Once you have done a security assessment be it a penetration test, application evaluation, or even a vulnerability scan; you want to see positive changes made as a result. All too often we see little or no change made. However, there are ways to have our assessments be more effective in causing the change that we want to and these ways are grounded in organizational behavior and nearly identical to practices which are part of everyday processes like change control and defect management.
Matt gets paid to commute and assesses software security for free, although his employers think it is the other way around.