Figuring out the difference between where you are and where you want to be as an organization. This gives you something to work towards.

You might compare your organization against a baseline like: National Institute of Standards and Technologies (NIST) Special Publication 800-171 Revision 2. And the title of that document is Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Or

International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27001

Part of this may include creating a gap report, in which you identify the components of your security posture that are compliant or noncompliant, evaluate which are the highest priority, and begin to fix those.