US-based Mutual Life Insurance Company

Company Background 

The company is one of the largest mutual life insurance companies in the world and is based in the United States. They have a mature architecture review board process today and they are seeking a product to automate and drive efficiencies within that process. 

Challenges: 

The company was using a spreadsheet-driven approach to threat modeling. Because the process was manual and time-consuming, they faced challenges that included: 

  • Lack of adoption
  • Limited scalability
  • Difficulty in process sustainment
  • Limited reporting to stakeholders

Ultimately, they needed a tool that would help automate these activities and bridge the gap between the application and security teams.

Solution:

The company sought a diagram-first tool, which led them to implement IriusRisk as a secure-by-design product for engineers to design secure applications.

Onboarding:
IriusRisk partnered with the company to audit its current threat modeling process to define how it would be reconstructed within the tool. This also included a deep analysis of the content. These items were then overlaid and reconstructed within the platform. Unapproved diagramming components were hidden from developers' view so that only approved configurations and components were used to generate diagrams and architecture.

Training and Support:
Primary stakeholders were trained on the platform to ensure that administrators were able to customize and configure the platform ahead of general user rollout. Secondary training was provided to the first set of users, followed by additional training from the IriusRisk customer success team as more teams were added as users.

  • Integrations: Critical integrations were added to ensure that downstream teams had access to information as it was made available to them. 
  • Preliminary Rollout: This included specific time and ROI objectives to provide a superior solution compared to conventional Architecture Risk Board (ARB) processes. 
  • Scaling & Automation: The product was further adopted within the business and rolled out to secondary audiences across the organization and security architecture teams. 
  • Continuous Improvement: IriusRisk meets with the customer periodically to discuss current problems, feature requests, and product roadmaps to ensure alignment with customer priorities and objectives.

Benefits: 

The company now has a sustained and scalable process that includes direct insight and reporting into milestones within the threat modeling process. Additional benefits include: 

  • Centralized and extensible solution that integrates with multiple teams and systems, providing data to those systems for critical stakeholders.
  • Automated platform that guides the user from the beginning to the end of the ARB process. This automation sustains the acceptable process and provides key process inputs that drive the right secure-by-design practices. 
  • Automated and real-time reporting to allow critical stakeholders to view relevant information that is filterable through business units or by product line.
  • IriusRisk-embedded Architecture Risk Board review process that provides users with a set of secure-by-design architectural components which match the organization’s security preferences.

The outcomes:

  • The customer has an IriusRisk-embedded Architecture Risk Board review process which provides users with a set of secure-by-design architectural components which match the organization’s security preferences.
  • The process is sustained and scalable and includes direct insight and reporting into critical milestones within the threat modeling process.
  • Bridged the gap between current and future-state threat modeling processes.