Editorial note
Carefully framed
- Some examples are deliberately abstracted to keep the judgement useful without exposing private systems, people, weaknesses or operational detail.
- Specific test findings, vulnerabilities or live issues
- Named owners, trackers or unresolved action items
- Internal review notes or assurance records
1. Grounded opening
Testing is easier to schedule than remediation is to govern.
Assessments can be commissioned. Exercises can be planned. Reviews can be written up. A list of findings can appear quickly enough to create a sense of momentum. The harder part arrives later, when those findings have to compete with delivery work, budget limits, change windows and the ordinary friction of getting something fixed in a live environment.
That is the point where the work stops being diagnostic and starts becoming managerial.
I think organisations sometimes understate this because testing sounds more decisive than remediation. Testing produces an artefact. Remediation produces arguments about ownership, timescale, risk acceptance and whether an item is genuinely closing or just being moved around in more formal language.
That is exactly why remediation matters. It is where assurance work either changes the live service position or settles into commentary about why the issue is still there.
2. What the issue actually is
The weak version of the problem is that organisations do not always fix issues quickly enough.
That is true, but it is too shallow.
The stronger version is that many organisations are better at discovering issues than governing their closure. They know how to produce findings, but they are less disciplined about converting those findings into owned action, realistic sequencing, evidence of change and a review standard strong enough to distinguish “in progress” from “done”.
That distinction matters because the word remediation sounds simpler than the work actually is. It suggests a direct path from issue to fix. In practice, remediation often involves triage, dependencies, trade-offs, temporary controls, review points and a decision about what level of residual exposure the organisation is prepared to tolerate while the work remains incomplete.
That is why I think remediation should be understood as management rather than tidy closure administration. It is not just about whether something gets fixed. It is about how an organisation carries risk while the fix is still being negotiated with reality.
3. Why it matters in practice
This matters because testing without disciplined remediation creates a false sense of seriousness.
The organisation can point to assessment activity, exercises, review notes and open actions. It can say the issue has been identified. It can say the work is in progress. Sometimes all of that is true and still not especially reassuring, because the operating position has not changed enough to justify the language around it.
That is the real consequence of weak remediation. Findings remain active longer than they should. Closure becomes vague. Review meetings drift into narrative rather than decision. Leadership receives updates without getting a clear view of what is stuck, what is accepted temporarily and what actually moved since the last checkpoint.
This is one of the places where cyber governance earns or loses credibility. If remediation is strong, assurance activity improves the service position over time. If it is weak, the organisation becomes better at describing its issues than reducing them. That is not a technical shortcoming. It is a management one.
4. What had to be balanced
Good remediation work is full of trade-offs that are uncomfortable to describe too casually.
Some items should move immediately. Some need sequencing because the underlying infrastructure change is larger than the finding itself. Some can be reduced partially in the short term while a fuller fix waits for time, budget or project alignment. Some are not solved by technology at all, but by clearer ownership, better documentation or a stronger review process.
There is also the balance between urgency and absorbability. If everything is treated as equally urgent, nothing is governed properly. If the prioritisation becomes too relaxed, open actions start ageing into background noise. The quality of remediation often depends on whether leadership can hold a firm line between what genuinely needs immediate movement and what needs structured follow-through.
That is why I am wary of remediation plans that look very complete very quickly. A cleaner spreadsheet is not the same thing as a stronger control response. The stronger question is whether the organisation has enough judgement to decide what it is fixing now, what it is tolerating temporarily and what evidence will justify closure later.
5. What changed or what the work clarified
What this clarified for me is that remediation quality depends heavily on how closure is defined.
If closure simply means “somebody touched the issue”, the whole process weakens. If closure means “the organisation can show that the position changed in a way proportionate to the finding, and somebody is prepared to stand behind that claim”, then the governance standard becomes much more useful.
That change in thinking shifts attention away from remediation as queue management and towards remediation as operating discipline. Ownership matters more. Review cadence matters more. Evidence matters more. So does honesty about partial progress. Something can move forward without being complete, but it needs to be described as partial without pretending the residual exposure has disappeared.
That is also where assurance work becomes more relevant to infrastructure leadership. Remediation is rarely happening in isolation. It competes with live service, project work, maintenance cycles and technical debt. Governing it properly means understanding the estate well enough to make trade-offs without losing sight of the control standard.
6. What stayed messy
Remediation is almost never neat.
Some issues remain open because the underlying change is larger than expected. Some are awkward because the ownership sits between teams or service boundaries. Some actions are delayed for reasons that are legitimate, but still uncomfortable to explain cleanly. Some improvements are real but incomplete, which means the status language around them has to be more precise than most organisations are used to.
There is also a behavioural problem that does not disappear. People are often comfortable with findings and plans. They are less comfortable with hard review points that expose drift, weak closure or over-optimistic status updates. That discomfort is not incidental. It is part of why remediation is management work.
The answer is not to make the language softer. It is to make the review better.
7. Broader lesson
The broader lesson is that assurance should be judged by the quality of its remediation, not by the amount of testing that preceded it.
That is a stricter standard, but it is the right one. Once you apply it, testing becomes more useful because it stops being confused with improvement. The assessment tells you something important, but the real question is what the organisation did next, who carried it, how it was reviewed and why anyone should believe the closure claim when it eventually arrives.
That is where governance becomes operationally credible. The process is no longer there to record concern. It is there to change the service position over time and to do so honestly enough that leadership can make decisions on top of it.
8. Closing
I do not think testing is overrated. I think its value is often credited too early.
The hard part begins afterwards, when the findings stop being analytical and start competing with the rest of the organisation’s work. That is where remediation begins, and that is where management quality becomes visible.
If remediation is disciplined, testing becomes useful. If not, the organisation may still be learning things about itself, but not changing fast enough for the learning to count.
About the publication
I write about infrastructure, security, governance and service delivery in complex organisations, with a focus on how decisions hold up under real operational pressure.