{"id":43034,"date":"2026-01-14T23:51:09","date_gmt":"2026-01-14T23:51:09","guid":{"rendered":"https:\/\/agooka.com\/news\/technologies\/85-of-security-leaders-are-flying-blind-on-supply-chain-threats-panorays-study-says\/"},"modified":"2026-01-14T23:51:09","modified_gmt":"2026-01-14T23:51:09","slug":"85-of-security-leaders-are-flying-blind-on-supply-chain-threats-panorays-study-says","status":"publish","type":"post","link":"https:\/\/agooka.com\/news\/technologies\/85-of-security-leaders-are-flying-blind-on-supply-chain-threats-panorays-study-says\/","title":{"rendered":"85% of security leaders are flying blind on supply chain threats, Panorays study says"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/dataconomy.com\/wp-content\/uploads\/2026\/01\/85-of-security-leaders-are-flying-blind-on-supply-chain-threats-panorays-study-says.jpg\" alt=\"85% of security leaders are flying blind on supply chain threats, Panorays study says\" title=\"85% of security leaders are flying blind on supply chain threats, Panorays study says\"\/><\/p>\n<p>A new survey from Panorays paints a troubling picture of the state of third-party security risk management. Despite growing awareness of supply chain vulnerabilities, most security leaders still can\u2019t see what\u2019s coming through their back door. Panorays is a global provider of third-party cybersecurity management software. The 2026 CISO Survey for Third-Party Cyber Risk Management, based on responses from 200 US-based Chief Information Security Officers, reveals a striking disconnect between perceived threats and actual preparedness.<\/p>\n<p>While 60% of CISOs report an increase in third-party security incidents over the past year, only 15% say they have full visibility into those risks. The remaining 85% are operating with significant blind spots.<\/p>\n<p>This visibility gap is creating real exposure. 
Organizations without clear sight lines into their supply chains are increasingly susceptible to prolonged outages, exposure of sensitive systems, financial losses, and compliance violation penalties. Without proper monitoring, even minor incidents have the potential to spiral out of control.<\/p>\n<p>The survey was conducted in October 2025 by Global Surveyz, an independent research company, on behalf of Panorays. The sample included 200 Chief Information Security Officers from US-based companies in finance, insurance, professional services, technology, healthcare and software development sectors. All respondents are full-time employees responsible for overseeing third-party cybersecurity risk management within their organizations.<\/p>\n<h2>Awareness is high, but preparedness remains dangerously low<\/h2>\n<p>The survey found that 77% of CISOs recognize third-party risk as a major threat to their organizations. Yet only 21% have tested crisis response plans in place. This gap between recognition and readiness suggests that many organizations are waiting for a breach to happen before taking action.<\/p>\n<p>The problem extends beyond direct suppliers. Although 60% of respondents report rising third-party breaches, just 41% monitor risk beyond their immediate vendors. This means CISOs are watching the front door while the biggest risks are lurking in the background\u2014in fourth-party and fifth-party relationships that most security teams never examine.<\/p>\n<p>\u201cOur findings show that third-party security vulnerabilities aren\u2019t going away\u2014in fact, they\u2019re becoming more prevalent due to a dangerous lack of visibility and the rampant adoption of unmanaged AI tools,\u201d said Matan Or-El, founder and CEO of Panorays. 
