John Taylor
|
Information Security Leader
October 17, 2024

Driving Your Threat Modeling Program Further

We recently held a webinar focused on successfully advancing your threat modeling program. During this session, we covered various essential topics, including gathering feedback and data, preparing for future program growth, and measuring value. You can watch the full webinar here.

Are You Prepared to Deliver?

“As threat modeling adoption in your organization continues, you’ll need to be ready for growth and scale. Be prepared; things may move faster than you think.”

As your program expands, readiness for growth is critical. You might find yourself saying, “I have 150 models from so many different groups, and they won’t stop making models.” That is success, but it also means you have to scale alongside the teams producing those models. Always keep in mind how you'll manage an increasing number of models. Engaging with your community and continuously evaluating the program's effectiveness is crucial to meeting the needs of the teams it serves.

Keeping all risk assessments and threat models in a central repository is a best practice. Without one, models produced by decentralized teams are easy to lose track of, and the program loses visibility into what has been modeled, who owns each model and which findings are still open. That lesson underscores the importance of planning for scale from the beginning, even if the plan is simple, as long as it accommodates both fast and slow growth.

Ultimately, the goal is to ensure your program is adaptable, delivering value regardless of your organization’s size. Whether you manage thousands of applications globally or just a handful of products, being able to track every threat model, its owner and what it produced is a sign of a healthy program.

Increasing Value Delivery

“Things grow and can become unwieldy to the point where we don’t know if we are meeting our organization's needs, not to mention whether we are delivering with quality. We must measure and show value constantly and consistently.”

Demonstrating value is essential, especially in the early stages of your program. Show how threat modeling can save time, enhance security, and improve team efficiency. Instead of reporting output metrics like the number of threat models written, measure outcomes: how many of the security requirements those models produced were actually implemented.

Additionally, it’s vital to engage with detractors. Often, they fear your program will disrupt their existing processes. By creating a safe space for feedback, you can address their concerns and potentially convert them into supporters.

Keep in mind that not everyone adopts change at the same pace. Early adopters will likely lead the charge, but some may take longer to get on board. Recognize that career growth is a motivator for many; when they see positive changes, they may become more inclined to participate.

Extending Threat Modeling to Other Teams

“One of the first areas we can look at supporting is other security teams. Threat modeling works in a proactive and reactive nature. Most security organizations have a similar approach to how they build defense in depth.”

Starting small is often key. Work with different groups and gradually expand your efforts while focusing on support and training. If you don’t have a Champions program, consider starting one; Champions can help spread knowledge and encourage adoption across teams.

When extending threat modeling into other areas, consider the following:

  • Threat Intelligence: Use intelligence on active adversary techniques to inform and update your models as the landscape changes.
  • Operations and Testing: Validate your threat models through testing, such as penetration tests and control verification, to confirm that the controls the model calls for are actually in place and work.
  • Iterative Refinement: Treat threat models as living documents, refining them based on insights gained through testing and operations.

This holistic approach integrates threat modeling with broader product security initiatives, enhancing risk identification and mitigation.

Security Operations and Incident Response

Effective collaboration with Security Operations and Incident Response teams is essential. Threat modeling can:

  • Help determine where critical threats reside in applications, so monitoring effort goes where the design is most exposed.
  • Provide the basis for high-fidelity detection content written against the specific threats the design actually faces, rather than generic signatures.
  • Assist in investigations and prioritize security monitoring use cases.

Leveraging their insights about ongoing threats can significantly inform and enhance your threat modeling efforts.
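To make the two practical points above concrete (measuring outcomes rather than model counts, and handing the SecOps team the threats that still lack detection coverage), here is an added example of a small threat model registry. It is not code from the webinar or from any product; the applications, teams, threats, requirement IDs and SIEM rule IDs are invented sample data, and the 180-day review window is an assumed policy. It also treats models as living documents by flagging those not reviewed recently.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Requirement:
    """One security requirement produced by a threat model."""
    req_id: str
    threat: str                           # the threat this requirement mitigates
    implemented: bool                     # has engineering actually shipped it?
    detection_rule: Optional[str] = None  # hypothetical SIEM rule id that covers the threat


@dataclass
class ThreatModel:
    app: str
    team: str
    last_reviewed: date                   # living document: when was it last revisited?
    requirements: List[Requirement] = field(default_factory=list)


# Constructed sample registry. Apps, teams, threats and rule ids are invented.
REGISTRY: List[ThreatModel] = [
    ThreatModel("payments-api", "payments", date(2024, 8, 1), [
        Requirement("PAY-R1", "Tampering with payment amount in transit", True, "SIEM-0412"),
        Requirement("PAY-R2", "Replay of authorization token", True),
        Requirement("PAY-R3", "Tampering with payment amount in transit", False),
    ]),
    ThreatModel("customer-portal", "web", date(2024, 2, 10), [
        Requirement("WEB-R1", "Credential stuffing on login", True, "SIEM-0101"),
        Requirement("WEB-R2", "Insecure direct object reference on account endpoints", False),
    ]),
    ThreatModel("batch-exporter", "data", date(2024, 9, 20), [
        Requirement("DAT-R1", "Exfiltration via unencrypted export files", False),
    ]),
]

REPORT_DATE = date(2024, 10, 17)   # assumed reporting date for the sample run


def implementation_rate(models: List[ThreatModel], team: Optional[str] = None) -> float:
    """Share of security requirements that were actually implemented (the outcome
    metric), optionally restricted to one team. 0.0 when there are no requirements."""
    reqs = [r for m in models if team is None or m.team == team for r in m.requirements]
    if not reqs:
        return 0.0
    return sum(1 for r in reqs if r.implemented) / len(reqs)


def uncovered_threats(models: List[ThreatModel]) -> List[Tuple[str, str]]:
    """(app, threat) pairs for which no requirement has a detection rule attached.
    These are the candidates to hand to SecOps for new detection content."""
    every = {(m.app, r.threat) for m in models for r in m.requirements}
    covered = {(m.app, r.threat) for m in models for r in m.requirements if r.detection_rule}
    return sorted(every - covered)


def stale_models(models: List[ThreatModel], today: date, max_age_days: int = 180) -> List[str]:
    """Apps whose model has not been reviewed within max_age_days (refinement backlog)."""
    return sorted(m.app for m in models if (today - m.last_reviewed).days > max_age_days)


def program_report(models: List[ThreatModel], today: date) -> Dict[str, object]:
    """One consumable summary for stakeholders: outcomes and gaps, not model counts."""
    teams = sorted({m.team for m in models})
    return {
        "models": len(models),
        "implementation_rate": implementation_rate(models),
        "by_team": {t: implementation_rate(models, t) for t in teams},
        "uncovered_threats": uncovered_threats(models),
        "stale_models": stale_models(models, today),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(program_report(REGISTRY, REPORT_DATE), indent=2))
```

The registry is deliberately flat so it can live in a repository alongside the models themselves; the point is that every requirement carries an implementation status and, where one exists, the ID of the detection that covers the threat, so the same data answers "is this working?" for leadership and "what should we detect next?" for the SOC.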

Privacy by Design

“Privacy by Design is here. We are faced with more and more requirements from regulators and within our organizations regarding the protection of data. Threat modeling is a great way to assist in achieving Privacy by Design.”

Incorporating privacy considerations into threat modeling is crucial, especially as regulatory requirements grow. Because a threat model already captures application designs and data flows, it is a natural place to identify where personal data is collected, stored and transmitted, and to record the controls those flows require.

Conclusion

Ultimately, threat modeling should connect various teams, breaking down silos and fostering a culture of security. The value of threat modeling is that it can be distributed across the organization, enhancing overall security posture and offering opportunities for growth, even in smaller organizations.

As we refine our reporting based on feedback from security professionals, we are making information more consumable for those who need it. This step is essential in demonstrating value and ensuring our program aligns with the needs of various stakeholders.

By collaborating and sharing insights across teams, organizations can build a more robust security posture. Remember, even small steps in threat modeling can lead to significant improvements, contributing to a safer environment for everyone involved.