Passing a security or compliance audit is often treated as the end goal. Organisations proudly display their certification and leadership assume they are safe. Yet history shows this confidence is misplaced. Time and again, businesses that have passed audits still fall victim to costly and disruptive breaches.
The danger lies in equating compliance with security. An audit is a snapshot, reflecting the state of controls at a point in time. Cyber threats, however, are dynamic. They evolve faster than any checklist and rarely fit neatly into the categories auditors measure. A ransomware attack launched weeks after an organisation achieves ISO 27001 certification will not care that the paperwork was in order; all that matters is whether a control was actually implemented and whether an exploitable weakness remains.
To understand the risks, it helps to look at what audits do well, where they fall short, and the habits that ultimately determine whether a business is resilient or exposed.
Checkbox Security vs Real Resilience
Audit frameworks are valuable, but they were never designed to catch every blind spot. Too many organisations approach certification as a box-ticking exercise. Policies may exist on paper, but daily behaviours and routines do not always match the documentation. Security awareness fades, patches are delayed, and supply chain risks slip through unnoticed.
We regularly see businesses invest heavily in preparing for the audit window, only to cut back the time allocated to the people responsible once the certificate is awarded. Staff training is conducted in the run-up to the inspection, but refresher sessions are postponed afterwards. Incident response plans are written and approved, but never rehearsed. This cycle of peaks and troughs creates dangerous gaps: periods in which an organisation is certified yet less prepared than it was during the assessment.
False Confidence and the Irish Context
In Ireland, breaches reported to the Data Protection Commission often stem not from a lack of compliance policies, but from overlooked execution. According to the DPC’s annual reports, the majority of complaints and incidents arise from human error, poor oversight of third parties, or outdated processes rather than deliberate disregard for compliance.
Similar patterns are echoed across Europe by ENISA, which has repeatedly warned against “security theatre”, where organisations appear compliant on paper but lack operational depth. This false confidence is particularly risky for SMEs, which often face resource constraints and cannot absorb the cost or disruption of a serious breach. Certifications provide reassurance, but they do not guarantee that staff, systems, and vendors behave securely in practice.
The Gaps Audits Rarely Expose
Audits test documented evidence well; behaviours are much harder to audit. An auditor can confirm that a policy exists and interview a sample of staff to see whether they understand and apply it consistently. However, it is common for organisations to put forward their most knowledgeable staff for those interviews. The result is that audit findings do not always reflect the wider culture and the everyday security behaviours of the organisation.
Resilience requires going further. Continuous monitoring, layered defences, and cultural awareness are critical. For example, SMEs that run regular tabletop exercises discover weaknesses in their incident response long before attackers do. Others review the security of their vendors twice a year, and more often for critical vendors. These additional steps are rarely mandated by audit frameworks, but they make a decisive difference in practice.
Conclusion
Certification is valuable, but it is not the goal. The real risk lies in what organisations don’t do after the audit. Without ongoing training, regular system updates, and proactive monitoring, the certificate quickly loses meaning. It is like the NCT certificate on your car: it is required, but day to day it is the reliability and readiness of the car that matters, not the certificate.
From our experience at The Compliance Team, working with Irish SMEs and international businesses, the strongest outcomes emerge when audits are treated as milestones, not finish lines. The lesson for the wider cybersecurity community is clear: compliance provides structure, but only continuous effort delivers resilience.
As cyber threats continue to evolve, Irish organisations have an opportunity to demonstrate leadership by embedding security into culture, not just compliance into processes. The certificate may hang on the wall and be displayed proudly on the website, but the real measure of protection lies in the habits sustained long after the auditor has left the building.
