Cybersecurity Best Practices and Risk Management Blog | HITRUST

Moving Beyond Checklists: Why Security Assurance Is the Future of Cybersecurity

Written by HITRUST | Sep 2, 2025 5:49:26 PM

For years, the cybersecurity conversation has centered around whether organizations have the right controls in place. Do you have endpoint protection? Do you use multi-factor authentication (MFA)? Is there a security awareness training program in place? 

According to new research from Marsh McLennan’s Cyber Risk Intelligence Center (CRIC), those questions no longer go far enough. Today, the difference between resilience and risk is not about whether a control exists. It’s about whether it is implemented comprehensively, configured correctly, and tested continuously. 

This shift has profound implications for how organizations should approach cyber risk management, how insurers evaluate exposure, and how regulators and business partners assess security assurance. 

What the report found 

The CRIC report reveals a maturing cybersecurity landscape where effectiveness matters more than existence. 

  • Controls are widespread, but uneven in execution. Most organizations now deploy basics like patching processes, privileged access management, and email security tools. The challenge is ensuring those controls are applied consistently across the enterprise. 
  • Coverage and completeness matter. Endpoint detection and response (EDR) is a good example: every 25% increase in deployment reduces breach likelihood, but only full coverage delivers meaningful protection. A partial rollout leaves critical blind spots. 
  • MFA must evolve. MFA has become table stakes. Insurers and security leaders now look deeper, asking: Are phishing-resistant methods in use? Is enforcement universal? Without those, MFA is just a façade of protection. 
  • Quality beats quantity in training. Running employees through countless simulations doesn’t guarantee readiness. The research shows fewer, higher-quality exercises with realistic and evolving attack scenarios yield better outcomes. 
  • Preparedness saves. Incident response planning consistently ranks among the most effective measures to reduce risk, particularly when bolstered by tabletop and red-team exercises that test readiness against real-world attack scenarios. 

Why this matters for HITRUST 

Assurance over existence 

At HITRUST, this has always been our philosophy. Our security assurance methodology doesn’t stop at verifying whether a control exists. It requires proof that it is operationalized, aligned with best practices, and auditable. Marsh’s findings validate what HITRUST has been delivering for years: assurance that controls are not just present, but effective in practice. 

A stronger market narrative 

Independent voices like Marsh strengthen HITRUST’s message to customers, regulators, and the market: Risk outcomes improve only when controls are deployed effectively. HITRUST certification provides that proof. 

This positions HITRUST as the bridge between governance frameworks, which define what should be done, and trusted assurance, which proves it has been done right. 

New leverage with insurers 

As a major global insurance broker, Marsh has significant influence over how insurers evaluate cyber risk. Its report underscores that superficial compliance is no longer enough. If HITRUST certification is seen as credible evidence of control maturity and completeness, insurers may reward certified organizations with better premiums, lower deductibles, and preferred underwriting status. That translates into real financial value alongside security assurance.

Alignment with emerging risk differentiators 

The findings also align with HITRUST’s cyber threat-adaptive controls, which evolve to reflect emerging risks.

  • Phishing-resistant MFA is already an expectation in HITRUST assessments. 
  • Enterprise-wide EDR coverage is reinforced within the HITRUST framework. 
  • Incident response exercises, including tabletop simulations, are evaluated during assessment, providing measurable assurance of preparedness. 

HITRUST demonstrates that certification is not static. It evolves with the threat landscape and remains a reliable marker of resilience. 

The bottom line 

Marsh McLennan’s research should be a wake-up call for organizations still relying on governance checklists or partial implementations. Cybersecurity isn’t about having the right controls on paper; it’s about proving they work where it counts. 

This is where HITRUST delivers unmatched value. Our certification approach ensures that organizations are not just compliant but credible in the eyes of partners, regulators, and insurers. In an era where outcomes depend on security assurance, not assumptions, HITRUST stands as the trusted path forward.