If you’ve ever brought in a technology consultant, you’ve probably been through some version of this. A discovery process, a series of interviews, a document — sometimes a very long document — delivered at the end with findings, recommendations, and a list of things to address.
And then, usually, not much changes.
The document gets reviewed. Some items get flagged as priorities. A few quick fixes happen. The rest sit in a backlog until the next audit cycle, when a new version of the same document arrives with many of the same findings.
This isn’t a cynical observation. It’s a pattern that repeats itself so consistently across organizations that it’s worth asking why, and whether there’s a better way.
The problem with leading with insight
An audit can tell you what’s broken. It cannot fix anything.
That sounds obvious, but the implications are significant. An organization that has completed a security assessment and received a detailed report now knows about its vulnerabilities. The problems haven’t been addressed. They’ve been documented. In some ways, the risk has increased. The organization now has a paper trail confirming it was aware of specific issues. If something goes wrong before those issues are fixed, that awareness becomes a liability.
This is the trap of insight without execution. The assessment creates the appearance of due diligence without delivering the substance of it. And because assessments are easier to sell and easier to produce than actual remediation, the consulting industry has organized itself heavily around them.
Why consultants lead with audits
It’s worth being honest about the incentives at play.
Audits are scoped, time-limited, and deliverable-focused. They have a clear beginning and end. They’re easier to price, easier to staff, and easier to sell than open-ended implementation work. They generate reports that look thorough and professional. And they almost always surface enough findings to justify follow-on work — which may or may not get done, but which creates the next sales conversation.
None of this means audits are useless. A well-executed assessment by someone who understands your environment can surface genuinely important information. The problem is when the assessment is the product rather than a precursor to actual change.
What actually reduces risk
Risk doesn’t go down because you know about it. Risk goes down because you do something about it.
In practice, that means replacing the workflows that create exposure. Automating the manual processes where human error introduces vulnerability. Building systems that are secure by design rather than patched after the fact. Establishing controls that persist because they’re built into how the organization operates, not because someone is manually enforcing a checklist.
This kind of work is harder to scope, harder to sell, and harder to deliver than a report. It requires understanding not just what’s wrong but how the organization actually operates: where the real friction is, what people are actually doing versus what the policy says they should be doing, and which fixes will stick versus which ones will erode the moment the consultant leaves.
It also requires accountability for outcomes, not just deliverables. A report can always be declared complete. A system either works or it doesn’t.
What a better engagement looks like
The alternative to leading with an audit isn’t skipping the discovery process. It’s making sure the discovery process exists to serve execution rather than replace it.
That means scoping discovery narrowly around a specific problem. Not a broad sweep of everything that might be wrong, but a focused look at a particular workflow, system, or area of exposure. It means the output of discovery is a specific plan for a specific fix, not a general report on the state of things. And it means the engagement doesn’t end when the document is delivered. It ends when the problem is actually solved.
This is a different kind of consulting relationship. It requires more trust, more specificity, and more willingness on both sides to be accountable for what actually changes. But it’s the only model that reliably produces a different outcome than the status quo.
The question to ask before the next engagement
If you’re evaluating a technology consultant or a security firm, one question cuts through a lot of noise: what does “done” look like?
If the answer is a report, a presentation, or a set of recommendations, you know what you’re buying. That may be exactly what you need. But if what you actually need is for something to get fixed, it’s worth finding out early whether the person you’re talking to is in the business of finding problems or solving them.
The Takeaway
Assessments have value. But they’re a starting point, not a solution. An organization that knows about its vulnerabilities and hasn’t addressed them isn’t more secure than one that never looked. It may actually be in a worse position. The standard for any technology engagement should be what actually changed, not what was documented.
What To Do This Week
Pull the last technology or security assessment your organization received. Look at the recommendations. Count how many have been fully implemented. If the number is low, the question isn’t whether to do another audit. It’s what’s preventing execution on the findings you already have.
Resource Worth Knowing
If you’re looking for an engagement that ends with something fixed rather than something documented, Neulinc works specifically on workflow replacement and secure system implementation. Start at neulinc.com.
Ross Baker is the founder of Neulinc, a digital services company building AI systems, automation, and secure infrastructure for businesses, nonprofits, and local governments.