I'm having a difficult time selling the benefits of information security threat modeling at my organization. Where do you think I should start with the process? Are there any areas where some quick benefits could be realized?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Regardless of how security-aware an organization may be, starting a new information security initiative is a challenging endeavor; executives outside the security realm will potentially see a new security program as a money vacuum, sucking up all available funds in sight. Getting these key enterprise figures on your side will be a challenge, but one that is definitely doable, especially now when infosec has a lot of visibility in the C-suite.
To get the necessary organizational support to make such a significant change, you'll have to be able to detail how threat modeling will improve the state of software security. To build some momentum, I'd start by documenting and communicating the quick benefits made possible by threat modeling, namely knowing where and how your applications may be vulnerable to rudimentary but damaging attacks. The long-term benefits, including improved security and potentially reduced costs due to software vulnerabilities, should also be conveyed. Once key stakeholders have bought into the new initiative and the quick benefits have been shown in a pilot, expanding the program out to the production environment will help convince the other developers to follow. The success of such an initiative could be used to build support for future security projects too, so be sure to document how the long-term benefits you sold stakeholders on eventually paid off.
For software development organizations specifically, threat modeling's benefits have been documented by Microsoft in the design process section of their Software Development Lifecycle. Identifying where in your software development lifecycle practices to include threat modeling so it provides the most benefit will also help aid adoption. You could use the quick and dirty threat model to get started while support is built for a more formal threat modeling program. Starting with new software development efforts might be an easier way to introduce the changes.