87% of cybersecurity managers say quick compliance programs are actually increasing risk and making businesses less resilient


  • IO research shows 87% of UK cybersecurity managers doubt the credibility of speed‑focused certification programs
  • Rapid, automated compliance creates a false sense of security, with certifications like ISO 27001 not guaranteeing resilience
  • Experts stress continuous monitoring and human oversight, as automated recommendations and evidence still need validation and interpretation

Speed-focused compliance programs can help businesses obtain cybersecurity certifications more quickly, but security professionals are skeptical when that speed comes at the expense of actual business resilience.

This is according to new research from resilience specialists IO, which claims that 87% of senior cybersecurity managers in the UK believe the speed at which certification is achieved affects its credibility.

According to the report, compliance initiatives that are either heavily automated or compressed into short timeframes are creating a false sense of security. Certifications like ISO 27001 might help companies win contracts and maintain an image, but researchers are warning that certification alone does not guarantee actual operational resilience.


Gaps in security posture

“Organizations that focus on achieving certification as quickly as possible are at risk of leaving gaps in their security posture,” says Chris Newton-Smith, CEO of IO. “Certification can open doors to new contracts and demonstrate commitment to recognised standards but treating certification as the end goal rather than the outcome of establishing and embedding effective compliance is more often than not at the expense of long-term resilience. Businesses must treat compliance not as a tick-box exercise but an evolving, iterative, and business critical project.”

Polling 251 cybersecurity managers in the UK, IO found that 31% consider continuous controls monitoring as the strongest indicator of compliance resilience. At the same time, a fifth (21%) said certifications could reflect security controls at the time of an audit, but could soon after become obsolete.

IO also stressed the importance of human expertise in these programs. Almost half (45%) of the respondents said human involvement is still essential when evaluating whether automated compliance recommendations are relevant and accurate, and another third (33%) said complex regulations still need human interpretation.

Finally, 32% stressed the importance of human involvement in validating compliance evidence generated by automated systems.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
