gathered from the 2022 CISO Village TLV Summit Survey.

This report is different in that we’re focusing on explicit relationships that are manually configured by organizations using RiskRecon’s platform. In other words, we’re examining curated portfolios of vendors and suppliers tracked as part of organizations’ third-party risk management program. We started with a dataset extracted from RiskRecon’s platform consisting of over 100,000 primary organizations and more than 300,000 monitored third-party relationships. We’re focusing on direct relationships in this report, but the data supports the analysis of indirect (fourth- to nth-party) relationships.

Hyperproof conducts an annual survey to uncover the top challenges IT compliance professionals face and what issues they are focused on in the coming year. We’ve asked over 1,000 survey respondents about their pain points, IT risk and compliance budgets, staffing, risk management best practices, and much more to provide an in-depth view of the market’s current state and what to prepare for this year.

The Fast and the Frivolous uses a massive dataset from SecurityScorecard that spans 1.6 million organizations. We analyze billions of internet-exposed assets to measure the speed of vulnerability remediation over a three-year period. In this report, you’ll find some of the lessons we learned.

In this risk surface series, RiskRecon, a Mastercard Company, and Cyentia have worked to help third-party risk managers understand how to measure and manage risk. We’ve seen variation across industries and other slices. But not all firms are interchangeable. A payroll processor cannot be replaced with a janitorial supply company, at least not with good business outcomes! In this report, we look at what distinguishes top-performing firms from those that struggle the most. Armed with this knowledge, Third-Party Risk Management (TPRM) professionals can take into account the totality of their risk surface, and how it impacts the overall security performance of an organization

In the summer and fall of 2019, EY surveyed 246 global institutions that had a third-party risk management (TPRM) function in various sectors, including but not limited to, retail and commercial banking, investment banking, insurance, advanced manufacturing and mobility, technology, media and entertainment, power and utilities, and health.

For our seventh annual survey, Venminder surveyed individuals from a wide variety of organizations and industries, including financial services, fintech, retail, food services, insurance, healthcare, information technology, and more in a nice balance of different sizes ranging from less than $1B assets of less than 100 employees to more than $10B assets or more than 5,000 employees.

This report offers an in-depth examination of the underlying condition that enables such incidents to take place-the widespread interdependence of modern digital supply chains. We analyzed data from over 230,000 organizations to investigate the prevalence of security incidents among third parties. We then measure the extent of vendor relationships and explore the effects of that exposure. Finally, we compare the security posture of organizations to that of their third and fourth-parties to yield data-driven insights on how to identify risky vendors and better manage exposure.

Ivanti surveyed over 6,500 executives leaders, cybersecurity professionals and office workers in October 2022. Our goal: to understand today’s threats - from the perspective of security professionals, as well as executive leaders and all other office workers - plus find out how companies are preparing for yet - unknown future threats.

We identified 50 of the largest multi-party cyber incidents over the past several years in an effort to understand their causes and consequences from beginning to end. Tsunami draws from the same rigorous methodology in the rest of the IRIS series. We started with a huge dataset of cyber loss events, identified those that involved multiple organizations, and then researched each event to understand who was behind it, what happened, how the after effects propagated through the supply chain, and the financial losses for all parties involved.

The goal of this report is to offer a view on the state of compliance in today’s typical organization, including: the rate of noncompliance among a typical organization’s assets, the compliance standards that are hardest for organizations to adhere to, how well compliance tracks against the overall risk surface and the most common security controls causing non-compliance.

The goal of the study was to provide a state-of-the-market on third-party risk with actionable recommendations that organizations can take to grow and mature their programs across every stage of the third-party risk lifecycle.