AI, Supply Chains, and Sleepless Nights: Inside the 2025 Security Crisis Keeping CISOs Up at Night

When it comes to cybersecurity in 2025, it's not the cybercriminals that are changing—it's the battlefield. And Cobalt's latest CISO Perspectives Report makes one thing crystal clear: the digital supply chain is the new front line, and artificial intelligence is both a powerful tool and a growing liability.


The report, titled CISO Perspectives Report 2025: AI and Digital Supply Chain Risks, synthesizes insights from 225 senior security leaders at organizations ranging from mid-market to enterprise. Its findings reflect a profession grappling with a rapidly expanding threat landscape—one where the weakest link might not be inside the firewall at all, but buried in a third-party code library or an AI-driven feature behaving unpredictably.


Among the most sobering takeaways: 68% of CISOs express concern over the risks introduced by third-party software and open-source components. Nearly three in four respondents say they’ve received at least one supply chain vulnerability notification in the past year. And 60% worry that attackers are evolving too quickly for defenders to keep pace—a stark admission in an industry built on control and precision.


“Security leaders understand that attackers are evolving at an unprecedented pace, and defensive strategies alone won’t cut it,” said Andrew Obadiaru, CISO at Cobalt. “Our research shows a growing demand for offensive security to complement traditional controls. This isn’t just about finding gaps—it’s about building a culture of continuous resilience where security is tested as rigorously as the threats we face.”


That demand is fueling a broader embrace of offensive security practices. Penetration testing, once seen as an annual checkbox for compliance, has now become a strategic pillar. According to the report, 88% of CISOs consider pentesting essential—not optional—for their security programs. It's also creeping earlier into the development cycle, with 58% of respondents requiring third-party pentest reports and a majority layering in code reviews and internal testing to bolster assurance.


But the real anxiety may lie with AI. While generative AI has captivated the enterprise with promises of efficiency and innovation, it’s also surfaced as a wildcard in the security equation. Nearly half (46%) of respondents are uneasy about AI-driven features and large language models, fearing unintended consequences or exploitation. Meanwhile, 68% say their boards now view secure AI deployment as a top strategic priority—a sharp signal that AI risk has gone mainstream.


The findings paint a picture of CISOs stretched thin between innovation and risk. As companies rush to digitize and automate, the attack surface expands exponentially. A single vulnerable software component, an exposed API, or even a well-meaning employee clicking the wrong link can open the door to cascading failures.


In this context, the traditional perimeter model is dead. Modern security, the report argues, requires persistent, real-world validation—red teaming, continuous pentesting, and supply chain risk management that reflects the true interconnectedness of today’s ecosystems.


The Cobalt report lands at a pivotal moment. With the rise of AI agents, embedded software dependencies, and real-time supply chain orchestration, CISOs must navigate threats that move faster and hide deeper than ever before.


“Cyber resilience isn’t just about surviving an attack,” said Obadiaru. “It’s about proving you can hold your ground even when the terrain keeps shifting.”


In other words, the new gold standard in security isn’t just patching faster or buying the latest tools. It’s thinking like an attacker—before the real ones do.