Global Cybersecurity Outlook 2025
Page 25 of 49 · WEF_Global_Cybersecurity_Outlook_2025.pdf
Another important issue is the uncertainty
surrounding supply chain interdependencies.
A lack of visibility throughout the ecosystem, and of
oversight over the degree of security maturity of
their suppliers, is a major concern for organizations.
At a focus group at the 2024 Annual Meeting on
Cybersecurity, 41% of participants expressed
the view that enhancing visibility of third-party
dependencies is the top priority for improving
supply chain cyber resilience. Enforcing security
standards on third-party providers – let alone fourth-
and Nth-party providers – on whose services they
have become dependent, has become increasingly
difficult. This is confirmed by the GCO survey: 48%
of participating CISOs indicated that ensuring third-
party compliance with their security requirements
is the main challenge to effectively implementing
cyber regulations. This is often compounded by
the fact that baseline security requirements at times differ between industries, and it becomes difficult
to enforce more onerous requirements throughout
the supply chain.
Additionally, organizations find themselves
increasingly dependent on a limited number of critical
providers that have managed to establish themselves
as leaders in their capability. The risk, however, is
that these providers become systemic points of
failure, and that any vulnerability introduced through
the providers will not only have knock-on effects
throughout their extensive client base but also cause
a ripple effect throughout the ecosystem. Owing
to the complexity of the ecosystem, a cyberattack
or outage can have far-reaching and unpredictable
consequences. This was seen in July 2024 when a
faulty content update to CrowdStrike’s Falcon endpoint
security sensor crashed Windows hosts worldwide, resulting
in a global IT outage that affected businesses and
governments around the world.
At the same time, cloud providers play a crucial role in enhancing the security of modern ecosystems, offering a stronger security posture than many organizations can achieve on their own. However, individual organizations often have limited control over the cyber risks associated with cloud services and must manage these as part of their broader strategy. Many organizations embrace cloud technologies for their cost efficiency; doing so requires a clear understanding of the shared responsibility model, under which the provider secures the underlying platform while the customer remains responsible for its own data, identities, access and configuration, and where roles and accountability can sometimes overlap. As organizations move more workloads to Software-as-a-Service (SaaS) platforms over whose configurations they have limited control, they concentrate risk in those providers. A ransomware attack on a major provider could ripple across thousands of dependent businesses, halting operations overnight. While such providers place great emphasis on resilience, no system is infallible. Companies must invest in their own business resilience strategies, ensuring they have contingency plans, such as independent backups of SaaS-hosted data and tested fallback procedures, that do not rely solely on their SaaS partners.

In attempting to address these concerns, some
organizations have opted for solutions close to
home, including reconsidering risk exposure
throughout their entire end-to-end supply chain
and enforcing secure software development
practices, including robust risk assessment and
dependency management. Others pointed to the
importance of standardization and certification to
increase trust in services provided in the digital
ecosystem, while recognizing that financial penalties
have the greatest likelihood of providing sufficient
incentive. In all, this reflects the sentiment that,
while responsibility for secure software development
should be clearly defined and transparent to
hold developers to account, CISOs must continue
to build sufficient resilience into their environments.
To support this effort, the EU Cyber Resilience
Act, which entered into force on 10 December 2024,
aims to enhance the cybersecurity of products with
digital elements throughout the EU.

“Building resilience is critical in today’s interconnected landscape,
where supply chain complexity can create innumerable cybersecurity
challenges. Smart adversaries exploit third-party vulnerabilities, making
collaboration essential. By enforcing standards, leveraging threat
intelligence and equipping organizations of all sizes with more effective
cybersecurity solutions, we can close gaps and fortify the ecosystem to
stop breaches while safeguarding business continuity and digital trust.”
George Kurtz, Founder and Chief Executive Officer, CrowdStrike
The impact of geopolitical risk on ecosystem complexity

The GCO survey finds that nearly 60% of respondents
reported that their cyber strategies were influenced by
geopolitical tensions. Moreover, ongoing conflicts in
2024 have continued to affect regions beyond those
directly involved, with 18% of organizations adjusting
trading or operational policies, 17% halting business
or operations entirely in certain regions and 16% of
organizations reporting changes in vendors.