From "What" to "What Now?": How to Turn Security Assessments into Action

Security assessments often end with a long list of recommendations, but that’s not where the real work happens. Too many organizations invest time and budget into audits, maturity reviews, or compliance readiness only to hit a wall after the final report. Everyone nods at the findings. The documents get saved. The urgency fades. Progress stalls.

It’s not that the issues aren’t real. It’s that moving from identifying a problem to actually resolving it is a different kind of effort.

As cybersecurity partners, we’ve led dozens of maturity assessments, program evaluations, and risk workshops. We’ve seen organizations at every stage of their security journey, from early-stage startups trying to establish controls to global enterprises struggling to unify siloed teams.

What we’ve learned is this: progress doesn’t begin with a checklist. It starts with alignment, context, and a commitment to change. A well-written set of recommendations won’t make an impact unless there’s a clear path to execution, and a team that's ready to walk it.

So how do you make sure those recommendations become momentum?

How to Move from "What" to "What Now?"

1. Start with Shared Context

Security recommendations are rarely just technical tasks. They affect how people work, how teams interact, and how risk is managed across the organization.

Before implementation begins, everyone needs to understand the "why."

  • What risk or pain are we solving—for the business and for day-to-day work?

  • How will this change or improve the way teams operate?

  • What does success look like, and how will we support people getting there?

Whether you’re deploying endpoint controls or restructuring your vendor management process, start by clarifying the impact and intent behind each recommendation. Get cross-functional buy-in by grounding the work in business value, not just compliance.

Tip: Translate findings into plain language for executive sponsors, and spell out what deferring the work will cost (time, money, disruption, audit failure, etc.).

2. Prioritize Through Alignment

Not every recommendation carries equal weight, and not everything can (or should) be done at once.

Many organizations fall into the trap of treating the post-assessment list as a sequential to-do list, working through the findings in the order the report happens to list them. That’s a mistake.

Instead, sequence efforts based on alignment between:

  • Risk: Which items materially reduce the likelihood or impact of real threats?

  • Strategic value: Which changes support broader business objectives?

  • Capacity: What can teams reasonably take on right now?

Bring security, IT, and business leadership together to rank, combine, or phase efforts. This avoids wasted energy on low-value tasks and creates a shared, defensible roadmap.

3. Build Real Implementation Plans

Recommendations are not self-executing. They need structure, ownership, and accountability just like any other business initiative.

Each recommendation (or cluster of related actions) should be tracked as a project, with:

  • A named owner or lead

  • Defined scope and outcomes

  • Milestones and delivery targets

  • Coordination across relevant stakeholders

Avoid treating security actions as side work or afterthoughts. Fold them into your existing project management practices: agile sprints, work intake processes, steering meetings, etc. Keep each project linked back to the finding it closes, so that when the next assessment or audit arrives, the evidence of remediation is already in hand.

Tip: If your teams already use Jira, Asana, or Monday.com, track the security work there too. Don’t reinvent the wheel. The goal is to normalize security work as part of the business rhythm.

4. Embrace Change Management

Fixing problems isn’t just about technical implementation; it’s also about human adoption.

If your recommendation is to enable MFA or restructure permissions, the rollout matters just as much as the configuration. You’re not just deploying features; you’re asking people to change behavior. Plan for the details that trip users up, such as enrollment windows, account recovery paths, and the service accounts or legacy integrations that cannot yet support the new control.

That requires intentional communication, training, and support.

  • What questions will users have?

  • Who needs to approve or coordinate?

  • What processes or habits need to shift?

Security improvements often fail not because of poor design, but because people weren’t brought along. Don’t underestimate the power of storytelling, stakeholder engagement, and internal champions.

5. Establish Governance and Feedback Loops

Security maturity isn’t a one-and-done effort. It’s an ongoing process of review, iteration, and adjustment.

That means putting the right governance structures in place:

  • Who tracks progress?

  • How are decisions made when priorities shift?

  • What happens when a recommendation is blocked?

Build recurring feedback loops (monthly reviews, dashboards, or check-ins) to keep momentum alive and adjust based on what’s working (and what’s not).

Tip: Don’t aim for perfection. Aim for visibility and continuous movement.

Bridge the Gap

Security assessments provide the map, but you still have to drive the journey. Moving from “what” to “what now” means bridging the gap between insight and impact.

When implementation is treated as a shared, strategic effort, not just a technical task, real progress becomes possible.

  • Start with shared context

  • Align and prioritize strategically

  • Treat actions as real projects

  • Lead with change management

  • Reinforce progress through governance

Maturity assessments are a mirror.
Implementation is the motion.
And real maturity is built through consistent, collaborative progress.

If your team is looking at a long list of recommendations and wondering how to start—we’re happy to help chart the course.

Matthew Martin

Matthew is a Senior Manager at ImagineX specializing in Cyber Resiliency, bringing over 20 years of IT and cybersecurity experience to designing and leading scalable, governance-driven security and remediation programs that reduce risk, ensure compliance, and deliver sustainable, organization-wide impact.

https://www.linkedin.com/in/matthew-martin-b8310752/