Claire Allen-Addy | Head of Product Marketing
August 13, 2024

Roles & Responsibilities of Threat Modeling

All roads lead to threat modeling, although the journey may differ by organization. Are you the only advocate or owner for threat modeling at your organization? Or are you part of a team that is responsible for implementing and using a threat modeling solution? Whichever the case may be - or something else entirely - this blog takes a look at the roles and responsibilities involved in successfully implementing a threat modeling solution so that you maximize your investment.

There are a lot of resources out there to demystify threat modeling, to help you roll out threat modeling, and even to initiate a Security Champions Program. You can also head over to the OWASP Security Champions Guide for further reading. For now, let’s take a look at some roles we see frequently in our customer interactions where automated threat modeling is being rolled out across a company. The expression ‘it takes a village’ also applies to threat modeling and becoming more secure-by-design. Having multiple stakeholders involved in the decision journey gets the best outcomes for your organization’s cybersecurity strategy.

The Tool Assessor

The actual job title for this person can vary. We often find they are in the Security Team, and are perhaps a Security Architect or similar. The Tool Assessor is responsible for looking at and testing new tools to understand where they can add value, prior to a purchase being made. They will likely have a demo of the software and, if possible, get access to a Freemium version to trial it for themselves. This is usually done across vendors to identify the best potential solution.

This feedback is then collated and passed on to the Senior Manager for further discussion about whether a purchase is necessary and beneficial, or whether another route needs investigation.

The Senior Manager 

This person is often in the Security Team, but not always. They are budget holders, and therefore need to be able to view all information on the compared software in order to make the best decision for the business and the teams which will use a new tool. The Senior Manager needs to consider ease of use, rate of user adoption and likelihood of success, not just the cost or whether a tool is fit for business purpose. It must integrate into existing processes, pipelines and activities to have the best chance of adoption.

However, predicting costs now and in the future is still important. This is why we offer an online ROI Calculator to aid this process. In addition, we recommend considering a Security Champions Program alongside implementation of a threat modeling tool, to maximize the likelihood of success through other threat modeling advocates and champions.

The Threat Modeling Lead

The landscape of threat modeling activity has certainly matured in recent years, with many firms having a Threat Modeling Lead, or an entire team, focused on threat modeling their products or services. There are useful places to identify your own maturity in threat modeling, such as the OWASP SAMM Project. We often find the individuals in these roles are dedicated to their threat modeling knowledge and aim to stay up to date with industry advancements. We recommend signing up to Toreon’s newsletter for a roundup of threat modeling happenings.

If your company has a Threat Modeling Practitioner or Lead, they will typically end up managing the threat modeling tool purchase and supporting the Senior Manager(s) to roll it out with successful and demonstrable adoption rates. It is likely that the Threat Modeling Lead will also set up reports or dashboards that can be used by the Compliance or GRC Teams. And if you have a Security Champions Program, these two people will work very closely together.

The Compliance Manager 

Governance, Risk and Compliance (GRC) remains an essential part of cybersecurity. Most organizations will have a dedicated team or role, such as a Compliance Manager, to capture the organizational requirements and check across processes and software that compliance considerations are applied consistently. Visibility is important for this person, and they will need to know how to get data from a threat modeling tool which demonstrates the company conforming to specific industry standards or activities. They will likely liaise with the Senior Manager and the Threat Modeling Lead to identify crucial information and reports for auditing, governance and risk management purposes. Having a Standards Library is essential for GRC Teams. With IriusRisk, Compliance Managers can export their own Compliance Reports, and view project dashboards to assess the level of mitigated risk.

Fortunately, when customers buy Enterprise Edition from us, the whole threat model can be exported: not just the data flow diagram, but the threats and countermeasures too. This is helpful if, for example, a Compliance Team uses a Risk Management System as a single source of truth to manage all risk information for the company. It also benefits Development Teams using a particular pipeline or system to centrally manage their work. One example of this is the ArmorCode integration within their ASPM and RBVM platforms.

AppSec is increasingly a collaboration between teams - read Gartner’s view 

According to Gartner®, “As the responsibility for application security is increasingly shared, security and risk management leaders question how to scale programs and foster collaboration with stakeholders.”

Gartner states, “However, the responsibility for application security (AppSec) processes is increasingly being shared between teams with less security knowledge as organizations strive to advance the culture of security ‘shifting left’.”

Read more about threat modeling as part of a secure design strategy, and see what other risk roles may need consideration. Download the Gartner report “An Introduction to Threat Modeling Best Practices” here: https://www.iriusrisk.com/threat-modeling-best-practices-with-gartner

Conclusion

To summarize, we believe all the roles listed above are crucial to your threat modeling program and its success. Without an impartial colleague vetting tools, and then a senior manager identifying whether a tool fits budget and requirements, the wrong purchase could be made. Taking into account the views of the threat modeling practitioner and the compliance manager will help the threat modeling initiative start off well, with outcomes considered across all teams and existing processes.

Business sizes and setups vary, and job titles do too, but ultimately if you can get buy-in and contribution from multiple stakeholders from different areas of your organization, especially if they have clear areas of responsibility, you can be confident your cybersecurity budget has been spent on an initiative that will add mountains of value to your threat modeling journey.

What next?

Why not take a look at our Security Champions Guide?