Panorays, a leading provider of third-party security risk management software, has released the 2026 edition of its annual CISO Survey for Third-Party Cyber Risk Management.
The survey highlights third-party cyber risk as one of the most critical challenges facing security leaders today, driven largely by a lack of visibility. While 60% of CISOs report an increase in third-party security incidents, only 15% say they have full visibility into those risks.
These gaps are compounded by limited resources and technology stacks that weren’t designed to manage dynamic supply-chain threats at scale.
Drawing on responses from 200 CISOs of US-based companies, the 2026 Panorays CISO Survey puts a spotlight on cybersecurity executives’ continuing challenges to shore up software supply chain security, as these efforts are further undermined by resource constraints and tech stacks that fall short. Despite growing adoption, standard Governance, Risk, and Compliance (GRC) platforms have largely failed security teams, leaving them without the ability or confidence needed to effectively address the rising tide of third-party threats.
Key Findings and Insights
- Preparedness is dangerously low: While 77% of CISOs see third-party risk as a major threat, only 21% have tested crisis response plans in place. This suggests that organizations are increasingly susceptible to prolonged outages, exposure of sensitive systems and financial losses in the event of a security breach, as well as compliance violation penalties. Without a proper response plan in place, even minor incidents have the potential to spiral out of control.
- Most organizations are blind to vendors: Although 60% report rising third-party breaches, just 41% monitor risk beyond direct suppliers. CISOs face massive observability gaps, as they’re only watching the front door. But the biggest risks are lurking in the background, largely unseen by most security teams.
- Shadow AI is creating new attack paths: Despite rapid AI adoption, only 22% of CISOs have formal vetting processes, leaving unmanaged third-party AI tools embedded in core environments. Teams are adopting black-box AI tools faster than security teams can keep up, with 60% of respondents identifying shadow AI as uniquely risky. This creates a dangerous and growing blind spot for CISOs, as high-risk third-party systems are granted access to IT environments without scrutiny.
- CISOs are dissatisfied with their compliance stacks. The report found that 61% of businesses have invested in GRC software solutions, yet 66% say that these platforms are ineffective in dealing with the dynamic nature of external third-party supply chain risks. As a result, security teams are forced to rely on manual workarounds instead, increasing the likelihood of vulnerabilities being missed.
- Static security assessments are no longer up to the job. This is a growing consensus among CISOs, with 71% admitting that traditional questionnaires fall short of expectations, creating fatigue instead of visibility into the threat landscape. Fortunately, CISOs are quickly embracing alternatives, with 66% moving on to AI-driven assessment tools.
Left to right: Panorays Co-founders Meir Antar (COO), Matan Or-El (CEO) and Demi Ben-Ari (Chief Strategy Officer)
“Our findings show that third-party security vulnerabilities aren’t going away – in fact, they’re becoming more prevalent due to a dangerous lack of visibility and the rampant adoption of unmanaged AI tools,” said Matan Or-El, founder and CEO of Panorays. “Meanwhile, it’s especially alarming that only 15% of CISOs say they have the ability to map out their entire supply chains.”
“The rise of AI has only made supply chains more complex, and the connected nature of these data-dependent systems is expanding the attack surface,” Or-El continued. “CISOs are increasingly seeing the value of AI-driven solutions to increase clarity around the evolving threat landscape.”
Visibility Is Being Prioritized, but CISOs’ Hands Remain Tied
The new report found there’s a growing sense of urgency among CISOs due to the failure of traditional GRC platforms to manage third-party risk at scale. Almost two-thirds of organizations have invested in GRC tools, up from just 27% in the 2025 version of Panorays’ report, yet overall visibility has declined, resulting in growing dissatisfaction about the ineffectiveness of these systems.
Fortunately, there are signs that organizations can close the visibility gap as more CISOs explore the use of advanced, AI-driven tools to improve their security posture. Adoption of AI for third-party risk management has surged, up from 27% a year ago to 66% this year.
This shift has led to significant, but still alarmingly insufficient, growth in the ability of organizations to properly assess the third-party threat landscape.
The 2026 survey found that 15% of CISOs now say they have full visibility into their software supply chains, up from just 3% a year ago, but much work remains to be done. While the progress is encouraging, the overall picture remains bleak, as 85% of organizations still lack a complete view of their overall threat landscape.
About the Survey
The 2026 CISO Survey was conducted in October 2025 by the independent research company Global Surveyz on behalf of Panorays. It’s based on responses from 200 Chief Information Security Officers, all of whom are full-time employees tasked with overseeing third-party cybersecurity risk management within their organizations. The sample included CISOs from the finance, insurance, professional services, technology, healthcare and software development sectors.
About Panorays
Panorays is a global provider of third-party cybersecurity management software. Adopted by leading banking, insurance, financial services, and healthcare organizations, Panorays enables businesses to optimize their defenses for each unique third-party relationship. With personalized and adaptive third-party cyber risk management, Panorays helps businesses stay ahead of emerging threats and delivers actionable remediations with strategic advantages with over 1,000 customers worldwide. The company serves enterprise and mid-market customers primarily in North America, the UK and the EU, Headquartered in New York and Israel, with offices around the world, Panorays is funded by numerous international investors, including Aleph VC, Oak HC/FT, Greenfield Partners, BlueRed Partners (Singapore), StepStone Group, Moneta VC, Imperva Co-Founder Amichai Shulman and former CEO of Palo Alto Networks Lane Bess. For more information, users can visit panorays.com or contact at info@panorays.com.
Contact
PR
Dan Edelstein
InboundJunction
pr@inboundjunction.com
Read More from This Article: 2026 Study from Panorays: 85% of CISOs Can’t See Third-Party Threats Amid Increasing Supply Chain Attacks
Source: News