Managing Risk from Subsidiaries:
Goals, Friction, and Failure

White Paper by Osterman Research

Executive SummaryCover-WP2109-osterman-research copy

Organizations are overconfident in their ability to manage subsidiary risk, and they continue to experience attacks involving subsidiaries. This research examines how well large companies manage risk from subsidiaries, what difficulties and constraints they encounter, and the ramifications of these. The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with over $1 billion in annual revenue and an average of more than 19 subsidiaries.

The research shows a perplexing disparity between what large organizations want to believe and the actual state of affairs when it comes to managing subsidiary risk. The majority of organizations reported they were doing a good job managing subsidiary risk, yet 67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Even more telling, 50% of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.

Current tools and processes for managing subsidiary risk present multiple shortfalls, including a focus on compliance at the expense of security, complex onboarding processes, infrequent and lengthy risk management processes that leave too many blind spots, an excess of manual tools, and a lag between results and remediation.

Watch a short video to see how the CyCognito platform identifies attack vectors that might go undetected by other security solutions >>

The key takeaways of this research are:

  • Most have experienced a cyberattack that included a subsidiary
    67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Only 33% of respondents have not experienced a cyberattack that included a subsidiary. See Figure 1.
  • Assessing subsidiary risk is a high priority
    Respondents treat subsidiary risk as a priority: 85% regard assessing subsidiary risk as a top 10 priority relative to other security and risk initiatives. Overall, 47% regard subsidiary risks as a top 5 priority.
  • Concerns about digital transformation and supply chain breaches reign
    The macro trends seen as having the greatest impact on risk in subsidiaries are pandemic-accelerated digital transformation and supply chain breaches.
  • Half would not be surprised by a breach as a subsidiary tomorrow
    50% of respondents would not be surprised if a cyber-breach occurred “tomorrow” at one of their subsidiaries. Cybersecurity managers had a higher expectation of breach than risk managers.
  • Compliance, measurement, and prioritization the top drivers
    The three most important outcomes expected for subsidiary risk management are meeting compliance mandates, measuring subsidiary risk, and prioritizing investment in security posture improvement.
  • Point-in-time only, duration, and blind spots the top concerns
    The three highest ranked concerns about existing subsidiary risk management practices: they provide only a point-in-time snapshot, the process takes too long, and they offer only limited test coverage, leaving too many blind spots.
  • Desire for more actionable information, reduced false positives, and increased frequency
    The three changes respondents would most like to make in their process are getting actionable information, reducing false positives, and increasing the process frequency.

Osterman_CyCognito Final - Figure 1

Figure 1: Subsidiary Implicated in Cyber Attack Chain. Percentage of respondents.
  • Huge variation between current and preferred remediation time
    Two thirds of respondents report that time to remediate a detected subsidiary risk was a week or longer on average, and sometimes up to three months. For 71% of respondents, the preference is a day or less.
  • Risk and vulnerabilities increase with more subsidiaries
    Enterprises with more subsidiaries are 50% more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries. Respondents at parent companies with 17 or more subsidiaries were almost twice as likely to say that a subsidiary has been implicated in a cyberattack chain more than once than at parent companies with 16 or fewer subsidiaries.

About this White Paper

Osterman Research conducted a primary market survey of 201 organizations with at least 10 subsidiaries, and at least 3,000 employees and/or $1 billion in annual revenue. The 201 respondents were in management roles for cybersecurity, compliance, or risk. All organizations had staff dedicated to monitoring subsidiary risk. The survey and this white paper were sponsored by CyCognito; see the end of this paper for information on CyCognito.

For the purposes of this research, “subsidiaries” means any entity owned by a parent company, regardless of whether they are called a business unit, brand, standalone company, etc.

Cyber Risk from Subsidiaries Presents a Major Threat to Organizations

Even the organizations most focused on subsidiary risk and that rank it as a top priority have not been able to prevent attacks involving subsidiaries. In this section, we explore the detailed survey results and what they mean.


Subsidiary Risk Management is a Priority

All respondents to this survey work in organizations that have staff dedicated to managing subsidiary risk—something not true of organizations in general. Respondents treat subsidiary risk as a priority: 47% regard assessing subsidiary risk as a top 5 priority relative to other security and risk initiatives, and 85% overall regard subsidiary risk as a top 10 priority.

