I'm having a difficult time selling the benefits of information security threat modeling at my organization. Where
do you think I should start with the process? Are there any areas where some quick benefits could be realized?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Regardless of how security-aware an organization may be, starting a new information security initiative is a challenging endeavor; executives outside the security realm will potentially see a new security program as a money vacuum, sucking up all available funds in sight. Getting these key enterprise figures on your side will be a challenge, but one that is definitely doable, especially now when infosec has a lot of visibility in the C-suite.
To get the necessary organizational support to make such a significant change, you'll have to be able to detail how threat modeling will improve the state of software security. To build some momentum, I'd start by documenting and communicating the quick benefits made possible by threat modeling, namely knowing where and how your applications may be vulnerable to rudimentary but damaging attacks. The long-term benefits, including improved security and potentially reduced costs due to software vulnerabilities, should also be conveyed. Once key stakeholders have bought in to the new initiative and the quick benefits have been shown in a pilot, expanding the program out to the production environment will help convince the other developers to follow. The success of such an initiative could be used to build support for future security projects too, so be sure to document how the long-term benefits you sold stakeholders on eventually paid off.
For software development organizations specifically, threat modeling's benefits have been documented by Microsoft in the design process section of their Software Development Lifecycle. Identifying where in your software development lifecycle practices to include threat modeling so it provides the most benefit will also help aid adoption. You could use the quick and dirty threat model to get started while support is built for a more formal threat modeling program. Starting with new software development efforts might be an easier way to introduce the changes.
Dig deeper on Software Development Methodology
Related Q&A from Nick Lewis, Enterprise Threats
Researchers reportedly succeeded in extracting decryption keys using sound-based attacks. Is this a threat enterprises should worry about?continue reading
The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P ...continue reading
Cloaked malware, like DGA.Changer, can reportedly evade sandbox detection. Nick Lewis explains how to handle the risk.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.