A study from cybersecurity solutions provider BlueVoyant revealed that 92% of organizations in the U.S. suffered a security breach last year due to vulnerabilities in their vendor ecosystem. The study, conducted in cooperation with independent research firm Opinion Matters, highlighted the views and experiences of 1,505 CIOs, CISOs and Chief Procurement Officers in organizations located across the U.S., the U.K., Mexico, Switzerland, and Singapore.
Multiple Pain Points
The study found that organizations are experiencing multiple pain points in their third-party cyber risk management programs. The top three pain points include:
- Working with suppliers to improve their security performance
- Prioritizing which risks are urgent and which are not
- Offboarding suppliers with the rigor we onboarded them
Other findings include:
- U.S. organizations have the highest breach frequency among the surveyed countries.
- 33% say they have no way of knowing if cyber risk emerges in a third-party vendor; this was the second highest out of all five countries surveyed.
- Just under one third (31%) monitor their entire supply chain, which means that 69% do not have full visibility. However, this was higher than the global average across all respondents, which was 23%.
- U.S. respondents monitor and report more frequently than those in most other countries surveyed: 35% report monthly and 9% report weekly, while 27% re-assess and report their vendors’ cyber risk position only every six months or less frequently.
- The average headcount in internal and external cyber risk management teams is 10.7.
- 86% say that budget for third-party cyber risk management is increasing, by an average figure of 45%. This was the second highest budget increase out of the five countries surveyed.
- Over half (54%) of U.S. organizations think the CISO owns cyber risk, while 27% say it belongs to the CIO and 10% say Chief Procurement Officers are responsible.
Jim Penrose, Chief Operating Officer for BlueVoyant, said, “There are signs that U.S. respondents are responding to the severity of the situation, but there is still a concerning lack of visibility into third-party suppliers. This is evident in the number of breaches that U.S. respondents are reporting. The research clearly indicated the reasons behind this high breach frequency with visibility being a major problem and one-third admitting that they have no way of knowing if a risk arises in a third-party vendor.”