
How to advocate the benefits of information security threat modeling

Expert Nick Lewis discusses how best to advocate the benefits of a new security initiative like threat modeling to the key enterprise players.

I'm having a difficult time selling the benefits of information security threat modeling at my organization. Where do you think I should start with the process? Are there any areas where some quick benefits could be realized?


Regardless of how security-aware an organization may be, starting a new information security initiative is a challenging endeavor: executives outside the security realm may see a new security program as a money vacuum, sucking up all available funds in sight. Getting these key enterprise figures on your side will be a challenge, but one that is definitely doable, especially now that infosec has a lot of visibility in the C-suite.

To get the necessary organizational support to make such a significant change, you'll have to be able to detail how threat modeling will improve the state of software security. To build some momentum, I'd start by documenting and communicating the quick benefits made possible by threat modeling, namely knowing where and how your applications may be vulnerable to rudimentary but damaging attacks. The long-term benefits, including improved security and potentially reduced costs from software vulnerabilities, should also be conveyed. Once key stakeholders have bought into the new initiative and the quick benefits have been shown in a pilot, expanding the program to the production environment will help convince the other developers to follow. The success of such an initiative could also be used to build support for future security projects, so be sure to document how the long-term benefits you sold stakeholders on eventually paid off.

For software development organizations specifically, threat modeling's benefits have been documented by Microsoft in the design process section of their Software Development Lifecycle. Identifying where in your software development lifecycle practices to include threat modeling so that it provides the most benefit will also help adoption. You could use a quick-and-dirty threat model to get started while support is built for a more formal threat modeling program. Starting with new software development efforts might be an easier way to introduce the changes.

This was last published in March 2014
