Coaching with Shostack + Associates
Corporate culture shifts are challenging. Changing how you deliver to your customers is difficult. Improving security engineering involves both, and that makes the journey a complex one.
Observing the many challenges that our customers encounter as they travel down this road has led to our coaching service. We cannot run the race for you, but we can help you prepare, plan and execute by sharing the secrets of success. Even when we talk with executives and convince them that threat modeling is a good idea, for change to happen, someone internal needs to be accountable.
Our Appsec Enablement Coaching package includes a toolkit and a coaching team to listen and advise. The Enablement Toolkit is aligned with the stages of the program:
- Rally executive support
- Set the stage
- Start the rollout
- Sustain the change
Each company’s journey is unique. (We hate the cliche, too! But) Let us share some important specific questions:
- What corporate initiatives are underway?
- What language does the sponsoring executive use?
- Is your application security journey focused on cost-cutting, beating the competition, or perhaps regulatory compliance?
- What concerns do leaders and staff have? How much proof do they need?
At each stage, there’s tradeoffs to be made. Those tradeoffs include:
- What approach and methods will work for us?
- Is the work done by a central team? Consultants? Every engineer?
- How specific should our guidance be here?
- Who’s accountable for what? What does our RACI matrix look like?
Your answers to these questions influence how your program can rollout, and choices about the tradeoffs influence what processes, training and support make sense for you. The timing each stage is dependent on the size, culture and history of the company. We work with each client to drive change quickly and effectively.
The Toolkit includes tools for each stage of the process. Some elements include:
- Executive Interview Presentation
- Sample RACI charts
- Job descriptions
- Procedure templates
- Success criteria and metrics
Stage
Description
Benefit
Rally executive support
Effective support must include an understanding that threat
modeling is a team sport, and will involve prioritization
questions and thus escalations. We help you frame that, listen to
priorities and synthesize them into specific and measurable
goals.
Ensure executive goals are understood and met.
Set the stage
Once you know what you're going to do and what success looks like, what does your organization need to succeed? Draft procedures, support, and other aspects are often crystalized as we get ready to deliver training.
A visible investment signals the programs formal kick off.
Start the rollout
With executive support and the needed tools, find willing participants and set them up for success.
Start building security into your products.
Sustain the change
With executive and process support, formal policies and success stories, we can successfully bring everyone onboard.
Ensure that threat modeling is happening across your product lines.