
From 40% to 92%: How One Enterprise Hit Its Compliance Target

Compliance scores are easy to ignore when they are low. There is always a reason the number is not where it should be: too many assets, not enough resource, competing priorities. The gap between where you are and where you need to be can feel so large that it stops being a motivator and starts being background noise.

But compliance targets have consequences. Missed deadlines affect audits. Audit failures affect contracts, insurance, and in some industries, the ability to operate. And in organisations where individual and team performance is tied to security metrics, a low compliance score does not just reflect badly on the security function; it affects people’s pay.

This is the situation one of our largest enterprise customers was in when we started working closely together. Their internal compliance scorecard, a measure of how many of their assets had been scanned and tested within required timeframes, was sitting somewhere between 30 and 50 percent. A significant portion of their estate was either untested, blocked, or simply not covered. And the gap between that number and where they needed to be felt, by their own admission, overwhelming.

By the end of their fiscal year, we had reached 92 percent. Here is how that happened.

Understanding What the Score Actually Measured

Before we could improve the number, we needed to understand what was driving it down.

This organisation manages a large global estate, thousands of assets over time, with around 1,700 active at any given point. Each asset carries its own compliance obligations depending on what it does, what data it handles, and what regulatory frameworks apply to it. Some assets require scanning on a regular cycle. Others require a full penetration test at least once a year. Some have both requirements.

The compliance scorecard reflected the organisation’s overall position across all of those obligations. An asset that had not been scanned within its required window dragged the score down. An asset that was blocked, and therefore not being scanned at all, dragged it down further. At the time we started, a significant proportion of assets fell into one or both of those categories.

What made the estate manageable was the organisation’s internal metadata. They had detailed records for each asset: what compliance requirements applied, how the information it handled was classified internally, when it had last been tested, and when its next test was due. We worked with that data to build a prioritisation framework, identifying which assets were closest to falling out of compliance, and tackling those first.

Without that structure, the volume would have been unworkable. With it, we had a clear and defensible order of operations.
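As an added illustration (not Edgescan's own code or the customer's scoring formula), here is a small Python model of the scorecard and prioritisation framework described above. The asset records are constructed sample data, and the scoring rule (an asset counts only if it is unblocked and inside every required scan and pentest window) is an assumption; the ordering puts blocked assets first, since they cannot recover on their own, and then ranks the rest by nearest deadline.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Asset:
    name: str
    scan_interval_days: int | None     # None = no periodic scan obligation
    pentest_interval_days: int | None  # None = no annual pentest obligation
    last_scan: date | None
    last_pentest: date | None
    blocked: bool = False              # expired creds, allow-listing gap, licence, ...

def next_due(last: date | None, interval: int | None) -> date | None:
    """Deadline for one obligation: None if no obligation, date.min if never tested."""
    if interval is None:
        return None
    return date.min if last is None else last + timedelta(days=interval)

def deadlines(a: Asset) -> list[date]:
    dues = (next_due(a.last_scan, a.scan_interval_days),
            next_due(a.last_pentest, a.pentest_interval_days))
    return [d for d in dues if d is not None]

def is_compliant(a: Asset, today: date) -> bool:
    # Assumed rule: blocked assets never count, and every obligation must be in window.
    return not a.blocked and all(d >= today for d in deadlines(a))

def compliance_score(assets: list[Asset], today: date) -> float:
    """Percentage of assets currently inside all of their required windows."""
    return 100.0 * sum(is_compliant(a, today) for a in assets) / len(assets) if assets else 0.0

def prioritise(assets: list[Asset], today: date) -> list[Asset]:
    """Blocked assets first (they cannot recover on their own), then nearest deadline."""
    def key(a: Asset):
        days_left = min(((d - today).days for d in deadlines(a)), default=10**6)
        return (not a.blocked, days_left)
    return sorted(assets, key=key)

# Constructed sample estate, scored as of a fixed date (not real customer data).
TODAY = date(2025, 6, 30)
SAMPLE = [
    Asset("web-portal", 30, 365, date(2025, 6, 20), date(2024, 9, 1)),   # in window
    Asset("billing-api", 30, 365, date(2025, 5, 1), date(2025, 1, 15)),  # scan overdue
    Asset("hr-system", 90, None, date(2025, 5, 15), None, blocked=True), # blocked
    Asset("legacy-ftp", None, 365, None, None),                          # never tested
    Asset("intranet", 90, None, date(2025, 4, 10), None),                # due in 9 days
]
```

On the sample estate the score is 40 percent, and the work order is hr-system, legacy-ftp, billing-api, intranet, web-portal.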

Clearing the Blockers

A significant portion of the compliance gap came down to blocked assets: applications and systems that Edgescan could not scan because something was preventing access. Expired credentials. IP whitelisting gaps. API documentation that was incomplete or incorrect. Licences that had not been renewed.

Each of these was fixable. But fixing them required the right people to know there was a problem. We have written separately about how Edgescan’s point-of-contact and custom notification functionality solved the communication layer of this problem. The short version: we made sure that when an asset was blocked, the person who could actually resolve it was informed directly and promptly.

We also ran working sessions, direct calls between our team and the technical teams responsible for specific blocked assets. Rather than managing blockers through email chains, we got on calls, diagnosed issues in real time, and resolved them together. At peak, we were meeting with their teams multiple times a week to keep momentum going.

Over the course of the year, we cleared around 80 percent of the existing blockers. As that happened, more assets moved into active scanning. More active scanning meant more of the estate was covered. And more coverage meant the compliance score began to move.

Onboarding at Scale

Clearing existing blockers was one part of the picture. The other was growth.

That same year, the organisation wanted to onboard approximately 700 to 800 additional assets into the programme. This was a significant ask on top of the remediation work already underway. At the point we began, around 40 percent of their existing assets were already blocked; adding hundreds more without first addressing that would have compounded the problem rather than solved it.

We made the case for sequencing: stabilise the existing estate first, then scale. And then we did both simultaneously, using the prioritisation framework we had built and the weekly planning and strategy sessions we had established with their team to keep both workstreams moving.

By the end of the year, close to 700 new assets had been onboarded and tested. Combined with the blocker remediation work, this contributed directly to the overall compliance score improvement.

What 92 Percent Actually Meant

When we presented the year-end results internally, what struck people most was not the percentage itself; it was what that number represented for this particular customer.

Reaching a compliance score in that range was something the organisation had not achieved in the previous ten years. The score had persistently sat below the thresholds they needed, and the gap had come to be seen as a structural problem rather than a solvable one.

More concretely: this customer’s internal compliance score was tied directly to individual and team performance metrics. People’s bonuses were linked to whether the assets they owned were within compliance. A compliance score of 92 percent did not just improve the organisation’s security posture; it meant that teams across the business met their targets and were paid accordingly.

That is the kind of outcome that changes how people think about a security programme. It stops being something the security function owns and everyone else tolerates, and starts being something the wider organisation has a stake in.

The Conditions That Made It Possible

It would be easy to present this as a story about a dramatic turnaround. But the more accurate framing is that it was a story about sustained, structured effort over twelve months, and about having the right operational infrastructure in place to support that effort.

The compliance scorecard gave us a shared, objective measure of progress that both teams could align around. The prioritisation framework gave us a rational order of operations rather than an overwhelming list. The notification system meant blockers were surfaced and resolved quickly rather than sitting in queues. The working sessions maintained momentum through the periods where progress would otherwise have stalled.

None of these elements was complex on its own. But together they created the conditions for consistent forward movement over a long period. And in a programme operating at this scale, consistency over time is what actually moves the needle.

The Question Worth Asking

If your organisation’s compliance score is not where it needs to be, the instinct is often to look for a technical fix: a new tool, a different scanning configuration, a change in methodology. Sometimes that is the right answer.

But more often, the gap between where you are and where you need to be comes down to operational factors: assets that are blocked and nobody is fixing, coverage that exists on paper but not in practice, a programme that is running but not connecting to the people who need to be part of it.

The first step is usually not a new tool. It is an honest look at what is actually preventing the existing programme from delivering, and a structured plan for addressing it systematically.

That is where the work starts. And in our experience, when the operational layer is right, the compliance score follows.

To find out how Edgescan supports enterprise compliance programmes at scale, start here.
