By all appearances, companies are finally taking supply chain risk seriously. Budgets are rising. Programs are maturing. Tools are proliferating. And yet, despite all this forward motion, nearly every organization (97%) surveyed in BlueVoyant’s 2025 State of Supply Chain Defense report experienced at least one third-party breach last year.
That’s up from 81% the year before, even as nearly half of respondents describe their TPRM (third-party risk management) programs as “established and optimized.” This isn't just a gap between intent and execution. It's a system-wide stall, where internal misalignment and shallow compliance masquerade as progress.
The report outlines a pattern of “maturity without commitment.” Many TPRM programs function impressively on paper, but lack the executive engagement needed to turn plans into protection. Only 24% of organizations brief leadership on risk monthly, and 60% cite poor cross-functional collaboration as a key obstacle. Brendan Conlon, global director of third-party risk management at BlueVoyant, explains, “Integrated systems and genuine commitment to risk reduction over simply meeting compliance requirements will be the difference in delivering positive security outcomes and drowning in box checking.”
Even more alarming: only 16% of companies said their TPRM programs are primarily driven by risk reduction. Instead, most are checking boxes for cyber insurance or contract requirements. The result is fragmented systems, slow incident response, and limited visibility into supplier vulnerabilities. Integration with broader risk systems remains elusive. And the tools meant to create transparency? Too often, they operate in isolation.
Almost all respondents (96%) expect to grow their third-party ecosystems in the coming year—but they’re not improving vendor tiering models at the same pace. A full 57% classify between 30% and 50% of their suppliers as “critical,” rendering the label almost meaningless.
Prioritizing vendors based on contract value or legacy relationships, rather than on real risk indicators such as data access or potential operational impact, leaves critical exposures in the shadows.
Sector-level data shows pockets of momentum:
Organizations have moved past denial and into investment. 45% of companies are now working directly with third parties to remediate risks. That’s a significant move away from passive oversight. It's also one of the few trends correlated with improved outcomes. Still, investment without integration, without true internal cooperation, is just a more expensive version of the same failure.
What’s needed next? A cultural reset. Real-time reporting. Cross-departmental cooperation. Risk-driven decision-making. Without these, even the most sophisticated tools won’t save us.