Despite the current focus on managing security risk at subsidiaries, 50% of organizations would not be surprised if a cyber-breach happened “tomorrow.”

Osterman_CyCognito Final - Figure 2

Figure 2. Priority of Assessing Cybersecurity Risk of Subsidiaries
Percentage of respondents

Not Surprised by Cyberattacks

Among these organizations with a high awareness and focus on subsidiary risk management, 67% of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility. Also surprising was that, even among this vigilant group, 50% of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.

Osterman_CyCognito Final - Figure 3

Figure 3. Expectations on Reaction to a Hypothetical Breach at a Subsidiary Percentage of respondents

Cyberattacks are Common

Only 33% of respondents have not experienced a cyberattack that included a subsidiary. Just under one third (31%) have experienced a cyberattack more than once where the attack surface or attack chain included one of its subsidiaries; 23% have experienced only one attack where the attack surface or chain included a subsidiary; and an alarming 12% of organizations said they were unsure if they experienced an attack involving a subsidiary because they lacked the visibility or information to know.


67% of organizations have experienced a cyberattack that included a subsidiary in the attack surface or attack chain.

CyCognito Final - Figure 4

Figure 4. Subsidiary Implicated in Cyberattack Attack
Chain Percentage of respondents

Macro Trends are Having an Impact

Macro trends and the business environment in which organizations operate affect operational realities. Recent events bring the importance of subsidiary risk management into sharper focus. The macro trends seen as having the greatest impact on risk in their subsidiaries were:

  • The impact of pandemic-accelerated digital transformation (69% of respondents said this trend was “very impactful” or “most impactful”). The requirement to rapidly transform business operations to support remote fulfilment and a work-from-home workforce under the duress of an unprecedented health pandemic has taken a toll on cybersecurity readiness.
  • The impact of supply chain breaches (56% of respondents). High-profile breaches over the past year—e.g., SolarWinds and Kaseya—have elevated the awareness of and concern about this type of threat.

CyCognito Final - Figure 5

Figure 5. Impact of Key Trends on Concerns About
Subsidiary Risk Percentage of respondents indicating “very impactful” and “most impactful”

Pandemic-accelerated digital transformation and supply-chain breaches
are the most impactful macro trends on managing subsidiary risk.


Factors That Hamper Subsidiary Risk Management

Several factors hamper the ability of organizations to manage subsidiary risk. In this section, we look at two significant factors.


A Focus on Compliance vs. Security

Compliance mandates and security imperatives have long gone together, but compliance is generally seen as a lower bar, and sometimes even a “checklist” or a “tick-the-box exercise” that must be met, as compared to a security-first approach. Yet compliance ranked first in the three most important outcomes expected for subsidiary risk management:

  • Meeting compliance mandates.
  • Measurement of subsidiary risk.
  • Prioritization of investment in security posture improvement.

Since respondents ranked compliance as the most important outcome for managing subsidiary risk, it may be less surprising that so many have seen attacks involving subsidiaries and that they wouldn’t be surprised if they were breached through a subsidiary soon.

Organizations are more focused on the compliance aspects of monitoring subsidiary risk than the security aspects.

CyCognito Final - Figure 6

Figure 6. Importance of Outcomes Percentage of respondents indicating “very important” and “most important”


Low Process Maturity for Onboarding Subsidiaries

Digging deeper exposed multiple process gaps that organizations face—and need to close—when it comes to subsidiary risk management. For instance, only 5% of organizations have mature processes to allow seamless onboarding of a subsidiary to their existing risk monitoring processes. As with any process, the more complex it is, the greater the likelihood for errors. In cybersecurity, those errors usually translate into security gaps that organizations are unaware of and attackers can exploit. In the case of onboarding new subsidiaries, 77% of respondents reported there’s a lot of onboarding work to be done, with 39% reporting that the parent company is saddled with the work, and an additional 38% said it placed a burden on both the subsidiary and the parent.

Only 5% of respondents said that onboarding a new subsidiary into their risk management process is a seamless activity. 

CyCognito Final - Figure 7

Figure 7. State of Onboarding Process for New Subsidiaries Percentage of respondents (sums to 99% due to rounding)


Once subsidiaries are onboarded to their risk monitoring processes, organizations indicated they were concerned about the infrequency and “point-in-time” nature of their processes (45%), how long it takes to perform them (41%), and limited coverage leaving too many blind spots (38%). The three things organizations want to change most about their existing subsidiary risk management process are getting more actionable information (42%), having fewer false positives (36%) and increasing the frequency of assessments (33%). More on these concerns and limitations below.


