Cybersecurity certifications are often waved like talismans in boardrooms and underwriting meetings. These badges of honour decorate websites and annual reports, offering comfort to insurers, investors, and partners.
But this comfort may be dangerously misplaced.
The fundamental flaw in our reliance on certifications lies in their very nature – they’re frozen moments in time. When an organisation displays its ISO 27001 certification, it’s showing proof of compliance at the moment of audit, not proof of its current security posture.
Considering that the average time to detect a data breach is still 204 days, a company can maintain its certification while being completely compromised.
This temporal disconnect creates significant problems across industries. Financial institutions might require PCI DSS compliance from vendors handling credit card data, yet major breaches still occur at “compliant” organisations.
Healthcare providers in the US achieve HITRUST certification to satisfy HIPAA requirements, only to suffer ransomware attacks months later.
The insurance industry faces particular challenges in this environment.
A false dichotomy
Underwriters reviewing cyber policies often treat certifications as risk mitigants, yet there’s little correlation between holding certifications and avoiding breaches.
A company could have a perfect SOC 2 attestation while neglecting basic patch management. Another might maintain PCI DSS compliance while failing to monitor for credential stuffing attacks.
The uncomfortable truth is that certifications, while valuable for establishing a baseline security posture, create a false dichotomy between being “certified” and being “secure.”
It is important to remember that most standards are designed to provide only the absolute basic controls for establishing a security posture.
If a standard becomes too prescriptive, organisations may simply stop adopting it. Further, the scope of the certification audit may not match the scope of what is actually being insured.
This isn’t to say certifications lack value – they establish important frameworks and demonstrate initial commitment and a baseline security posture. But they were never designed to be the finish line.
True security requires continuous monitoring and improvement of the security posture, which periodic assessments and audits simply cannot provide.
How do you know you’re secure today?
The most sophisticated organisations now supplement certifications with real-time monitoring, automated threat detection, third-party audits, and continuous improvement processes.
They understand that security isn’t a state to achieve but a process to maintain and improve on.
Rather than treating certifications as sufficient proof of security, insurers should demand evidence that the insured continuously monitors its security posture.
This might include regular vulnerability scan reports, incident response testing logs, or third-party assessments and audits of the security posture.
The question shouldn’t be, “Do you have certification X?” but rather “How do you know you’re secure today?”
The cybersecurity landscape evolves too quickly for annual checkups to be sufficient. As threats grow more sophisticated and attack surfaces expand, our approach to assurance must keep pace.
Certifications can be part of the solution, but only if we stop treating them as the complete answer.
The organisations that understand this – those that view security as a continuous journey rather than a destination – will be the ones truly managing their risk.
Everyone else is just waiting for their next audit.
This article is written by Marc Krisjanous, associate director of audit at SixBlocks Audit, and Qubit Underwriting CEO Helen Ye.
Cybersecurity: The false promise of flawed certifications