The Checkbox Isn’t the Point: Does Speed Undermine Compliance Credibility?

Share Article:

Table of Contents:

A new piece of research landed recently that should make any MSP concerned with cybersecurity and compliance stop and think.

According to a June 2026 study⁽¹⁾ by business resilience specialists IO — conducted among 251 senior UK cybersecurity managers — 87% of respondents believe the speed at which compliance certification is achieved affects its credibility . Read that again. Nearly nine in ten practitioners, people who live inside these programs every day, believe a fast certification is a less credible one.

That’s not a fringe opinion. That’s a consensus.

Speed Is Being Sold as a Solution

There’s a growing market for accelerated compliance services. Vendors promise rapid, heavily automated routes to frameworks like CMMC, SOC 2, and NIST. The pitch is seductive: move fast, get certified, unlock contracts, demonstrate security posture. All true things, in isolation.

The problem is what gets lost in the compression.

Chris Newton-Smith, CEO of IO, put it plainly: “Organisations that focus on achieving certification as quickly as possible are at risk of leaving gaps in their security posture… treating certification as the end goal rather than the outcome of establishing and embedding effective compliance is more often than not at the expense of long-term resilience.”

The research backs this up with uncomfortable precision. 21% of respondents said third-party certifications may only reflect real-world security effectiveness at the time of audit — and can quickly become outdated . A certificate is a snapshot. Threats are not.

The Audit Passes. The Risk Stays.

This is the quiet danger of compliance-by-checkbox: the documentation looks right, the audit goes through, and everyone exhales. But unless controls are genuinely embedded — understood by the people who operate them, monitored continuously, and actively maintained — what you have is a paper fortress.

The 2024 City of Hamilton, Ontario ransomware breach illustrates the cost of that illusion. On paper, the city appeared compliant. MFA had been confirmed as “enabled.” In practice, it was only applied to administrative accounts. When attackers exploited those gaps, the city faced more than $18 million in damages, with 80% of systems taken offline and a denied cyber-insurance claim . Automation confirmed settings — not safeguards. The distinction cost millions.

This is not an isolated story. It’s a pattern.

What Practitioners Actually Trust

Here’s what the IO research found practitioners trust most: not a fast certification result, but continuous monitoring of controls, cited by nearly a third (31%) of respondents as the best indicator of an organization’s genuine compliance resilience .

On the question of human expertise: 45% said it is essential for evaluating whether automated compliance processes and actions are relevant or accurate . Another 33% said human expertise is needed specifically to interpret complex regulations, and 32% said humans are key to challenging the credibility or completeness of automated compliance evidence .

That last data point deserves emphasis. Practitioners aren’t just saying automation can’t do everything. They’re saying someone has to be willing to question what the automated evidence is actually telling you. That requires professional judgment, organizational context, and accountability — none of which live inside a dashboard.

Standards Were Built for This

None of the major compliance frameworks were designed with urgency in mind.

ISO 27001 is built on the Plan-Do-Check-Act cycle — a deliberate, iterative loop meant to embed security management deeply into how an organization operates, not to be sprinted through before a contract signing deadline. SOC 2 Type II requires controls to demonstrate operating effectiveness over time, not just documented existence at a point in audit . PCI-DSS, HIPAA, NIST — the same principle runs through all of them.

The standards are asking: is this real? Is it embedded? Will it hold? Speed is structurally at odds with those questions. And yet the business pressure to rush is entirely real. A startup needs SOC 2 to land its first enterprise customer. A consultancy needs ISO 27001 to qualify for a government tender. A fintech needs PCI compliance before it can process a single card transaction.

Those are legitimate commercial drivers — but a certificate obtained under deadline pressure answers a procurement question, not a security one.

  • Okta held ISO 27001 certification at the time of its 2023 breach, which ultimately affected 100% of its customer support users.
  • LastPass held SOC 2 Type II when attackers compromised a developer account and eventually installed a keylogger on a senior engineer’s home computer to capture vault credentials .
  • Drizly, later acquired by Uber, had been aware of critical security weaknesses since 2018 — credentials stored in plaintext, no MFA, no centralized monitoring, all outside of Uber’s SOC 2 scope. — and still suffered a breach exposing 2.5 million customers’ data.

In each case, the certificate said compliance. The breach said otherwise. Getting certified to win business is a reasonable goal; treating the certificate as proof of security is where organizations get into trouble.

Compliance as a Discipline, Not a Destination

This is the distinction Blacksmith has always built its work around. Compliance isn’t a milestone to be crossed and then filed away. It’s an operating discipline — a continuous practice woven into how a security program actually runs, day over day, audit cycle over audit cycle.

That means treating a compliance framework not as a checklist to satisfy an auditor, but as a living security program. It means monitoring controls in production, not just at point-of-audit. It means building governance structures — named ownership, review cycles, documented reasoning — that allow an organization to explain its security posture on demand, not just on the day an assessor shows up.

Commercially, the ability to demonstrate live, integrated governance is becoming a differentiator.

The Question to Ask

The IO research concludes with a challenge any organization should put directly to its compliance program:

“Do the people in this organization understand what they’re doing and why? Are the controls genuinely embedded? Would this hold if something went wrong tomorrow?”

If the answer is yes — controls running continuously, governance with clear accountability, human expertise guiding the hard calls — then the certification means something real. If the process was too fast for those questions to be properly answered, the certificate is a liability disguised as an asset.

The goal of compliance has never been a faster audit. It’s a more resilient organization. Those two things are not always the same path — and right now, 87% of the people closest to this work are telling us exactly that .

Blacksmith helps organizations build and sustain compliance programs that hold up beyond the audit — treating security governance as a continuous operating discipline, not a one-time event. Schedule a demo!


¹ IO’s Research Methodology

The research was conducted by Censuswide, among a sample of 251 UK cybersecurity managers+ (aged 23+). The data was collected between 08.04.2026 – 13.04.2026. Censuswide is a member of the Market Research Society (MRS) and the British Polling Council (BPC), and a signatory of the Global Data Quality Pledge. It adheres to the MRS Code of Conduct and ESOMAR principles.

Additional Sources:

Cyberdefense Wire

Schedule a Demo of Blacksmith!

Check Out Our Compliance Podcast on Spotify!