New Research Finds 87% of Cybersecurity Managers Say Speed-Focused Compliance Certification Undermines Credibility

Research from IO underscores widespread concerns that the growing market for accelerated and highly automated compliance implementation services could undermine businesses' long-term resilience

LONDON, U.K. – 30 June 2026 – New research from business resilience specialists, IO, suggests growing concern that the rise of accelerated compliance offerings is contributing to a perception that certification alone delivers resilience, when the greatest business value comes from establishing, embedding and continuously improving the management systems that sit behind it. The research revealed that 87% of senior cybersecurity managers in the UK believe the speed at which certification is achieved affects its credibility.

The concern is not that speed is inherently the wrong approach. It is that compliance done fast, compressed, automated end-to-end, stripped of rigour, doesn't deliver what compliance is actually for. It delivers a certificate. It doesn't deliver a business that can handle what comes next.

As more providers promise quick, automated routes to compliance, businesses risk mistaking speed for resilience and security. The stakes are significant. Cyber incidents and compliance failures can lead to substantial financial losses, operational disruption, reputational damage, customer attrition and higher insurance costs. As a result, many organisations now view cybersecurity compliance not simply as a certification exercise, but as a core component of business resilience and long-term risk management.

Chris Newton-Smith, CEO of IO, explains, “Organisations that focus on achieving certification as quickly as possible are at risk of leaving gaps in their security posture. Certification can open doors to new contracts and demonstrate commitment to recognised standards but treating certification as the end goal rather than the outcome of establishing and embedding effective compliance is more often than not at the expense of long-term resilience. Businesses must treat compliance not as a tick-box exercise but an evolving, iterative, and business critical project.”

This is echoed in the findings: 21% of respondents said that third-party certifications may somewhat reflect the real-world effectiveness of an organisation’s security controls at the time of audit but can quickly become outdated, which raises further questions about how much confidence businesses should place in certification achieved through accelerated implementation approaches alone. Additionally, nearly a third of those surveyed (31%) cited continuous monitoring of controls as the best indicator of an organisation’s security compliance resilience, not a rapid certification result.

ISO management system standards, including ISO 27001, are explicitly built on continual improvement: ISO 27001 requires the organisation to continually improve the suitability, adequacy and effectiveness of its information security management system, not merely to document it once for audit. Software platforms that treat certification as a one-time documentation exercise are structurally at odds with that principle, and practitioners appear to know it. Organisations that treat compliance as a continuous operating discipline, rather than a cost to be minimised through speed, are the ones that compound their advantage over time.

Newton-Smith continues, “Certification provides valuable independent assurance that an organisation has implemented controls. However, where implementation has been heavily compressed, there may be limited opportunity to demonstrate that those controls have been embedded, monitored and improved over time. Genuine resilience requires that controls are embedded, understood, and actively maintained, not just documented for inspection.

“The research gives us a clear picture of what practitioners believe genuine compliance resilience looks like, with controls that are monitored continuously, governance with named accountability and human expertise kept in the loop. These are the foundations that allow an organisation to keep operating through disruption, demonstrate its security posture on demand and absorb regulatory change without starting from scratch. Compliance done rigorously delivers all this. It is not just a certification, but the capability to audit faster, absorb new requirements without disruption, face fewer costly surprises, keep the business running and keep earning trust.”

Humans are essential to credible compliance

The broader cybersecurity landscape is placing increasing emphasis on governance and resilience. The World Economic Forum's Global Cybersecurity Outlook highlights the growing complexity of cyber risks and the need to embed cybersecurity into business strategy, governance and long-term risk management. As automation expands, human oversight remains essential to maintaining effective cyber resilience.

The findings also show why human expertise remains essential to credible compliance. While automation can speed up evidence gathering and routine checks, it cannot replace professional judgement when interpreting complex regulatory requirements, assessing context or identifying where an organisation's documented compliance posture may not fully reflect its day-to-day operational resilience.

Some 45% of respondents believe that human expertise is still essential when evaluating whether the processes and actions proposed by automated compliance tooling are relevant or accurate, with 33% saying human expertise is needed to interpret complex regulations. A further 32% said human expertise is key to challenging the credibility or completeness of automated compliance evidence.

“The question to ask of any compliance programme isn't how long it took. It's: do the people in this organisation understand what they're doing and why? Are the controls genuinely embedded? Would this hold if something went wrong tomorrow? If the answer to those questions is yes, the certification means something. If the process was too fast for those questions to have been properly answered, the certificate is a risk, not a reassurance.

“Procurement teams and partners are increasingly assessing not just whether an organisation holds certification, but how it manages compliance on an ongoing basis. Certification remains an important signal of trust, but organisations are increasingly expected to demonstrate that compliance is embedded into day-to-day operations through governance, monitoring and continual improvement. The ability to demonstrate live, integrated governance is becoming a commercial differentiator for businesses,” concludes Newton-Smith.

About IO

IO is the business resilience platform helping organisations move beyond compliance to build information security, data privacy and AI governance that holds up in the real world.

Most compliance tools are only built to help you pass an audit. IO is built for audit and what comes after. That requires governance with the operational depth to back the certificate up; controls that are embedded, understood and actively maintained. Our platform gives organisations the structure, workflows and evidence management to run compliance properly, backed by a team that works directly with customers every day to make sure the right judgement is applied at every point where it matters. We have been doing this for over a decade.

IO brings Information Security, Data Privacy and AI Governance together in one joined-up SaaS platform, supporting over 100 global frameworks including ISO 27001, ISO 27701, ISO 42001, SOC 2, GDPR, NIS2 and DORA. It is trusted by over 1,000 organisations worldwide, including ScottishPower, Siemens, TUI, Rightmove and Panasonic, and has been rated a G2 Leader for 9 quarters in a row.

IO. Setting the standard for business resilience.

Research Methodology

The research was conducted by Censuswide among a sample of 251 UK cybersecurity managers or more senior (aged 23+). The data was collected between 08.04.2026 and 13.04.2026. Censuswide is a member of the Market Research Society (MRS) and the British Polling Council (BPC), and a signatory of the Global Data Quality Pledge. It adheres to the MRS Code of Conduct and ESOMAR principles.

Finance Digest