UK cybersecurity managers doubt fast-track certification
Wed, 24th Jun 2026
IO has published research showing that 87% of UK cybersecurity managers believe the speed at which compliance certification is achieved affects its credibility. The findings point to scepticism about fast-track security compliance certification.
A survey of 251 UK cybersecurity managers found concern that businesses may treat certification as an end point rather than part of a broader process of maintaining controls, governance and oversight. This, IO said, can leave organisations with weak spots in their security posture even if they hold recognised certifications.
One finding focused on how respondents judge resilience in practice. Nearly a third, 31%, said continuous monitoring of controls is the best indicator of an organisation's security compliance resilience, suggesting many practitioners place greater value on ongoing oversight than on how quickly a certificate is obtained.
Another result highlighted doubts about how long an audit outcome remains a reliable guide. Some 21% of respondents said third-party certifications may somewhat reflect the real-world effectiveness of an organisation's security controls at the time of audit but can quickly become outdated.
Human oversight
The research also pointed to a continued role for people in compliance work as providers market increasingly automated routes to certification. While automation can help gather evidence and handle routine checks, respondents indicated that judgement and interpretation still matter when businesses assess complex rules and day-to-day practice.
According to the survey, 45% said human expertise remains essential when evaluating whether suggested automated compliance processes and actions are relevant or accurate. A further 33% said human expertise is needed to interpret complex regulations, while 32% said it is important for challenging the credibility or completeness of automated compliance evidence.
Chris Newton-Smith, Chief Executive Officer of IO, said pressure to secure certification quickly can come at the expense of deeper operational work.
"Organisations that focus on achieving certification as quickly as possible risk leaving gaps in their security posture. Certification can open doors to new contracts and demonstrate commitment to recognised standards, but treating it as the end goal rather than the outcome of establishing and embedding effective compliance often comes at the expense of long-term resilience. Businesses must treat compliance not as a tick-box exercise but as an evolving, iterative and business-critical project," he said.
The figures come as many organisations face rising expectations from customers, partners and regulators to prove that compliance is embedded in normal operations rather than assembled shortly before an audit. Standards such as ISO 27001 are built around continuous improvement, placing emphasis on maintaining and testing controls over time.
That distinction between holding a certificate and demonstrating operational resilience runs through the survey findings. Respondents appeared to draw a line between documented compliance and a business's ability to continue functioning effectively during disruption or scrutiny.
Newton-Smith said compressed implementation can limit the evidence that controls are properly established within an organisation.
"Certification provides valuable independent assurance that an organisation has implemented controls. However, where implementation has been heavily compressed, there may be limited opportunity to demonstrate that those controls have been embedded, monitored and improved over time. Genuine resilience requires controls to be embedded, understood and actively maintained, not just documented for inspection.
"The research gives us a clear picture of what practitioners believe genuine compliance resilience looks like: controls that are monitored continuously, governance with named accountability and human expertise kept in the loop. These are the foundations that allow an organisation to keep operating through disruption, demonstrate its security posture on demand and absorb regulatory change without starting from scratch. Done rigorously, compliance delivers all this. It is not just a certification, but the capability to audit faster, absorb new requirements without disruption, face fewer costly surprises, keep the business running and keep earning trust."
Commercial pressure
The debate is not only about internal controls. Certification often influences procurement decisions and access to contracts, creating incentives to seek the shortest route to a recognised standard. The survey suggests cybersecurity managers are wary of that dynamic if it pushes organisations to prioritise speed over durability.
For buyers and partners, the question increasingly extends beyond whether a supplier holds certification. Businesses are also being asked to show how they monitor controls, assign responsibility and respond to change after the audit has finished.
Newton-Smith framed this as a test of whether compliance is meaningful inside the organisation rather than simply visible on paper.
"The question to ask of any compliance programme is not how long it took. It is: do the people in this organisation understand what they are doing and why? Are the controls genuinely embedded? Would this hold if something went wrong tomorrow? If the answer to those questions is yes, the certification means something. If the process was too fast for those questions to have been properly answered, the certificate is a risk, not a reassurance.
"Procurement teams and partners are increasingly assessing not just whether an organisation holds certification, but how it manages compliance on an ongoing basis. Certification remains an important signal of trust, but organisations are increasingly expected to demonstrate that compliance is embedded into day-to-day operations through governance, monitoring and continual improvement. The ability to demonstrate live, integrated governance is becoming a commercial differentiator for businesses."