In my 20 years in the cyber industry, I’ve watched certification evolve from a periodic checkbox exercise into a strategic necessity.
Whether I’m speaking with clients about PCI-DSS, GDPR, DORA, NIST, or CMMC, the underlying story is always the same: regulatory expectations are rising, cyber risk is intensifying, and the value of credible, third-party assurance has never been higher.
For cyber service providers — consultancies, managed security firms, specialist auditors, and embedded compliance partners — this should be an era of sustained growth. Yet the reality I see is more complicated. Demand is increasing, but delivery capacity isn’t keeping pace. The engines of certification are still heavily dependent on scarce expert assessors, manual evidence processes, and inconsistent workflows that are difficult to scale across industries and frameworks.
The result is a widening gap between what the market needs and what traditional assessment models can sustainably supply.
A compliance landscape that won’t slow down
The growing array of frameworks isn’t new to me. What is new is the pace and breadth of change. Organisations are rarely dealing with a single standard in isolation. Increasingly, they’re expected to demonstrate compliance across multiple overlapping requirements, often at the same time.
A mid-market company processing card payments may need PCI-DSS. A healthcare or SaaS provider working in Europe has to address GDPR-aligned security and privacy expectations. Financial services organisations are adapting to detailed operational resilience obligations under DORA. Government suppliers face rising expectations through frameworks like NIST-aligned models and CMMC in the U.S.
Even when the control intent overlaps, the evidence packaging, audit language, and reporting expectations can vary. I see this making multi-framework delivery challenging, especially when the work is still structured as separate projects rather than a unified, reusable assessment model.
For service providers, this leads to a blunt operational truth I repeat often:
The more frameworks your clients need, the more your delivery model must standardise and scale, or your costs will compound quickly.
The human assessor bottleneck
From my perspective, the most under-discussed constraint in cyber certification is not the standards themselves. It’s the limited supply of qualified people who can interpret them consistently and validate evidence with credible professional judgement.
Experienced assessors are expensive, time-starved, and increasingly pulled in multiple directions. Many are asked to cover expanding portfolios of frameworks while also supporting advisory, incident response, or broader risk programmes.
Even for well-resourced firms I speak with, staffing this demand is difficult. For smaller cyber companies growing into assurance services, it can be a barrier to entry.
This creates several familiar knock-on effects:
- Longer lead times for assessments as schedules fill up
- Rising delivery costs tied directly to the scarcity of senior expertise
- Inconsistent client experiences when methodology varies across assessors or teams
- Pressure on margins when effort expands faster than fees can realistically increase
Crucially, I don’t believe this is a problem that can be solved simply by “hiring more”. The development curve for a skilled assessor across complex, regulated frameworks takes time, and the market is already competing intensely for the same talent.
Manual evidence is still the biggest cost driver
When assessment programmes run over budget or over schedule, in my experience the root cause is rarely a single complex control. It’s typically the accumulation of manual work:
- evidence requests issued and re-issued
- screenshots and exports stored in scattered folders
- policy reviews repeated across frameworks
- cloud configurations verified through inconsistent methods
- remediation tracked in disconnected spreadsheets
- reporting compiled from scratch for each cycle
These tasks are essential, but they’re not where human expertise adds the most value.
When senior assessors are spending large portions of their time chasing evidence, formatting documentation, and reconciling duplicate requirements across different standards, the model becomes inefficient by design.
This is the moment I believe the industry needs to confront plainly:
We are using scarce expert time on work that should be structured, systematised, and accelerated.
The multi-framework reality is now the norm
Modern clients often require more than a single badge to operate confidently in global supply chains or regulated sectors. It’s increasingly common for me to see combinations such as:
- PCI-DSS + GDPR
- NIST-aligned risk models + sector regulations
- DORA + third-party and cloud risk assurance
- CMMC readiness alongside broader enterprise security frameworks
For cyber firms delivering these programmes, there’s a strategic choice:
- Treat each framework as a separate delivery motion, with separate evidence, separate tooling, separate timelines; or
- Unify the underlying assessment architecture, allowing overlap to be mapped once and reused intelligently.
From where I sit, the second model is the only path that scales without burning out teams or inflating client costs beyond what the market will tolerate.
Where SmartAssessor fits the new reality
At Sendient, we built SmartAssessor to help cyber companies modernise how they deliver certification — reducing cost and time while improving consistency and scalability.
