Secure Design Accelerator from Shostack + Associates
Building a great threat modeling program requires change. We want people to ask ‘what can go wrong’ early, when the concrete hasn’t been poured. That means changing the definition of success, and that means culture change. Corporate culture shifts are challenging. Changing how you deliver to your customers is difficult. Improving security engineering involves both, and that makes the journey a complex one.
Observing the many challenges that our customers encounter as they travel down this road has led to our Accelerator program. We cannot run the race for you, but we can help you prepare, plan and execute by sharing the secrets of success. Even when we talk with executives and convince them that threat modeling is a good idea, for change to happen, someone internal needs to be accountable.
Our Secure Design Accelerator Advisory package includes what you need to drive change. The elements include a review or assessment of your existing materials, a toolkit, a coaching team to listen and advise, and consulting to help with the execution, including briefings, interviewing and surveying. The Accelerator Toolkit is aligned with the stages of the program:
- Rally executive support
- Set the stage
- Start the rollout
- Sustain the change
Each company’s journey is unique. (We hate the cliche, too! But) Let us share some important specific questions:
- What corporate initiatives are underway?
- What language does the sponsoring executive use?
- Is your application security journey focused on cost-cutting, beating the competition, or perhaps regulatory compliance?
- What concerns do leaders and staff have? How much proof do they need?
At each stage, there’s tradeoffs to be made. Those tradeoffs include:
- What approach and methods will work for us?
- Is the work done by a central team? Consultants? Every engineer?
- How specific should our guidance be here?
- Who’s accountable for what? What does our RACI matrix look like?
Your answers to these questions influence how your program can rollout, and choices about the tradeoffs influence what processes, training and support make sense for you. The timing each stage is dependent on the size, culture and history of the company. We work with each client to drive change quickly and effectively.
The Toolkit includes tools for each stage of the process. Some elements include:
- Executive Interview Presentation
- Sample RACI charts
- Job descriptions
- Procedure templates
- Success criteria and metrics
| Stage | Description | Benefit |
|---|---|---|
| Rally executive support | Effective support must include an understanding that threat modeling is a team sport, and will involve prioritization questions and thus escalations. We help you frame that, listen to priorities and synthesize them into specific and measurable goals. | Ensure executive goals are understood and met. |
| Set the stage | Once you know what you're going to do and what success looks like, what does your organization need to succeed? Draft procedures, support, and other aspects are often crystallized as we get ready to deliver training. | A visible investment signals the programs formal kick off. |
| Start the rollout | With executive support and the needed tools, find willing participants and set them up for success. | Systematically improve product security. |
| Sustain the change | With executive and process support, formal policies and success stories, we can successfully bring everyone on board. | Ensure that threat modeling is happening across your product lines. |