87% of cybersecurity chiefs say rapid compliance checks damage trust

Nearly nine in ten senior cybersecurity managers in the UK harbour serious doubts about the credibility of certifications obtained through fast-track compliance programmes, according to research by business resilience firm IO. The study, which surveyed senior cybersecurity managers, found that 87% believe the speed at which certification is achieved directly affects its credibility – a figure that points to a growing unease across the industry about the rise of accelerated compliance offerings.
The concern is not that speed itself is inherently flawed. What worries practitioners is the erosion of rigour that often accompanies compressed, automated compliance processes. When a provider promises a quick, end-to-end, largely automated route to a certificate, the risk is that the organisation obtains a piece of paper without the underlying capability to withstand a real-world incident. Chris Newton-Smith, chief executive of IO, put it bluntly: “Organisations that focus on achieving certification as quickly as possible are at risk of leaving gaps in their security posture. Certification can open doors to new contracts and demonstrate commitment to recognised standards, but treating certification as the end goal rather than the outcome of establishing and embedding effective compliance is more often than not at the expense of long-term resilience.”
The research underlines a structural problem: the very nature of rapid compliance runs counter to the philosophy of the standards it claims to satisfy. ISO 27001, the international standard for information security management, is explicitly built on a cycle of continuous improvement – a principle that cannot be shortcut. Software platforms that treat certification as a one-time documentation exercise, Newton-Smith argued, are “structurally at odds” with that principle. In practice, an organisation that has gone through a heavily compressed implementation may have had limited opportunity to demonstrate that its controls have been embedded, monitored and improved over time. Certification in such cases amounts to little more than a snapshot on the day of the audit.
The limitations of that snapshot were acknowledged by the managers themselves. One in five respondents (21%) said third-party certifications may only reflect the real-world effectiveness of an organisation’s security controls at the time of audit and can quickly become outdated. That admission raises uncomfortable questions for procurement teams and partners who rely on certification as a proxy for ongoing security. Meanwhile, nearly a third of those surveyed (31%) pointed to continuous monitoring of controls as the strongest indicator of an organisation’s security compliance resilience – not a rapid certification result. Continuous monitoring, by its nature, catches drift, identifies gaps as they emerge, and provides a living picture of an organisation’s security posture, rather than a single attestation that may already be stale.
The push for speed is not happening in a vacuum. The UK regulatory landscape is evolving rapidly, and the consequences of treating compliance as a tick-box exercise are becoming steeper. The government’s Cyber Security and Resilience Bill, introduced in November 2025 and expected to receive Royal Assent in 2026, will overhaul the existing NIS Regulations, expanding their scope to include data centres and managed service providers, and introducing fines of up to £17 million or 4% of worldwide turnover. It will also mandate cyber resilience as a legal requirement and oblige organisations to report incidents to regulators and the National Cyber Security Centre within 24 hours. Against that backdrop, a certificate obtained through a compressed process – which may not reflect genuinely embedded controls – becomes a liability rather than a reassurance. Similarly, the government-backed Cyber Essentials scheme, while designed as a baseline for businesses, has seen alarmingly low uptake: only 5% of businesses reported adherence in the latest Cyber Security Breaches Survey, suggesting that even the most basic levels of certification are not being reached by the vast majority of UK firms.
Small and medium-sized enterprises face particular pressures. Resource constraints and a lack of deep cybersecurity expertise make them natural targets for providers offering quick, low-touch certification routes. Yet the same research briefing notes that small businesses have seen a return to previous levels of weakness in areas such as risk assessments and formal policies, indicating that speed-driven compliance programmes may be doing little to address foundational issues. The growing emphasis on supply chain security – with procurement teams increasingly scrutinising suppliers’ contractual obligations and ongoing compliance practices – means that a certificate obtained rapidly may no longer satisfy the demands of sophisticated buyers.
Human expertise remains essential to credible compliance
If speed and automation are not the answer, what is? The research points decisively to the value of human judgement and continuous, integrated governance. While automation can accelerate evidence gathering and routine checks, it cannot replace the professional judgement required to interpret complex regulatory requirements, assess context, or identify where an organisation’s documented compliance posture does not fully reflect its day-to-day operational resilience.
The survey numbers make the point forcefully. Forty-five percent of respondents said human expertise is still essential when evaluating whether suggested automated compliance processes and actions are relevant or accurate. A third (33%) said human expertise is needed to interpret complex regulations, and a further 32% said it is key to challenging the credibility or completeness of automated compliance evidence. These findings suggest that practitioners are well aware of the limits of software-driven compliance: an automated system can gather data, but it cannot exercise the nuance needed to decide whether a particular control genuinely addresses a specific risk, or whether a documented process is actually being followed on the ground.
Newton-Smith emphasised that genuine resilience requires controls that are “embedded, understood, and actively maintained, not just documented for inspection.” He laid out the foundations that practitioners see as essential: controls that are monitored continuously, governance with named accountability, and human expertise kept in the loop. “These are the foundations that allow an organisation to keep operating through disruption, demonstrate its security posture on demand and absorb regulatory change without starting from scratch,” he said. “Compliance done rigorously delivers all this. It is not just a certification, but the capability to audit faster, absorb new requirements without disruption, face fewer costly surprises, keep the business running and keep earning trust.”
The broader cybersecurity landscape reinforces the need for this approach. The integration of artificial intelligence into security tools presents a dual challenge: while 79% of UK and US organisations are using AI for security, 52% say it is actually hindering their efforts, with concerns including data poisoning attacks and the rapid, often unmanaged deployment of AI tools – so-called shadow AI. In such an environment, the ability to rely on human oversight and professional judgement becomes even more critical. Regulations such as the Data Protection Act 2018, the UK GDPR, the NIS Regulations 2018 and the Telecommunications (Security) Act 2021 already impose obligations that demand nuanced interpretation and sustained attention, not a single compliant moment.
Ultimately, the commercial implications may be the most powerful driver of change. Newton-Smith noted that procurement teams and partners are increasingly assessing not just whether an organisation holds a certification, but how it manages compliance on an ongoing basis. “Certification remains an important signal of trust, but organisations are increasingly expected to demonstrate that compliance is embedded into day-to-day operations through governance, monitoring and continual improvement,” he said. “The ability to demonstrate live, integrated governance is becoming a commercial differentiator for businesses.” For any organisation tempted by a quick certificate, the warning from the research is clear: if the process was too fast for the fundamental questions about understanding, embedding and resilience to have been properly answered, the certificate itself is a risk, not a reassurance.