Supply Chain Defense
Annual Global Insights Report 2025

Foreword

Welcome to BlueVoyant’s sixth annual report on the State of Supply Chain Defense. Over the past five years, we’ve chronicled the ups and downs of third-party risk management (TPRM) as it evolved from an immature awareness program to the established operational function it is today.

This year, we refined our survey methodology to better reflect evolving priorities across industries and geographies. It’s important to note that all of those surveyed were from organizations that had a risk-owner function. It’s no longer a question of “should we build this program?” but now, “how do we do this effectively?”

This year’s survey explores not only what organizations are doing, but how, why, and what gaps they’re seeing. The data reveals that as organizations invest heavily in tools, teams, and processes, the gap between program maturity and organizational commitment is widening. While there are bright spots, the overall direction suggests that mature programs don’t automatically equal positive outcomes.

This year’s report focuses on the following key themes:

> Operational challenges: Despite growing maturity among surveyed organizations, TPRM programs face a widening gap in internal support and alignment. The strategy may be there, but tactically it’s hard to execute without far-reaching support. To dive into this thought, we separated our challenge question to focus on both operational and organizational issues. With 60% of organizations citing internal resistance as a top barrier to program maturity and effectiveness, it’s no wonder that it’s hard to execute.

> Compliance over risk reduction: Organizations are building TPRM programs to check a compliance box and not necessarily reduce risk. Only 16% of respondents identified risk reduction as a primary program driver. Instead, they are motivated more by cyber insurance requirements, contractual obligations, and board mandates — all of which support compliance. While meeting minimum compliance requirements is critical, meaningfully reducing risk would lead to the same or better compliance result. Compliance is step one, not necessarily the end goal. The fact that 97% of respondents experienced a cyber incident at one of their suppliers underscores the need to focus on actual risk reduction.

> Scale: With 96% of organizations expecting to grow their vendor ecosystem over the next year, the attack surface continues to widen. But without organizational support and integration across tools and teams, silos will only continue to grow, limiting risk visibility.

One positive trend was the increase in organizations being proactive about working with their third-party vendors. While 19% of organizations rely on vendor attestation alone, 23% use external third-party monitoring, risk ratings, or threat intelligence feeds for verification. And with 45% of organizations working with vendors directly to remediate issues, this collaboration is a step in the right direction.

Ninety-six percent of respondents expect their vendor ecosystems to grow in the next year. Thirty-two percent expect their ecosystem to grow by 11-15%, and 35% expect 6-10% growth. Here’s the breakdown by organizational size:

In positive news, 95% of respondents estimated that their TPRM spending increased over the past 12 months to further support this growth and continue maturing their program.

We found that common challenges have shifted as priorities change. Organizations are fully aware of the risks their third-party vendors pose, but they’re less clear on how to tackle the problem because of inconsistent organizational support. While the 2024 challenges were more tactical — knowing how to penalize vendors who don’t fix issues and meeting regulatory requirements — this year’s challenges signal more of a systemic issue. There’s less focus on what to do with vendors who aren’t proactive about risk, and more focus on getting the organization in order internally.

When it comes to AI, organizations identify this technology as best suited for continuous monitoring, recognizing that automation will be essential for maintaining visibility as the attack surface expands. Yet technology alone won’t solve the fundamental challenges of organizational alignment and strategic prioritization.

For six years now, the goal of this report has been to raise awareness and understanding of how to build a TPRM program. As organizational attitudes and priorities evolve, we’re excited to share our 2025 findings.

Methodology

BlueVoyant commissioned its sixth annual survey, undertaken by the independent research organization Opinion Matters, in September 2025.

Eighteen hundred chief information officers (CIO), chief information security officers (CISO), chief operating officers (COO), chief security officers (CSO), chief technical officers (CTO), and chief procurement officers (CPO) responsible for supply chain and cyber risk management were surveyed. The respondents represented organizations with 1,000-plus empl