- Compliance Management
- 23rd Jan 2026
- 1 min read
Leadership Q&As: Why Fast Security Certifications No Longer Signal Trust
- Written by
In Short...
TLDR: 4 Key Takeaways
- Security certifications are no longer reliable shortcuts to trust. Rapid certification can mask shallow scope, templated compliance and controls that are not embedded in day-to-day operations.
- Speed has commoditised assurance. Automation and pre-packaged compliance have lowered barriers to entry, but also blurred the line between enabling good security and compressing audits into checkbox exercises.
- Real security maturity cannot be rushed. Culture, cyber hygiene, leadership oversight and operational consistency take time and cannot be convincingly evidenced in 30 to 90 days.
- Trust is shifting from badges to evidence. Buyers increasingly look for transparency, continuous proof and audit-readiness over time, not point-in-time certifications.
Read the full insight below.
Introduction
Security certifications were once a clear signal of maturity. They offered buyers confidence that an organisation took risk seriously and had invested in proper governance, controls and oversight.
Today, that signal is weaker.
“Get SOC 2 in weeks” and “ISO in 30 days” are now common claims. Certification has become faster, cheaper and easier to package. For organisations under commercial pressure, especially growing SaaS businesses, the appeal is obvious.
But speed changes meaning. And when certifications are achieved too quickly, they often raise more questions than they answer.
“When a company achieves a complex security certification in 30 to 90 days, it’s a red flag. It should make you ask more questions, not fewer.”
Matt Davies
This is not an argument against certifications. They still matter. But the way they are being pursued and interpreted has shifted, and that shift has consequences for trust.
What fast certification tells you, and what it doesn’t
When an organisation achieves a recognised certification in a very short timeframe, it tells you one thing clearly: a process has been completed.
What it does not tell you is whether security is embedded, understood or consistently applied.
In some cases, rapid certification is legitimate. A mature organisation may have operated effective controls internally for years before formalising them through independent assurance. In those situations, certification simply reflects work already done.
The concern arises when younger organisations with limited security resources achieve complex certifications almost immediately, especially when there is little visible evidence of security leadership, governance structures or operational depth behind the badge.
“You can make a certification almost worthless by scoping out the things that matter.”
Matt Davies
Without context, the presence of a certificate alone tells you very little about real risk.
Certifications still matter, but the questions have changed
Security certifications have not lost their value. But they no longer function as blanket indicators of maturity.
Historically, buyers asked simple questions: Do you have SOC 2? Are you ISO certified?
Today, those questions are only the beginning. The real signal lies beneath the surface.
- What is the scope?
- Which parts of the organisation are covered?
- Who issued the report?
- What does the language in the report actually say?
Two organisations can hold the same certification while representing very different risk profiles.
“SOC 2 is self-attestation that someone validates. It’s not the same as an independent audit.”
Matt Davies
Certifications now act as an entry point into an evidence-led assurance conversation, rather than a conclusion.
When speed starts to undermine credibility
Security maturity is cumulative. It is shaped by habits, behaviours, leadership involvement and operational discipline. These things do not compress neatly into a few weeks.
Policies can be written quickly.
Tools can be configured quickly.
Evidence can be assembled selectively.
What cannot be rushed is whether those controls are actually followed over time.
“You can write policies quickly. The real question is whether anyone follows them.”
Matt Davies
The rise of pre-packaged compliance and templated approaches has made it easier than ever to pass an audit without meaningfully changing behaviour. In doing so, it has quietly devalued the signal that certifications were designed to provide.
Automation: enabling security or compressing assurance?
Automation has transformed compliance, often for the better.
For small teams, technology makes it possible to monitor controls continuously, identify failures quickly and maintain consistency at scale. Without automation, many organisations simply would not cope.
The problem is not automation itself. The problem is how it is positioned.
“Automation helps you maintain controls, but buying a platform doesn’t make you secure.”
Matt Davies
When automation is sold as a shortcut to certification rather than a tool to support real security, assurance becomes compressed. Compliance becomes the goal, rather than the outcome of good risk management.
This shift encourages organisations to optimise for audit success rather than operational resilience.
The parts of security maturity that cannot be rushed
Some elements of security maturity simply take time, regardless of tooling.
Cyber hygiene and culture
People ignore policies. They reuse passwords. They upload sensitive information to unapproved tools. They fall for phishing attacks, even in security-aware organisations.
“You can have an incredible tech stack, and one person can undo it with a bad decision.”
Gabriel Few-Wiegratz
Changing behaviour requires education, reinforcement and visible leadership commitment. If security training becomes a tick-box exercise, behaviour does not improve.
“If security education becomes a tick-box exercise, people will cheat the test and behaviour won’t change.”
Gabriel Few-Wiegratz
Leadership oversight
Frameworks like ISO 27001 explicitly require evidence of sustained management involvement: not just sign-off on documents, but active oversight and engagement over time.
This is difficult to demonstrate quickly, and impossible to fake convincingly.
Communication and reporting
There is often a disconnect between how security teams measure success and what business leaders understand or care about.
“There’s a disconnect between how security teams talk and what business leaders care about. Bridging that gap takes leadership, not tooling.”
Gabriel Few-Wiegratz
None of these maturity signals appear reliably in a fast audit.
Not all auditors are equal
As certifications have become commercialised, the audit market has followed.
Some auditors apply rigorous, evidence-led scrutiny. Others are more willing to accept belief statements, limited samples or partial evidence.
“Not all auditors are equal. More buyers are starting to ask who issued the report, not just whether you have one.”
Matt Davies
Large enterprises are responding by pre-qualifying auditors or reserving the right to audit suppliers directly.
“Some contracts now include the right to audit you at any point. A certificate won’t save you if you can’t produce evidence on demand.”
Matt Davies
In that environment, point-in-time certification offers little protection.
When compliance is mistaken for trust
Perhaps the most damaging shift is the quiet assumption that compliance equals trust.
Certifications have become commercial table stakes: a minimum requirement to enter a supply chain rather than a meaningful signal of assurance.
“Trust has been productised. Branding can look like assurance, even when operational reality is messier.”
Gabriel Few-Wiegratz
Trust does not come from badges. It comes from transparency, consistency and the ability to demonstrate that controls work over time.
What buyers should look for instead
The answer is not to abandon certifications. It is to interpret them more intelligently.
Buyers should:
- Treat certifications as starting points, not conclusions
- Look beyond logos to scope, evidence and operational reality
- Expect transparency and access to supporting information
- Be sceptical of extreme speed claims
- Value continuous assurance over point-in-time success
“Documentation isn’t proof that people are actually doing the right things. That’s why continuous proof matters.”
Gabriel Few-Wiegratz
Increasingly, trust is built by organisations that can show what is true today, not just what was true during an audit window.
The future of security assurance
Certifications will continue to play a role. But as they become easier to obtain, they will matter less on their own.
The organisations that stand out will be those that can demonstrate consistency, transparency and control operation over time.
Fast badges. Slow security.
Real trust is earned in the space between audits.
Move Beyond Badges to Real Security Assurance
“In SureCloud, we’re delighted to have a partner that shares in our values and vision.”
Read more on how Mollie achieved a data-driven approach to risk and compliance with SureCloud.
© SureCloud 2026. All rights reserved.