I'm having a difficult time selling the benefits of information security threat modeling at my organization. Where do you think I should start with the process? Are there any areas where some quick benefits could be realized?
Answer from SearchSecurity expert Nick Lewis:
Regardless of how security-aware an organization may be, starting a new information security initiative is a challenging endeavor; executives outside the security realm will potentially see a new security program as a money vacuum, sucking up all available funds in sight. Getting these key enterprise figures on your side will be a challenge, but one that is definitely doable, especially now when infosec has a lot of visibility in the C-suite.
To get the necessary organizational support to make such a significant change, you'll have to be able to detail how threat modeling will improve the state of software security. To build some momentum, I'd start by documenting and communicating the quick benefits made possible by threat modeling, namely knowing where and how your applications may be vulnerable to rudimentary but damaging attacks. The long-term benefits, including improved security and potentially reduced costs due to software vulnerabilities, should also be conveyed. Once key stakeholders have bought into the new initiative and the quick benefits have been shown in a pilot, expanding the program out to the production environment will help convince the other developers to follow. The success of such an initiative could be used to build support for future security projects too, so be sure to document how the long-term benefits you sold stakeholders on eventually paid off.
For software development organizations specifically, threat modeling's benefits have been documented by Microsoft in the design process section of its Software Development Lifecycle. Identifying where in your software development lifecycle practices to include threat modeling so that it provides the most benefit will also aid adoption. You could use a quick and dirty threat model to get started while support is built for a more formal threat modeling program. Starting with new software development efforts might be an easier way to introduce the changes.