
How UK businesses are managing risk and compliance with automation
Trust is critical to the success of every business. But building, scaling and demonstrating trust is getting harder for UK organisations.
Vanta’s second annual UK State of Trust Report uncovers key trends across these areas of security, compliance and the future of trust. Surveying 1,000 business and IT leaders in the UK, our research found that more than half (54%) of UK organisations say that security risks for their business have never been higher.
Paulo Rodriguez, Vanta’s Head of International, recently hosted a webinar that brought together leading cyber security experts Ciaran Martin, founding CEO of the National Cyber Security Centre, and Victoria Baines, professor of Information Technology, to discuss the findings from this report and how they impact organizations in the UK.
We’ll dive into the main takeaways from the session and highlight some key points to consider. Or, check out the full webinar on-demand for free.
How is AI impacting the security landscape?
Half (49%) of UK organisations have concerns around the use of AI and the risks it poses for the security of the organisation. As AI adoption accelerates, security concerns increase. In just the past 18 months: 35% of leaders surveyed report an increase in phishing attacks, 34% have faced AI-based malware, and 27% have dealt with compliance violations.
Rather than focusing on fear, Ciaran stresses the need for a strategic approach to AI and cybersecurity. Over the years, cybersecurity has maintained a stable balance due to three key factors:
- Critical safety systems are designed to function independently of IT failures.
- Only a limited number of highly skilled actors can carry out advanced cyberattacks, and they typically act with specific objectives rather than reckless intent.
- Cybersecurity is a constantly evolving field where defensive capabilities can keep pace with threats.
AI introduces new dynamics, but its impact depends on the choices we make. For example, the cautious rollout of autonomous vehicles shows how safety can be prioritized through careful decision-making. Similarly, AI can be used to enhance cybersecurity just as it is being exploited by attackers. “If you can use math and engineering and code for bad, you can use it at least as well if not better for good,” Ciaran says. “So defense and attack can keep up with each other.”
Victoria says that it’s important to move beyond sensationalized fears of AI and instead focus on real-world developments. AI is often framed in extremes, but the reality is likely to be more nuanced. Cyber threats like ransomware emerge over time, underscoring the need for proactive security. While AI aids cybercriminals, fully autonomous malicious AI remains distant. Beyond security, AI is reshaping trust and authenticity, demanding that cybersecurity evolve to keep it a force for good.
Are people now more conscious of how businesses use their data?
Consumer trust in digital platforms is volatile. Victoria cites the Cambridge Analytica incident as a pivotal moment when people realized they had unwittingly exchanged their privacy. This underscores the importance of transparency, explainability, and accountability—principles now being incorporated into global discussions on responsible AI use.
She also calls out the rapid evolution of social media platforms and how trust has shifted dramatically. The rise of viral misinformation on social media platforms reinforces concerns about the integrity of digital spaces. As traditional targeted advertising models wane, brands are turning to first-party and zero-party data collection to establish direct relationships with customers.
While privacy concerns tend to surge in response to major events, now is an opportune moment for businesses to focus on strengthening trust—both with customers and within their broader digital ecosystems.
Do security teams have too much on their plates?
Cybersecurity isn’t just about protecting systems—it’s also about supporting the people behind them. Victoria says that while much attention is given to preventing human error, less focus is placed on the well-being of security professionals. She says that there is research to show that CISOs and security teams face high levels of stress, impacting their mental and physical health, as well as job performance. Security operations are overwhelmed by alerts, contributing to burnout and retention challenges.
Automation for initial threat detection and triage can help alleviate this burden, but human oversight remains essential. “I think it probably is already saving people's lives, people's careers, people's health and wellbeing,” says Victoria. “It's just also about striking that balance. We don't want to automate so much that we can't explain the decisions that our systems have taken.”
To maximize security teams without overburdening them, Ciaran emphasizes that compliance should support, not hinder, security objectives. While regulations in the EU and UK are evolving, they remain functional—though industry professionals must push back if they become excessive. Automation can ease some tasks, but security teams will stay busy, focusing on higher-value defenses.
Organizations must also balance AI-driven innovation with addressing legacy IT vulnerabilities, as adversaries are already using AI to enhance attacks. Effective risk management requires aligning compliance with practical security measures and balancing new technology security with maintaining older systems.
How can trust deliver ROI? Are there other business benefits from prioritizing trust?
According to Vanta’s UK State of Trust Report, UK businesses increasingly recognise the value of trust and its connection to security. We have seen a 13% increase in this area from last year. 53% of UK organisations say good security practices directly contribute to customer trust.
But it’s not just customers who expect security and compliance; investors and suppliers are also asking for it. Nearly 70% of UK organisations report that stakeholders increasingly require proof of compliance, underscoring how central trust is in the modern landscape.
According to Victoria, measuring cybersecurity prevention is challenging because it involves assessing events that don’t happen. However, cybersecurity should be framed as a risk management function rather than just a technical defense. She says that boards already understand risk, so integrating cyber risk into overall business risk makes it easier to secure buy-in and demonstrate value.
While security programs can quantify behavioral improvements—such as reduced phishing email clicks—true success lies in mainstreaming cybersecurity as a standard risk consideration. This shift helps organizations better communicate return on investment without needing to justify cybersecurity spending differently from other risk management efforts.
Get even more insights about the State of Trust in the UK by downloading our report. You can also hear the full discussion between Ciaran Martin and Victoria Baines by watching the free on-demand webinar.




