I'm having a difficult time selling the benefits of information security threat modeling at my organization. Where...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
do you think I should start with the process? Are there any areas where some quick benefits could be realized?
Ask the expert!
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Regardless of how security-aware an organization may be, starting a new information security initiative is a challenging endeavor; executives outside the security realm will potentially see a new security program as a money vacuum, sucking up all available funds in sight. Getting these key enterprise figures on your side will be a challenge, but one that is definitely doable, especially now when infosec has a lot of visibility in the C-suite.
To get the necessary organizational support to make such a significant change, you'll have to be able to detail how threat modeling will improve the state of software security. To build some momentum, I'd start by documenting and communicating the quick benefits made possible by threat modeling, namely knowing where and how your applications may be vulnerable to rudimentary but damaging attacks. The long-term benefits, including improved security and potentially reduced costs due to software vulnerabilities, should also be conveyed. Once key stakeholders have bought in to the new initiative and the quick benefits have been shown in a pilot, expanding the program out to the production environment will help convince the other developers to follow. The success of such an initiative could be used to build support for future security projects too, so be sure to document how the long-term benefits you sold stakeholders on eventually paid off.
For software development organizations specifically, threat modeling's benefits have been documented by Microsoft in the design process section of their Software Development Lifecycle. Identifying where in your software development lifecycle practices to include threat modeling so it provides the most benefit will also help aid adoption. You could use the quick and dirty threat model to get started while support is built for a more formal threat modeling program. Starting with new software development efforts might be an easier way to introduce the changes.
Dig Deeper on Secure software development
Related Q&A from Nick Lewis
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
A new POS malware downloads a RAM scraper to avoid detection. Expert Nick Lewis explains the tricks MajikPOS uses to target retail terminals and how ...continue reading
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.