If you follow our blog and understand our philosophy then you already know we think Threat Modeling is a Process Not a Project. It’s not a one-time deliverable with a beginning, a middle and an end. Instead, it’s an ongoing series of steps that an organization embraces. But it can be even more than that.

At the next level of maturity, threat modeling evolves from a process to a program. In this step of evolution, threat modeling morphs from a series of steps to a full-blown organizational capability built right into the company’s DNA. Of course, a threat modeling program doesn’t happen overnight. It has to go through a series of stages. Stages can take two or three years to navigate.

Stages of a Threat Modeling Program

There are three stages of a threat modeling program: emerging, growing, and maturing.

The emerging stage commences on day one and may last up to a year. During this stage, you will identify the applications you have in your enterprise (there are more than you think), what assets you have and what doomsday scenarios you fear the most.

This stage occurs at the application “title” level, but it must be written down. It must include not just the applications you develop, but also those you purchase from others, including libraries and components. Over the course of the emerging stage, you can expect to prioritize your security work and spend less on defect discovery.

The growing stage lasts from approximately 12 months to 24 months. During this stage, you will develop a traceability matrix that describes who, what, where, when, how, and why you care for every application and every line of business. It would be best if you had a diagram for each of those high-risk or critical applications too.

At this stage, you’ve established the problem, and now your engineers know about it and can go about solving it. By the end of this stage, security becomes more of a default and something you don’t spend extra money on because it’s just baked in.

The final stage, the maturing stage, can last from 24 to 36 months. By the end of this stage, your software releases will be cognizant of and also reflective of threat modeling information. And you should have proof that you’ve designed security controls against the threats.

At the end of the maturity journey, you should see a reduction in the amount of time spent on the hygiene of security and some evidence that you’ve right-sized your security initiative. At that point, security becomes a differentiator to your business. It’s a business enabler, it’s strategic. You can actually leverage it to grow revenue.

Summary

One of the benefits of building a threat modeling program is the ability to start right-sizing your security spend. But that doesn’t happen on day one. It is only realized over time, as your organization progresses through the three stages of threat modeling maturity.

There are some strategies for accelerating the adoption of a company-wide threat modeling program, most of which depend on your company’s culture and willingness to change. But there is no way of avoiding navigating through the three stages to get to the finish line.

If you’d like to learn more about how your organization can begin the process of adopting a threat modeling program, reach out to ThreatModeler and start a conversation. We’d love to help.