UK cybersecurity leaders have delivered a blunt verdict. 87% say programs that rush companies toward certification actually heighten risk and weaken long-term staying power.
The finding comes from fresh research by IO, a firm focused on operational endurance. Its survey of 251 senior managers paints a picture of certification as theater. Companies chase badges like ISO 27001 to win contracts and project confidence. Yet the haste leaves gaps that attackers can exploit.
Chris Newton-Smith, CEO of IO, put it plainly. “Organizations that focus on achieving certification as quickly as possible are at risk of leaving gaps in their security posture.” He added that treating certification as the finish line, rather than the result of solid practices, often sacrifices endurance. (TechRadar, June 24, 2026)
Short bursts of automation promise speed. They generate evidence, flag controls, and spit out reports. But nearly half the managers—45%—insist human judgment remains essential to decide whether those automated suggestions still fit the current environment. Another 33% highlighted the need for people to interpret tangled rules. And 32% stressed that automated proof still demands human review before anyone can trust it.
Only 31% pointed to continuous controls monitoring as the best sign of genuine strength. Meanwhile 21% noted that a certificate might capture a snapshot during audit season yet turn stale weeks later. The system creates an illusion. Boards see the stamp. Insurers offer better rates. Sales teams close deals. Yet the underlying machinery may have shifted.
But the problem runs deeper than rushed timelines. Recent analyses show compliance often stays locked in documents while real threats evolve in real time. A January 2026 report from MetricStream flagged AI-driven weaknesses as the fastest-climbing concern, cited by 87% of respondents in related World Economic Forum data. (MetricStream, Jan. 29, 2026)
That overlap matters. Automated compliance tools now promise to handle both regulatory checkboxes and emerging AI risks. Yet the same executives who doubt speed-focused programs also question whether technology alone can bridge the gap. Human expertise keeps surfacing as the missing piece.
Consulting firm BCG reached similar conclusions in its 2026 risk review. Ninety percent of companies rank technology, data, and cyber issues among their top priorities. Barely 60% have folded those concerns into core risk processes. Even fewer describe their programs as advanced. The gap between declared importance and operational reality has widened. (BCG)
Regulators have noticed. Frameworks once treated as voluntary guidance now carry real penalties. NIST updated its Cybersecurity Framework to stress enterprise risk integration and workforce factors. The EU’s Cyber Resilience Act and AI Act demand documented controls and secure design from the start. Point-in-time audits no longer satisfy examiners. Evidence must flow continuously.
So organizations face a fork. One path doubles down on faster automation to meet tighter reporting windows. The other invests in sustained monitoring, skilled people, and iterative improvement. Early signals suggest the second choice delivers better outcomes. Companies that treat compliance as an evolving effort report stronger incident response and fewer surprise breaches.
The Human Factor Cannot Be Automated Away
Automation excels at repetition. It scans logs, maps controls, and compiles audit packs at impressive scale. Yet interpretation requires context. A control that passed last quarter may fail this month after a cloud migration or supplier change. Managers in the IO study repeatedly circled back to this reality.
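The "passed last quarter, fails this month" pattern above is exactly what continuous controls monitoring is meant to catch. The following is an added example, not code from IO or any vendor named in the article: it re-evaluates a small set of controls against the current environment and compares the result with the snapshot recorded at audit time, so drift since the certificate was issued is surfaced for a human to review. The control identifiers, the audit snapshot and the "current state" (an admin service account created during a migration without MFA, a temporary public storage bucket, a stale supplier pentest) are all constructed for the example.

```python
"""Continuous control monitoring vs. an audit-time snapshot (added example).

All control IDs, states and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str                        # hypothetical identifier
    description: str
    check: Callable[[dict, date], bool]    # evaluates the live state on a given day


# Hypothetical controls, each a small, re-runnable check against live state.
CONTROLS: List[Control] = [
    Control("MFA-ALL-ADMINS", "Every administrative account enforces MFA",
            lambda s, today: all(a["mfa"] for a in s["admins"])),
    Control("STORAGE-PUBLIC-ACCESS-BLOCKED", "No storage bucket is publicly readable",
            lambda s, today: not any(b["public"] for b in s["buckets"])),
    Control("LOG-RETENTION-90D", "Security logs retained at least 90 days",
            lambda s, today: s["log_retention_days"] >= 90),
    Control("VENDOR-PENTEST-CURRENT", "Key supplier pentest is under 12 months old",
            lambda s, today: (today - s["vendor_pentest_date"]).days <= 365),
]

# Constructed: what the auditor recorded on the certification date.
AUDIT_SNAPSHOT = {
    "date": date(2026, 3, 1),
    "results": {c.control_id: True for c in CONTROLS},
}

# Constructed: the environment a few months later, after a cloud migration
# and a supplier change. Nothing in the certificate reflects these changes.
CURRENT_STATE = {
    "admins": [
        {"name": "alice", "mfa": True},
        {"name": "svc-migration", "mfa": False},   # break-glass account left enabled
    ],
    "buckets": [
        {"name": "backups", "public": False},
        {"name": "tmp-migration-export", "public": True},
    ],
    "log_retention_days": 90,
    "vendor_pentest_date": date(2025, 1, 15),      # new supplier, old report
}


def evaluate_controls(state: dict, today: date) -> Dict[str, bool]:
    """Run every control check against the live state as of `today`."""
    return {c.control_id: bool(c.check(state, today)) for c in CONTROLS}


def detect_drift(snapshot_results: Dict[str, bool],
                 current_results: Dict[str, bool]) -> List[str]:
    """Controls that passed at audit time but fail now, sorted for stable output."""
    return sorted(cid for cid, passed in snapshot_results.items()
                  if passed and not current_results.get(cid, False))


def monitoring_report(snapshot: dict, state: dict, today: date) -> dict:
    """Compare the certificate's snapshot with the current evaluation.

    Drifted controls are handed to a human reviewer rather than auto-closed:
    the check can say a control is failing, not whether the change was
    approved or what the right remediation is.
    """
    current = evaluate_controls(state, today)
    drifted = detect_drift(snapshot["results"], current)
    return {
        "days_since_audit": (today - snapshot["date"]).days,
        "drifted": drifted,
        "still_passing": sorted(cid for cid, ok in current.items() if ok),
        "needs_human_review": bool(drifted),
    }


if __name__ == "__main__":
    report = monitoring_report(AUDIT_SNAPSHOT, CURRENT_STATE, date(2026, 6, 24))
    print(f"{report['days_since_audit']} days since audit")
    for cid in report["drifted"]:
        print(f"DRIFT: {cid} passed at audit, fails now")
```

The design point is that the checks are cheap enough to run on every change, not once a year, and that the output is a review queue rather than a verdict: the script can tell an analyst that the migration account lacks MFA or that the export bucket is public, but deciding whether that was a sanctioned exception is the judgment call the survey respondents say still belongs to people.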
Newton-Smith’s warning carries weight because it matches patterns seen across industries. Certification wins business. It rarely stops determined intruders. Attackers don’t care about audit dates. They probe for the weakest link, often one that emerged after the last review.
Recent guidance from Bitsight drives the point home. Modern rules have shifted toward continuous, evidence-based approaches. Annual snapshots fall short when supply chains stretch across borders and threats change weekly. (Bitsight)
Executives who ignore the data do so at their peril. Insurance premiums rise for firms with recent certifications but poor monitoring. Boards face tougher questions after incidents that “should not have happened” given the paperwork on file. The credibility gap the IO survey revealed has started to affect valuations and partnerships.
Forward-looking teams have begun to blend the two worlds. They use automation for speed on routine tasks while keeping skilled analysts focused on judgment calls, scenario planning, and validation. The result looks less like a checkbox sprint and more like steady, measurable progress.
That progress shows in lower dwell times, fewer successful phishing incidents, and audit reports that examiners accept without endless back-and-forth. Speed still matters. But it must serve resilience rather than replace it.
The message from UK cybersecurity managers lands at a pivotal moment. Regulations tighten. AI attacks accelerate. Boards demand proof that spending actually reduces danger. Rushing the paperwork no longer fools anyone who matters. Real endurance comes from practices that outlast the next audit cycle. Companies that grasp this difference will separate themselves from those that merely collect certificates.
WebProNews is an iEntry Publication