
Continuous compliance: a three-tiered strategy for cybersecurity assurance
In today’s ever-evolving threat landscape, CISOs are under immense pressure on two fronts. The first is to maintain a robust cybersecurity posture. The second is to demonstrate compliance with stringent cybersecurity standards (such as NIST CSF or ISO 27001).
The high-pressure world of compliance
That pressure is only intensifying, compounded by escalating cyber threats, data breaches, and tightening regulatory demands. Cybersecurity leaders are under more scrutiny than ever.
In our recent 2025 Security Leaders Peer Report, we found 92% of security leaders feel they are being asked to provide more assurances. Almost half (48%) are actively being asked by the board to provide metrics that demonstrate compliance and, perhaps more importantly, how best to maintain it.
This demand for assurance is fuelling a surge in reporting requests. On average, security teams spend up to one-third of their time collecting, analyzing, and reporting data. This reduces the time available for actively strengthening the organization’s security posture.
To explore a more effective approach, we sat down with Simon Goldsmith, Enterprise Security and Platforms Lead at OVO Energy, during our cybersecurity leadership webinar series. He shared his three-tiered view of assurance:
- staying alive,
- detecting exposures,
- and strategic reporting and alignment.
It’s designed to simplify reporting needs, enhance security oversight, and avoid the compliance ‘checkbox’.
Staying alive: the foundational level to continuous compliance
The starting point, or foundational level, of Simon’s approach focuses on the basic protections to keep the organization secure.
Simon described it as answering: are we doing a good job of preparing for and responding to incidents? The goal of this level is to demonstrate preparedness, ensuring the tools and processes are in place to detect and respond effectively to potential incidents – and remediate urgently if that is not the case.
It’s the bare minimum, and providing some telemetry of how good a job we’re doing of detecting, or responding to, attacks means we’re having the kind of conversations you want to be having in advance. You make sure you’re prepared rather than responding in the moment.
Simon Goldsmith
Enterprise Security and Platforms Lead at OVO Energy
With that in mind, this foundational level includes information on assessing detection capabilities, updating or refining ‘playbooks’ to establish clear plans for how to respond to incidents, and establishing baseline security metrics.
Detecting exposures: the proactive step for vulnerability management
While foundational cybersecurity measures ensure basic protections, organizations are increasingly attempting to take a more proactive stance in detecting and addressing potential vulnerabilities before they escalate.
The next step in this approach focuses on delivering assurance on more proactive cybersecurity measures. This is achieved by sharing details on detection and remediation efforts. Simon explains:
The second level is focused around ‘what are we doing to detect problems or exposures?’. So, whether those are vulnerabilities, misconfigurations or just issues in our system where we’re providing opportunities to attackers.
Simon Goldsmith
Enterprise Security and Platforms Lead at OVO Energy
Information shared in this tier includes “how good of a job are we doing of detecting and generating signals of those to asset owners to go and fix and remediate”.
It emphasizes a shift from merely reacting to incidents to actively seeking out vulnerabilities that could allow an attack to occur.
It’s at this stage that security leaders start to implement ongoing security checks to identify emerging threats, using methods like Continuous Controls Monitoring to identify and remediate vulnerabilities before attackers can exploit them.
The final stage: the strategic board-level cyber reporting
Beyond identifying vulnerabilities, security teams must elevate their efforts to a strategic level, one that aligns cybersecurity measures with business goals and regulatory expectations.
The third layer of assurance forms much of the focus for more strategic, board-level conversations.
As Simon describes, “This is much more about how good of a job are we doing operating an information security management system. It is about doing the planning, the risk management and the risk treatment in terms of security controls”.
Simon suggests that this strategic level of assurance should aim to answer questions such as:
“How well set up are we as a business to be doing that more strategically? Are we detecting control gaps? Are we planning control improvements in a scheduled way, rather than just running around and fixing problems as attackers or regulators raise them to us?”
Information included as part of board-level communication should include:
- Risk management: Identify, assess, and prioritize risks, facilitating discussions on controls effectiveness, resourcing, and budget
- Controls review: Ensure that the right security measures are in place
- Continuous monitoring: Review the performance and effectiveness of controls, using results to address the biggest gaps and threats
At this level, delivering assurance is not just about being able to put out the fires as they emerge; it’s about building a proactive, strategic approach to cyber resilience that protects an organization and enables the business to achieve its goals in a resilient and sustainable manner.
How to deliver three tiers of assurance and reporting
Now you’re probably thinking: this is all well and good, but how do I go about delivering this approach? That depends on how mature you are as an organization, what industry you operate in, and the industry standards and regulations you must comply with.
For many highly regulated organizations (such as Financial Services), the need to demonstrate compliance will often drive a more robust assurance and reporting program.
“If you’ve got a regulator that is very demanding from a compliance perspective, you are going to spend more time looking at the evidence that you’ve got control coverage and effectiveness,” explains Simon. “Financial services is obviously the sector that gets the most headlines around regulations but, increasingly, other sectors are also starting to see more on the regulatory front.”
For many, compliance is viewed as a double-edged sword. It’s a time-consuming and manual process that detracts from time spent on actually doing meaningful work. However, having to comply with standards and regulations also gives security leaders the impetus they need to secure board buy-in and investment.
As Simon explains, “I think something worth bearing in mind is that compliance is quite scalable, especially when you work in large organizations. Having a standard that business and technology teams have to comply with is a much more scalable thing than going around everywhere and saying ‘what are the risks? What are your threats? And what are the controls that are best placed to mitigate those risks?’ That is quite an involved exercise, but compliance helps with scale”.
The real risk arises when regulations and frameworks aren't tailored to specific industries or organizations. Instead of helping to reduce and manage risk, they become a tick-box exercise that detracts from more valuable cybersecurity operations.
If the compliance requirement isn’t tailored to your business though, it probably isn’t doing the job of reducing risk that the regulator, or whoever set the compliance standard, had hoped for. And that can happen quite a lot in security because of the interplay between different business systems and controls, priorities can vary a fair bit across businesses and even within businesses themselves.
Simon Goldsmith
Enterprise Security and Platforms Lead at OVO Energy
Continuous Controls Monitoring: The holy grail of compliance and assurance
Where do you start with achieving sustainable and scalable security assurance? Look no further than Continuous Controls Monitoring. This approach provides real-time visibility into control effectiveness, ensuring compliance and risk management efforts remain dynamic and responsive.
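To make the idea concrete, here is an added illustration of the kind of calculation a Continuous Controls Monitoring feed has to support for the three tiers above. It is not code from the article, from OVO Energy or from any product; the control catalogue, tier mapping, SLAs, asset names and evidence records are all constructed for the example. It turns raw control evidence into the two numbers the strategic tier keeps asking for, control coverage and control effectiveness, plus the SLA breaches that the "detecting exposures" tier needs to chase. Two details matter for real assurance and are handled here: coverage is measured against the asset inventory rather than against whatever reported in, so silent assets appear as gaps, and stale evidence is treated as missing, because an old "pass" is not evidence the control works today.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical control catalogue, constructed for this example. Each control is
# mapped to one of the article's three tiers, with a remediation SLA and a
# freshness window (how old evidence may be before it stops counting as coverage).
CONTROLS = {
    "EDR-AGENT":   {"tier": "staying alive",       "sla_days": 2,  "fresh_days": 1},
    "LOG-FWD":     {"tier": "staying alive",       "sla_days": 2,  "fresh_days": 1},
    "PATCH-CRIT":  {"tier": "detecting exposures", "sla_days": 14, "fresh_days": 1},
    "MFA-ADMIN":   {"tier": "detecting exposures", "sla_days": 7,  "fresh_days": 1},
    "RISK-REVIEW": {"tier": "strategic",           "sla_days": 90, "fresh_days": 90},
}

# Constructed asset inventory. Coverage is measured against the inventory, not
# against whatever reported in, so an asset that goes silent shows up as a gap.
ASSETS = {"web-01", "web-02", "db-01", "jump-01"}
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


@dataclass(frozen=True)
class Evidence:
    control_id: str
    asset: str
    passed: bool
    observed_at: datetime
    failing_since: Optional[datetime] = None  # first failing observation, if failing


def _ev(cid, asset, passed, age_hours, failing_days=None):
    """Build one constructed evidence record relative to NOW."""
    return Evidence(cid, asset, passed, NOW - timedelta(hours=age_hours),
                    NOW - timedelta(days=failing_days) if failing_days else None)


# Constructed CCM feed: a mix of passing, failing, stale and missing evidence.
SAMPLE_EVIDENCE = [
    _ev("EDR-AGENT", "web-01", True, 1), _ev("EDR-AGENT", "web-02", True, 1),
    _ev("EDR-AGENT", "db-01", False, 1, failing_days=5),    # failing 5d > 2d SLA
    _ev("EDR-AGENT", "jump-01", True, 72),                  # 3 days old: stale
    *[_ev("LOG-FWD", a, True, 1) for a in ASSETS],
    _ev("PATCH-CRIT", "web-01", False, 1, failing_days=3),  # failing, inside 14d SLA
    *[_ev("PATCH-CRIT", a, True, 1) for a in ("web-02", "db-01", "jump-01")],
    _ev("MFA-ADMIN", "jump-01", False, 1, failing_days=10), # failing 10d > 7d SLA
    *[_ev("MFA-ADMIN", a, True, 1) for a in ("web-01", "web-02", "db-01")],
    *[_ev("RISK-REVIEW", a, True, 30 * 24) for a in ("web-01", "web-02", "db-01")],
    # jump-01 has no RISK-REVIEW evidence at all: a coverage gap, not a pass
]


def control_metrics(control_id, evidence, assets, now):
    """Coverage, effectiveness and SLA breaches for one control.

    coverage      = inventory assets with fresh evidence / all inventory assets
    effectiveness = covered assets where the control passes / covered assets
    sla_breaches  = covered assets failing for longer than the control's SLA
    """
    meta = CONTROLS[control_id]
    sla, fresh_window = timedelta(days=meta["sla_days"]), timedelta(days=meta["fresh_days"])
    latest = {}
    for e in sorted(evidence, key=lambda e: e.observed_at):  # keep newest per asset
        if e.control_id == control_id and now - e.observed_at <= fresh_window:
            latest[e.asset] = e
    covered = set(latest) & assets          # evidence for unknown assets is ignored
    passing = {a for a in covered if latest[a].passed}
    breaches = {a for a in covered - passing
                if latest[a].failing_since and now - latest[a].failing_since > sla}
    return {
        "coverage": len(covered) / len(assets) if assets else 0.0,
        "effectiveness": len(passing) / len(covered) if covered else 0.0,
        "uncovered": sorted(assets - covered),
        "sla_breaches": sorted(breaches),
    }


def tier_rollup(evidence, assets, now):
    """One line per tier: mean coverage and effectiveness, total SLA breaches."""
    rollup = {}
    for cid, meta in CONTROLS.items():
        m = control_metrics(cid, evidence, assets, now)
        t = rollup.setdefault(meta["tier"], {"controls": 0, "coverage": 0.0,
                                            "effectiveness": 0.0, "sla_breaches": 0})
        t["controls"] += 1
        t["coverage"] += m["coverage"]
        t["effectiveness"] += m["effectiveness"]
        t["sla_breaches"] += len(m["sla_breaches"])
    for t in rollup.values():
        t["coverage"] /= t["controls"]
        t["effectiveness"] /= t["controls"]
    return rollup


if __name__ == "__main__":
    for tier, m in tier_rollup(SAMPLE_EVIDENCE, ASSETS, NOW).items():
        print(f"{tier:<20} coverage={m['coverage']:.0%} "
              f"effectiveness={m['effectiveness']:.0%} sla_breaches={m['sla_breaches']}")
```

Run as a script it prints one line per tier. The design choice worth noting is that coverage and effectiveness are kept separate: a control can be 100% effective on the assets it is observed on while a quarter of the estate reports nothing, and a board-level figure that blends the two hides exactly the gap the second tier exists to find. The "uncovered" and "sla_breaches" lists are the work queue for asset owners; the tier averages are what goes into the strategic report.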
By adopting a three-tiered approach, such as Simon’s, organizations can better shift from reactive to proactive security. This is a structured strategy that both protects against immediate threats and builds long-term cyber resilience.
But beyond enhancing security operations, the model fosters greater trust with stakeholders, regulators, and customers. In today’s landscape, CISOs who can effectively communicate risk, demonstrate control effectiveness, and streamline compliance will position themselves – and their organizations – for sustained success.
If you’d like to hear more from cybersecurity leaders and their challenges, subscribe to our Continuous Controls Monitoring webinar channel.