Whistic and RiskRecon announced the release of a research report showing companies are increasing spending on cyber risk management.

New report finds that companies are spending more on vendor security and cyber risk management

Salt Lake City—Whistic and RiskRecon, a Mastercard company, today announced the release of a joint research report showing three out of five companies are increasing spending on cyber risk management to “trust but verify” vendors. The report, “The Modernization of Cybersecurity | How Technology is Changing the Way Businesses View Vendor Assessment and Cybersecurity,” looks at how recent investments in technology have impacted vendor security and cyber risk management.

“Vendor security and cyber risk practitioners are the first line of defense against potential security incidents and without a continued investment in technology, they are fighting a losing battle,” says Nick Sorensen, CEO of Whistic. “That’s why we were encouraged to see more and more businesses are prioritizing these programs with not only technology spend, but executive visibility into how they are run and what response and remediation strategies should be.”

More than 500 cyber risk and infosec practitioners were surveyed for the report. 

Key findings include:

Cyber risk and vendor security management are top priorities. The survey shows 80 percent of respondents have cyber risk and vendor security programs in place and 60 percent report they have incorporated more technology into their programs over the past five years.

Additionally, as the threat of third-party security incidents continues to increase, the issue is a top concern even at the highest levels of companies, as 71 percent of respondents report program metrics to internal leadership outside of security business functions.

Investment in technology results in increased program maturity. Overall, 64 percent of respondents indicate their cyber risk and vendor security programs are either mature or advanced. However, program maturity depends heavily on the size of the organization, as 66 percent of enterprises have advanced-stage programs, while just six percent of startups are at that level and 64 percent have early to non-existent programs.

Trust but verify is still a staple in the industry. When it comes to security questionnaires, 53 percent of respondents say they trust what their vendors send them. Despite that trust, 61 percent of respondents say they still verify vendor responses using a third-party validation tool.

“The reliance on third parties is only increasing, and organizations must understand the threats coming from their vendor ecosystem,” says Kelly White, founder, RiskRecon, a Mastercard Company. “We have seen too many large-scale cyber incidents in the past few years for firms to overlook proper third-party risk management. Your organization is only as secure as the vendors you work with.” 

You can access the full findings of the report here.

About Whistic

Located in the heart of the Silicon Slopes in Utah, Whistic is the network for assessing, publishing and sharing vendor security information. The Whistic Vendor Security Network accelerates the vendor assessment process by enabling businesses to access and evaluate a vendor’s Whistic Profile and create trusted connections that last well beyond the initial assessment. Make security your competitive advantage and join businesses like Airbnb, Okta, Betterment, and Qualtrics who are leveraging Whistic to modernize their vendor security programs. For more information, visit

About RiskRecon

RiskRecon, a Mastercard Company, enables you to achieve better risk outcomes for your enterprise and your digital supply chain. RiskRecon’s cybersecurity ratings and assessments make it easy for you to understand and act on your risks, delivering accurate, risk-prioritized action plans custom-tuned to match your risk priorities. Learn more about RiskRecon and request a demo at