A short read by CEO and Managing Director of Ionize Cyber Security, Andrew Muller
In my experience of securing organisations against cyber security threats, inside and out, I’ve often heard people argue that security compliance and certifications are pointless.
“They do not make an organisation good at security.” That may be true, but it only answers half the question.
What do they do? What is their true nature?
In the business world, security compliance and certifications are not really about security. Peel back the platitudes and doublespeak, and what they actually represent is an important avenue for market access.
That might sound cynical — but it is largely true.
Frameworks and certifications like ISO/IEC 27001, IRAP, SOC 2, and the Essential Eight, among others, rarely mean an organisation is “secure.” What they prove is that an organisation can document, evidence, and audit its controls.
To be fair, that’s a good start. But on their own, they do not prevent, detect, respond to, or recover from cyber-attacks.
And that is the point.
Certifications reduce risk for the buyer. They create a common language between vendors and customers. They allow procurement teams to shortlist suppliers. They enable entry into government panels, enterprise ecosystems, and regulated industries.
In other words: they unlock markets.
Real security is cultural. It is an operational discipline. It is how incidents are handled at 2am, not how policies read at 2pm.
Certifications matter — but we should be honest about their true nature. They are:
✔️ A trust signal
✔️ A procurement enabler
✔️ A competitive differentiator
❌ Not a guarantee of security.
The strongest companies understand and leverage both sides. They pursue certification for commercial access and for continued existence. At the same time, they invest in real security, because cyber resilience supports long-term viability.
While this thesis holds true in the business world, the inverse applies to regulators and governments. What compels them to achieve compliance or certification? Is the public going to start “shopping” at another Department of Health?
In these cases, we might observe waning compliance with standards (ASD reported a decline in Essential Eight Maturity Level 2 (E8 ML2) compliance from 25% to 15% between 2023 and 2024). There are several possible explanations for this decline, but the key question remains: does it matter? What are the consequences? Individual careers may be affected, but an organisation’s existence is unlikely to be threatened.
What is threatened are the Ministers responsible for those government functions. If government departments consistently fail to meet these benchmarks and breaches occur (as they do now), then constituents may vote accordingly.
This is much slower and less direct than in the business world where CEOs are held to account quickly by shareholders and boards. But it can still occur.
In short, understanding the true nature of both business and government allows us to encourage and support their security certification and compliance objectives. However, this must be done in the context that resonates with them, one that motivates the right decisions.
Security compliance and certifications are not for everyone. Investment should only be committed if it helps the organisation achieve its goals.