Supply Chain Cyberattacks are on the Rise – Here’s How U.S. Businesses can Fortify Their Defenses
2024-7-23 20:50:2 Author: securityboulevard.com

In today’s world, digital transformation is no longer optional. As technology evolves rapidly, businesses worldwide face a critical decision: Adapt or fall behind. Digitalization can be the key to enhanced process efficiencies, data-driven customer insights and business agility for many enterprises – all critical pieces of the sustainable growth puzzle. However, attempting such a transition single-handedly will likely be extremely difficult. To transform both effectively and quickly, organizations should look to partner with third-party suppliers and specialists that possess the tools, technologies, expertise and resources to help revolutionize their clients’ operations. From open-source developers to business process outsourcing (BPO) firms, they can be incredibly valuable partners from an operational standpoint.

However, for security professionals, such partnerships can pose problems.

With each new investment and supplier, companies are inadvertently expanding their digital attack surfaces, offering threat actors additional opportunities to exploit vulnerabilities.

Third-Party Risks are the Number One Security Challenge Facing U.S. Businesses

In recent years, third-party cyberattacks have become a pressing concern for security professionals. High-profile incidents such as the Okta, Change Healthcare, and Home Depot breaches thrust the vulnerabilities of supply chains and the implications of third-party vendors into the spotlight, compelling U.S. businesses to reevaluate their cybersecurity strategies.

My organization sought to explore the issue of supply chain attacks in more detail, with our latest State of Information Security report providing insight into the experiences of 1,526 respondents who work in information security.

Several findings stood out. Managing vendor and third-party risks emerged as the number one challenge among U.S. information security professionals, cited by 37% of respondents.

This widespread concern likely stems from the high incidence of supply chain-related security incidents that many businesses have recently experienced. Indeed, about three-quarters of those companies surveyed reported security incidents involving their supply chain or third-party vendors, an increase from the previous year. Additionally, 43% of U.S. businesses disclosed that partner data had been compromised in the past 12 months.

These statistics are a direct consequence of expanding digital ecosystems and increasingly interconnected business operations, highlighting the growing prevalence of supply chain vulnerabilities and their exploitation by cybercriminals.

Given the widespread nature of these threats, businesses must remain vigilant regarding the risks posed by their third-party vendors and suppliers, especially in the face of increasingly sophisticated attacks. They must also continue to build robust and effective cybersecurity foundations on stronger partnership agreements, themselves grounded in thorough vetting processes and enhanced cybersecurity measures.

AI in the Security Toolkit

It is important to understand that these enhanced measures need not rely on outdated security practices. Indeed, just as threat actors are utilizing increasingly sophisticated tools to craft and execute advanced threats, organizations should embrace cutting-edge technologies to strengthen their defenses.

Enterprises themselves must explore these opportunities, with generative AI already being promoted by security vendors as a solution to bridge skills gaps in security operations centers (SOCs).

Not only can these technologies explain and contextualize alerts and complex scripts and recommend response actions, but when trained on the right datasets, they can also help prioritize patches and identify common misconfigurations. Additionally, the technology’s ability to produce synthetic data may be useful for simulating attacks to test AI/ML-powered security tools.

The opportunities are undoubtedly clear. But where does adoption currently stand?

While a significant majority of organizations (73%) believe AI and ML will enhance their data security programs, little more than a quarter (26%) have implemented such initiatives in the past 12 months. Further, only about a third (36%) plan to increase cybersecurity spending by up to 25% in the next 12 months.

Embracing Standards to Assure Stakeholders

The gap between positive perceptions and hesitancy to adopt advanced technologies like AI and ML can be attributed to several factors. Some organizations have explained that they’re simply prioritizing other matters that they deem to be more pressing, while others harbor concerns regarding the potential privacy implications of AI, for example.

Of course, such caution is natural, with the long-term impact of new, sophisticated technologies like AI and ML on the data security landscape remaining unclear. However, increased regulation surrounding their usage is inevitable.

As the attack surface expands and regulators become less forgiving, these challenges are poised to intensify.

Within this context, standards such as ISO 42001, specifically addressing AI, can aid organizations in assuring stakeholders, including partners, customers and regulators.

Critically, ISO 42001 sets a global benchmark for AI management systems, providing a structured framework to assist organizations in ethically, securely, and transparently designing, developing and deploying AI technologies.

Amid the relentless challenges of safeguarding data, ensuring operational continuity and satisfying regulatory demands in the face of agile adversaries, standards like these offer a beacon of hope, steering organizations toward the essential processes.

For many, the challenge is often knowing where to start. However, compliance with these frameworks doesn’t need to be as burdensome as businesses might think. Indeed, with the proper support and guidance, they can be adopted and followed with relative ease.

Article source: https://securityboulevard.com/2024/07/supply-chain-cyberattacks-are-on-the-rise-heres-how-u-s-businesses-can-fortify-their-defenses/