\u201cMeanwhile, it\u2019s especially alarming that only 15% of CISOs say they have the ability to map out their entire supply chains.\u201d<\/p>\n<h2>Shadow AI: The new blind spot<\/h2>\n<p>One of the most concerning findings involves artificial intelligence. Despite rapid AI adoption across enterprises, only 22% of CISOs have formal vetting processes for AI tools. This leaves unmanaged third-party AI systems embedded in core environments without proper security scrutiny.<\/p>\n<p>The risk is significant: 60% of respondents identified unmanaged AI tools as uniquely dangerous. Teams are adopting black-box AI tools faster than security teams can evaluate them, creating a growing blind spot as high-risk third-party systems are granted access to IT environments without oversight.<\/p>\n<p>\u201cThe rise of AI has only made supply chains more complex, and the connected nature of these data-dependent systems is expanding the attack surface,\u201d Or-El noted. \u201cCISOs are increasingly seeing the value of AI-driven solutions to increase clarity around the evolving threat landscape.\u201d<\/p>\n<h2>GRC platforms are failing security teams<\/h2>\n<p>Here\u2019s where the findings get particularly interesting: companies are investing heavily in security tools, but those tools aren\u2019t delivering results.<\/p>\n<p>The survey found that 61% of businesses have invested in Governance, Risk, and Compliance (GRC) software solutions\u2014a dramatic increase from just 27% in Panorays\u2019 2025 report. Yet despite this surge in adoption, 66% of CISOs say these platforms are ineffective at dealing with the dynamic nature of external third-party supply chain risks.<\/p>\n<p>The result? Security teams are forced to rely on manual workarounds, increasing the likelihood that vulnerabilities slip through the cracks. More spending isn\u2019t translating into better visibility. 
Something in the current approach isn\u2019t working.<\/p>\n<p>Traditional security assessments are also falling short. A full 71% of CISOs admit that traditional questionnaires no longer meet expectations. Instead of providing visibility into the threat landscape, these static assessments are creating fatigue\u2014endless forms that generate compliance paperwork but fail to surface actual risks.<\/p>\n<h2>AI-driven tools gaining traction<\/h2>\n<p>Despite the bleak overall picture, there are encouraging signs that organizations are adapting. CISOs are increasingly turning to AI-driven assessment tools as an alternative to failing legacy approaches. Adoption of AI for third-party risk management has surged from 27% a year ago to 66% this year.<\/p>\n<p>This shift is producing measurable results. The percentage of CISOs reporting full visibility into their software supply chains has improved from just 3% in 2025 to 15% in 2026. That\u2019s a fivefold increase in one year.<\/p>\n<p>But perspective matters here. While the progress is real, 85% of organizations still lack a complete view of their overall threat landscape. Moving from 3% to 15% is an improvement. It\u2019s not a success.<\/p>\n<h2>The path forward<\/h2>\n<p>The survey\u2019s findings point to a fundamental challenge in modern cybersecurity. Supply chains are becoming more complex, not less. The proliferation of AI tools\u2014both sanctioned and shadow\u2014is expanding the attack surface faster than security teams can map it. And the tools that organizations have invested in over the past decade weren\u2019t designed to manage dynamic, interconnected third-party risks at scale.<\/p>\n<p>For CISOs, the message is clear: awareness without visibility is not enough. Crisis plans that haven\u2019t been tested aren\u2019t really plans. 
And watching only direct suppliers while ignoring the broader ecosystem is a strategy that leaves too many doors unguarded.<\/p>\n<p>The organizations that close this gap will be the ones that move beyond checkbox compliance toward continuous, AI-assisted monitoring of their entire supply chain. The 85% that don\u2019t will continue flying blind\u2014until something forces them to see.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new survey from Panorays paints a troubling picture of the state of third-party security risk management. Despite growing awareness of supply chain vulnerabilities, most security leaders still can\u2019t see what\u2019s coming through their back door. Panorays is a global provider of third-party cybersecurity management software. The 2026 CISO Survey for Third-Party Cyber Risk Management, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":43035,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":{"0":"post-43034","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technologies"},"_links":{"self":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/posts\/43034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/comments?post=43034"}],"version-history":[{"count":0,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/posts\/43034\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/media\/43035"}],"wp:attachment":[{"href":"https:\/\/agooka.co
m\/news\/wp-json\/wp\/v2\/media?parent=43034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/categories?post=43034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/agooka.com\/news\/wp-json\/wp\/v2\/tags?post=43034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}