Visibility Gaps and Lack of Actionable Information

Respondents point to a desire for more security intelligence to help improve their subsidiary risk management processes. Given that these organizations have a focus on managing subsidiary risk, and they are primarily looking for compliance-oriented measurements, it is not surprising that they point to the need for information that is more complete, frequent, and actionable. In this section, we look at the top concerns and desired changes with current processes, along with the high cost of slower security processes.


Top Concerns with Existing Practices

Respondents rated the level of concern felt with eight aspects of their current subsidiary risk management process. The top three concerns are:

  • Too infrequent or provides only a point-in-time snapshot of security posture (45% of respondents said they were “very concerned” or “most concerned” about this issue).
  • It takes too long (41% of respondents).
  • Limited test coverage/too many blind spots for the subsidiaries we test (38% of respondents).

Organizations are looking for more complete, frequent, and actionable subsidiary risk intelligence. 

CyCognito Final - Figure 8

Figure 8. Concerns with Current Processes for Subsidiary Risk Management Percentage of respondents indicating “very concerned” and “most concerned”

Highly Rated Desired Changes

Respondents had a list of prioritized changes that they would like to make in their process for managing subsidiary risk. Out of the seven changes we asked about, the three highest rated changes were:

  • Getting actionable information.
  • Reducing false positives.
  • Increasing frequency.

More actionable information, fewer false positives, and increased process frequency are the most preferred changes in how subsidiary risk management operates. 

CyCognito Final - Figure 9

Figure 9. Importance of Factors to Change About Current Process for Monitoring Subsidiary Risk Percentage of respondents indicating “most” and “second-most important”

The Cost of Taking Too Long

Attackers are business-minded and motivated to find the greatest return on their attack “investment.” They seek the path of least resistance to find the portion of an enterprise’s attack surface that is least protected and least monitored, which would then allow them to get to valuable assets. What concerns respondents most about their current subsidiary risk management practices is the point-in-time nature of the data they get, with snapshot views quickly outdated. Further, existing processes don’t cover enough to begin with, leaving organizations at risk. Respondents also report that the quality of the data is a concern, with time-wasting false positives noted as one of the top three things they want to change.

Specifically, on taking too long, 54% report that it currently takes from 1 week to 3 months to measure the risk of all their subsidiaries. When asked how long they would prefer it to take, only 7.5% were willing to fall in that range. The vast majority—71%—said they want the results in a day or less. You can see this illustrated in Figure 10 where the blue bars indicate current practices, and the green bars (showing what’s desired) are effectively the blue bars shifted to the left, reflecting that organizations would prefer it take less time. Asked what is preventing them from achieving that more rapid cadence, a lack of time was reported as the biggest barrier (67%), implying that processes are likely highly manual in nature. That’s consistent with the next most significant barrier, limitations in their toolset (62%).

CyCognito Final - Figure 10

Figure 10. Time to Measure Subsidiary
Risk Percentage of Respondents

Time Lag Between Detection and Remediation

Beyond the time to measure the risk of subsidiaries, respondents also report a lag of time between detection of a security gap and remediation of said gap. More than half (53%) report that it takes at least a week or longer, with 20% of the overall taking a month or longer. This is a dangerous lag for an exposure that may well be the entry point for a ransomware gang.

CyCognito Final - Figure 11

Figure 11. Average Time to Remediate a Security Gap After Detection Percentage of respondents 

Few organizations are using a single tool for managing subsidiary risk, creating processes with largely manual efforts which increases the likelihood of mistakes and decreases chances of eliminating subsidiary risk.


Multiple Tools, Manual Processes

Organizations are generally using multiple tools (91%) to manage subsidiary risk. Only 9% are using just one tool, which indicates that there is no single product, or product category for that matter, that organizations can rely on. The majority (53%) use 2-3 different tools, and 38% are using 4 or more tools. This reinforces the fact that processes are largely manual: working with 3-6 different IT and security tools typically involves manual data extraction, correlation and reporting, and ultimately increases the likelihood of mistakes and decreases the chances of achieving the required cadence or coverage to find and eliminate subsidiary risk.