Rather than treating each framework as an independent silo, we designed SmartAssessor to industrialise assessment through:
- Multi-framework control mapping: Reducing duplication by aligning overlapping requirements across standards and building a clearer, unified evidence approach.
- Structured evidence management: Making it easier to request, ingest, organise, validate, and reuse evidence in a controlled, audit-friendly way.
- Guided assessment workflows: Helping teams apply consistent methodology across assessors, clients, and geographies.
- Faster gap identification and remediation tracking: Turning findings into structured action plans, not static documents.
- Client-ready reporting: Producing clear outputs that inspire confidence and accelerate sign-off.
In short, my goal with SmartAssessor is to help shift certification delivery from an artisanal, person-dependent process to a repeatable, platform-supported capability.
As I often say:
The biggest inefficiency in cyber certification isn’t the standard; rather, it’s the way we still chase evidence like it’s 2010. We built SmartAssessor to bring structure, speed, and reusability into a process that has become too expensive to run manually at scale.
Why this is a commercial advantage for cyber companies
The value of SmartAssessor isn’t limited to end customers. The strategic impact is just as significant for the cyber companies delivering assessments as a service.
For me, four outcomes matter most:
- Reduced reliance on scarce senior assessors: By standardising workflows and evidence handling, senior experts can focus on judgement, risk interpretation, and quality — not administrative overhead.
- Greater delivery capacity without proportional headcount growth: If each assessment requires fewer manual hours, firms can serve more clients with the same team.
- More consistent quality across engagements: Repeatable methodology reduces variation across different assessors and helps protect brand credibility.
- Easier expansion into new frameworks: A structured assessment engine makes it more viable to add services across PCI-DSS, DORA, NIST, CMMC, and other regimes without rebuilding delivery from scratch.
I often frame the market dynamic like this:
Cyber firms are being asked to deliver more certifications, more often, under more scrutiny. The winners won’t just be the ones with the most expertise; they’ll be the ones who can operationalise that expertise efficiently.
A better model for clients, too
Clients feel the assessor bottleneck just as sharply as providers do. Longer timelines delay projects, strain internal teams, and create uncertainty. This is especially significant for organisations that need certification to sign contracts, access markets, or reassure stakeholders.
From my experience, a platform-led assessment approach can help reduce:
- business disruption
- audit fatigue
- repeated evidence requests
- confusing or inconsistent reporting
It also improves how clients perceive the process. Instead of experiencing certification as a stressful, opaque audit event, they see a structured, collaborative effort with clear expectations and trackable progress.
The future is not “assessor replaced” — it’s “assessor amplified”
I’m very clear on what modernisation should — and shouldn’t — mean.
The future of cyber certification is not about eliminating expert humans from the process. Standards-based assurance requires professional judgement. It requires context. It requires the ability to interpret control intent against real-world environments.
But it does require modern tooling that respects the time and value of those humans.
That’s exactly the balance we built SmartAssessor for:
- platform structure to reduce repetitive effort
- human expertise to validate, interpret, and assure
I often summarise this principle like this:
We don’t need fewer assessors; we need to stop wasting assessor time. The goal is to help providers and their clients move faster without compromising the rigour that certification is built on.
What this enables next for certification providers
When cyber companies modernise their assessment delivery, they gain more than efficiency. They create a foundation for new service models and deeper client value, such as:
- rapid multi-framework readiness programmes
- sector-specific certification bundles
- repeatable annual or biannual assessment cycles
- better portfolio visibility across clients and industries
- clearer metrics for internal quality and performance management
These are the building blocks of scalable, profitable, compliance-led growth: exactly the kinds of outcomes I want SmartAssessor to unlock.
Closing thought
After two decades in cyber, I’m convinced of one thing: cyber certification is becoming more central, more frequent, and more commercially critical. But the market’s ability to deliver it is increasingly constrained by the scarcity and cost of qualified human assessors, and by manual, fragmented assessment processes that haven’t evolved at the pace of modern requirements.
SmartAssessor is built for this moment.
It helps cyber companies reduce assessment costs and timelines, increase delivery consistency, and scale multi-framework certification services without relying on unsustainable headcount growth.
In a landscape where trust is currency and capacity is constrained, the firms that win will be those that combine expert judgement with a modern, structured assessment engine and make rigorous certification delivery repeatable at scale.
If you’d like to discuss how SmartAssessor can support your certification services, you can reach me at mwatts@sendient.ai, or visit www.smartassessor.ai.