The CISO Perspectives Report 2025: AI and Digital Supply Chain Risks by Cobalt analyzed security leaders’ perspectives on emerging risks.

The report found that 68% of security leaders are concerned about the risks of third-party software tools and components introduced across their tech stacks. Seventy-three percent reported receiving at least one notification of a software supply chain vulnerability or incident in the past year.

According to the report, 60% believe attackers are evolving too quickly to maintain a truly resilient security posture and 46% are uneasy about AI-driven features and large language models. Sixty-eight percent say their boards now view the secure deployment of genAI as a critical priority. The report found that 55% of security leaders say they’re constantly worried one employee mistake could put the whole organization at risk.

The CISO Perspectives report also highlights the growing role of penetration testing in security strategies. Nearly nine in 10 security leaders (88%) view pentesting as an essential component of their overall program. Far beyond a compliance checkbox, it is a proactive measure to identify and remediate vulnerabilities before exploitation occurs.

Pentesting is also being embedded into software development to provide assurance to regulators and customers concerned about third-party risk. More than half (58%) of respondents require third-party pentest reports to validate software security, while 55% conduct independent code reviews and 53% supplement these efforts with internal testing. These practices reflect a deep commitment to building resilience across the digital supply chain.

Download the report