John Taylor
|
Information Security Leader
December 12, 2024

Delivering Value with your Threat Modeling Program

You can demonstrate value early on, whether that be how security fits in with a developers remit or design, or when analyzing an architecture to see what the attack vector could be for example. Threat modeling increases the security analysis—feature planning gives value, if the same thing is done for security and threat modeling, the benefits will be seen right away. 

This blog takes a look at how you can demonstrate and deliver value from your threat modeling program. If you wish you can also watch the full episode about this topic here: How to build a successful threat modeling program: Episode 5 - Delivering Value

Start Small, Deliver Big

Self service is a great delivery model but takes time to get there. We walk, then run; we have to start somewhere. At the start I found the full service model is where you wind up.

One critical takeaway is the importance of keeping things straightforward as you get started. Programs often begin with a full-service model, where a dedicated team handles the bulk of the work. This approach allows teams to learn, validate processes, and build a strong foundation. While the initial costs—particularly in time and effort—may seem high, the early focus on teaching, learning, and collaboration pays dividends by creating a culture where threat modeling becomes a common practice.

Costing with Delivery Models 

Delivery Models to consider:

  1. Self Service – We train and have teams start and complete their threat models
  2. Collaborative Service – Threat modeling team works with product teams to build, analyze and deliver the threat model with outputs to take action on. Place these in your backlog
  3. Full Service – A threat modeling team does all the work but validates and still works with the product team to ensure model accuracy

Each model delivers value differently at various stages of program maturity. For instance, the full-service model is about learning and proving immediate value, while collaborative and self-service approaches emphasize scalability and ownership.

Demonstrating Value and Building Relationships

Collaboration is key. This is where teams build strong relationships and trust. Modeling together reduces friction and builds cohesion. You’re already headed here.

Measuring the value of threat modeling can be a challenge, but it’s essential for demonstrating impact. Success often starts with showing teams how threat modeling directly aligns with their goals. For example, by highlighting how a model uncovers where security fits within a product’s design, teams can quickly grasp its relevance. This process fosters collaboration and builds strong cross-functional relationships, which are vital for long-term program success.

Many engineers already apply similar principles for performance or scalability, asking questions like, "If we deploy on a single instance, can we handle scale?" The shift to thinking from a security perspective—such as asking, "If an attacker did this, then what would happen?"—feels natural when framed this way.

Security expertise from product security teams aids this transition, when they see that threat modeling is the same thing they've been doing for other parts of engineering, but now focused on cyber security, that’s a very useful click to see happen. This realization leads teams to recognize the value of threat modeling as an integral part of their design process. By incorporating security considerations early, they can ensure they’re not only building the right features but also embedding the right level of security.

Leveraging Tools to Deliver Further Value

Everyone is adopting, has found value, leverages models and makes informed decisions about the security of their products. Now you have common practice.

When discussing the intersection of tools and human expertise, a key analogy stands out: the role of a shovel in digging a hole; “I can use my hands to dig a hole, but it’s going to take me a while, and I’ll get dirty and exhausted. If I use a shovel, I move more dirt faster and with greater efficiency.” Tools can help with repeatable tasks to free the human to do other considered work. Similarly, in threat modeling, tools excel at identifying repeated patterns of vulnerabilities while human security professionals interpret these findings in the context of the application's specific use case.

Tooling becomes valuable as organizations grow and need to manage numerous models or accelerate processes. However, its necessity depends on organizational objectives, team size, and delivery speed. Tools can centralize and streamline threat modeling but are not universally required. A balanced approach—tailored to the team’s maturity and workflow—is essential.

Measuring Success in Threat Modeling

Reduction of Risk

A main goal of product security is to reduce risk for our organization and its customers. We want to reduce defects, re-work and speed up delivery.

  • Establish baselines by analyzing past app scans and penetration test reports.
  • Identify patterns and standardize countermeasures across projects.
  • Use threat models to proactively inform security testing and validate implemented controls.

Speed of Delivery

Threat modeling increases the speed of delivery. Proactive measures take less time during design and build stages than in staging or production.

  • Early threat modeling reduces rework and accelerates approval during design and build stages.
  • Security-approved reference architectures and design patterns streamline development and reduce time-to-market.

Focusing on What Matters

Threat models can serve as a foundation to product security. We have many opportunities that add value and further drive threat modeling to becoming a common practice. The other parts of our organization matter and we should share what we learn with those groups. 

  • Prioritize impactful vulnerabilities rather than overwhelming teams with findings.
  • Provide testers with targeted insights from threat models, enhancing testing efficiency and effectiveness.

Conclusion

The ultimate goal is to achieve a self-service model where teams autonomously perform threat modeling because they recognize its value. Reaching this stage requires consistent training, support, and trust-building. Some teams may require ongoing guidance, while others will embrace the process quickly. The self-service model signifies a mature, integrated practice, where threat modeling becomes second nature, driven by its demonstrated impact on security and development outcomes.

Threat modeling is a journey, not a one-time task. By focusing on collaboration, meaningful metrics, and gradual program evolution, organizations can build a sustainable practice that benefits both security and product teams.