CISO report: AI, supply chain, & insider risks reshape security

Sat, 2nd Aug 2025

Author: Jed Nykolle Harme

Article from: https://securitybrief.co.nz

Cobalt has released its CISO Perspectives Report 2025, highlighting current concerns around AI, third-party risks, and defensive strategies in enterprise security.

The report, based on a survey of 225 security leaders across organisations employing between 500 and 10,000 people, captures the current attitudes and strategies among those responsible for managing cybersecurity risk.

Third-party and supply chain worries

Key findings show that 68% of security leaders are concerned about the risks introduced by third-party software tools and components in their organisations’ technology stacks. In addition, 73% have received at least one notification about a software supply chain vulnerability or incident over the past twelve months.

The prevalence of reported supply chain incidents reflects the extent to which organisations rely on externally developed software, and the weaknesses that reliance introduces. The report highlights that these risks are compounded by the use of open-source code and new AI-driven features, both of which are difficult to audit and secure comprehensively.

The challenge of AI and automation

Survey results noted that 46% of respondents are uneasy about AI-driven features and large language models. At the board level, the issue is viewed as particularly urgent, with 68% indicating their boards regard the secure deployment of generative AI (genAI) as a critical priority.

Andrew Obadiaru, CISO at Cobalt, said,

Security leaders understand that attackers are evolving at an unprecedented pace, and defensive strategies alone won’t cut it. Our research shows a growing demand for offensive security to complement traditional controls. This isn’t just about finding gaps – it’s about building a culture of continuous resilience where security is tested as rigorously as the threats we face.

The report indicates that 60% of security leaders believe attackers are moving too quickly for organisations to maintain a truly resilient security posture, as adversaries increasingly use automation and AI to scale their attacks. This rapid pace, combined with complexity introduced by digital transformation, means reactive, purely defensive approaches are unlikely to keep up.

Insider threats and employee risk

The internal environment remains a top concern. Over half of security leaders (55%) reported they are constantly worried that a single employee’s mistake could expose the entire organisation to significant risk. The potential for a misstep or overlooked vulnerability to result in a breach with wide-ranging consequences was noted as a wake-up call for companies to improve resilience through a proactive approach.

Adoption of offensive security measures

The survey found that 88% of security leaders view penetration testing as an essential component of their security programme. Far from being viewed solely as a compliance requirement, penetration testing is increasingly recognised as a vital tool for identifying and mitigating vulnerabilities before exploitation.

Penetration testing is also being used to vet third-party software before it enters the stack: 58% of respondents require third-party penetration test reports to validate a supplier's software security. In parallel, 55% conduct independent code reviews and 53% supplement these measures with internal testing, reflecting a multi-layered approach to managing third-party risk in the digital supply chain.

The report emphasises that practices such as penetration testing and red teaming are becoming integral to assessing and validating security under real-world conditions. By adopting a proactive, continuous and threat-informed testing approach, organisations aim to reduce uncertainty and improve resilience across their digital environments.

The survey underpinning the report was conducted by Emerald Research and sought responses from both C-level and VP-level security professionals, providing insight into the strategies and concerns of leaders responsible for securing medium to large organisations.

This article is posted for the interest of our readers and is not associated with RiskNZ.