Vulnerabilities in suppliers and lack of skills: the two most critical fronts for CISOs


December 12, 2025

Corporate cybersecurity is at a critical juncture. On one hand, supply chain attacks have reached record levels: malicious actors no longer target only companies themselves, but also their suppliers, SaaS integrations, and third-party services.

On the other hand, organizations face a growing shortage of specialized talent capable of anticipating and managing these interconnected risks. This double pressure makes supplier security and the skills gap the most pressing challenges for CISOs in 2026.

In this context, each new technology partner adds a potential entry point and necessitates enhanced audits, continuous monitoring, and stricter security agreements. At the same time, the lack of professionals trained to operate, scale, and automate defense strategies leaves internal teams overburdened, trying to do more with less.

This reality is confirmed in a recent BrandShield report, which surveyed 200 CISOs about the main risks organizations face today. The study reveals a dispersion of threats that reflects the complexity of the digital ecosystem.

The 10 threats that most worry CISOs

  • Phishing

  • Malware and ransomware

  • Brand impersonation

  • Data and credentials leak

  • Supply chain attacks

  • Vulnerabilities in third-party software

  • Internal threats

  • Fraud on social media and fake websites

  • Deepfakes and identity manipulation

  • Risks associated with generative AI

The conclusion is clear: there is no single dominant threat. “Levels of concern are evenly distributed, indicating that CISOs today face an ecosystem of interconnected risks that reinforce each other,” explained Néstor Markowicz, COO of CertiSur.

This requires abandoning the traditional approach of prioritizing a single risk and moving towards a comprehensive defense based on multiple layers of security, including:

  • Automate certificate management

  • Detect and disable threats in real time

  • Incorporate multi-factor authentication (MFA)

  • Increase visibility into access points, exposed systems, and third parties

The current landscape demonstrates that cybercrime no longer operates in isolated compartments. A phishing campaign can be the prelude to ransomware; a digital identity manipulated through deepfake technology can enable critical access; a breach at a supplier can compromise the entire organization.

“Today, cybersecurity is a business issue, not just a technology issue,” Markowicz emphasized. “An attack can halt a company’s entire operations, generate significant losses, and damage its reputation. With diverse and highly interconnected threats, a single incident can escalate very quickly.”

Faced with this scenario, the priority is to gain visibility and automate. “The first step is to know which certificates, access credentials, and systems are exposed. Then, automate their management, add MFA, and raise team awareness. This combination immediately reduces the attack surface and prepares the organization to respond quickly to any incident,” the COO concluded.
