Coaching with Shostack + Associates
Corporate culture shifts are challenging. Changing how you deliver to your customers is difficult. Improving security engineering involves both, and that makes the journey a complex one.
Observing the many challenges that our customers encounter as they travel down this road has led to our coaching service. We cannot run the race for you, but we can help you prepare, plan and execute by sharing the secrets of success. Even when we talk with executives and convince them that threat modeling is a good idea, for change to happen, someone internal needs to be accountable.
Our Appsec Enablement Coaching package includes a toolkit and a coaching team to listen and advise. The Enablement Toolkit is aligned with the stages of the program:
- Get executive support
- Set the stage (often with training)
- Start the rollout
- Sustain the change with formal policies and procedures
Each company’s journey is unique. We hate that cliché too, but let us share some important, specific questions:
- What corporate initiatives are underway?
- What language does the sponsoring executive use?
- Is your application security journey focused on cost-cutting, beating the competition, or perhaps regulatory compliance?
- What concerns do leaders and staff have? How much proof do they need?
At each stage, there are tradeoffs to be made. Those tradeoffs include:
- What approach and methods will work for us?
- Is the work done by a central team? Consultants? Every engineer?
- How specific should our guidance be here?
- Who’s accountable for what? What does our RACI matrix look like?
Your answers to these questions influence how your program can roll out, and your choices about the tradeoffs influence what processes, training and support make sense for you. The timing of each stage depends on the size, culture and history of the company. We work with each client to drive change quickly and effectively.