CyCognito Final - Figure 12

Figure 12. Number of Tools Used Currently to Monitor Subsidiary Cybersecurity Risk Percentage of respondents

The Cost of Too Many Tools

Currently used tools are proving insufficient for delivering the desired process frequency for measuring and remediating subsidiary risk.

Current toolsets are not capable of providing the analysis any quicker, and staff lack the time to cover tool-based weaknesses through manual efforts.

CyCognito Final - Figure 13

Figure 13. Reasons for Not Achieving Desired Process Frequency Percentage of Respondents

Effectiveness of Tools

Of the tools organizations are using, attack surface management products are viewed as the most effective solutions. Seen as least effective are questionnaires, cybersecurity risk rating services, and OSINT and other point tools. Questionnaires are likely the oldest “technology” in use and prone to human error and other selfreporting errors. OSINT tools require a great deal of manual effort to operate and extract useful information, which limits their utility. Security rating services may discover subsidiaries and other supply chain partners but use passive measures to assess security, so are not good at producing actionable security insights.

Based on the collective wisdom from the responses summarized in Figures 12-14, it appears that existing tools and processes leave gaps across subsidiary risk coverage and cadence and that a more scalable, automated approach is required to meet the needs of organizations looking to effectively manage their subsidiary risk.

Attack surface management solutions are viewed as the most effective tool category for managing subsidiary risk.

CyCognito Final - Figure 14

Figure 14. Effectiveness of Various Tool Categories
Percentage of respondents


Organizations with More Subsidiaries

Of the companies surveyed in this report, the mean and median numbers of subsidiaries were 16 and 20, respectively. It was clear that the more subsidiaries an organization had, the more hurdles there were to staying on top of subsidiary risk. Only 5% of parent companies have a process maturity that allows seamless addition of subsidiaries when onboarding into their current subsidiary risk process (see Figure 7). Given the growing importance of monitoring subsidiary risk, most parent companies have a substantial process gap to close to reduce the cost and time required for the onboarding of future subsidiaries. Having policies, procedures, personnel, and tools that can scale is increasingly important.


In this research, organizations with subsidiaries have:

  • More likelihood a subsidiary is part of an attack chain
    The more subsidiaries, the greater the attack surface and the likelihood of compromise. Respondents at parent companies with 17 or more subsidiaries were almost twice as likely to say that a subsidiary has been implicated in a cyberattack chain more than once than at parent companies with 16 or fewer subsidiaries.
  • Longer timeframes to measure risk
    Parent companies with fewer subsidiaries are significantly less likely to take over a month to gain an updated view of all subsidiaries. For example, with 16 or fewer subsidiaries (n=101 respondents), 19% of respondents take one month or longer. With 17 or more subsidiaries (n=100 respondents), 36% of respondents take one month or longer.
  • The more subsidiaries, the longer it takes to remediate vulnerabilities Organizations with more subsidiaries take longer to remediate security vulnerabilities than those with fewer subsidiaries. Parent companies with more than 17 subsidiaries are 50% more likely to take longer than a month to remediate a security vulnerability once it has been detected.

Organizations with more subsidiaries have a larger attack surface which elongates processes for measuring and remediating risks.

CyCognito Final - Figure 15

Figure 15. Current Time to Create Updated View of Subsidiary Risk: By Subsidiary Groupings Percentage of respondents


CyCognito Final - Figure 16

Figure 16. Current Time to Remediate Security Vulnerabilities: By Subsidiary Groupings Percentage of respondents


This study shows that the practice of managing subsidiary risk is substantially lacking for most large enterprises. The implications of low current process maturity and unaddressed, exposed security weaknesses will continue to escalate. In addition, many organizations fear an increased risk from subsidiaries because of pandemic-accelerated digital transformation along with supply-chain breaches, because subsidiaries expand the organization’s external attack surface. The ramifications of inferior risk management for subsidiaries are growing, meaning that organizations need to take urgent action to strengthen subsidiary risk management processes by embracing an elevated focus on security (vs. compliance) outcomes, introducing simpler and faster onboarding processes, driving more frequent and comprehensive visibility into vulnerable attack vectors, and shrinking the time gap between results and remediation.



The CyCognito platform uses nation-state-scale reconnaissance and offensive security techniques to close the gaps left by other security solutions including attack surface management products, vulnerability scanners, penetration testing, and security ratings services.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, nor may it be resold or distributed by any entity other than Osterman Research, without prior written authorization of Osterman Research.

Osterman Research does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.