How to Build a Program Plan for Security by Design

Security by Design is a proactive approach to embedding security into every phase of the software development lifecycle. Once you have established the value drivers and created a compelling business case for Security by Design, the next crucial step is to build a program plan. 

This plan should include clearly defined goals, a stakeholder engagement plan, and phased execution to ensure successful adoption and implementation. Here’s how to build an effective program plan for Security by Design.

Establishing Goals

Setting clear and measurable goals is the foundation of a successful Security by Design program. These goals should be derived from the value drivers and business case you have established. 

We recommend conducting a goal-planning workshop with key stakeholders to ensure alignment and buy-in. 

The Workshop Should Follow these Five Steps:

1. Pain Points: Identify the specific pain points and challenges the Security by Design initiative aims to address. This includes understanding the current security gaps, vulnerabilities, and improvement areas.
2. Goals: Define the overall goals of the Security by Design initiative. These should be broad, high-level objectives that align with the organization’s strategic priorities and address the identified pain points.
3. Actionable Objectives: Break down the goals into specific, actionable objectives. These should be clear tasks and initiatives that can be implemented to achieve the broader goals. Examples include conducting regular threat modeling sessions, implementing secure code reviews, and providing secure coding training to developers.
4. Metrics/Measures: Determine the metrics and measures that will be used to track progress and success. These should be quantifiable and include proactive metrics such as the number of threat models created, the percentage of secure code reviews completed, and the number of developers trained.
5. Success Criteria: Establish success criteria to evaluate the effectiveness of the Security by Design program. This includes setting specific targets for each metric, such as reducing high-risk vulnerabilities by 50% within the first year and defining what successful implementation looks like for each objective.

Example Output From a Goal Planning Workshop:

• Pain Point: The current process of reviewing applications by a security team member results in a bottleneck and impacts our ability to ship software quickly
• Goal: Increase scalability of security design reviews
• Actionable Objectives: 
  • Use a Security by Design platform to perform design reviews for 10 applications.
    • Metric: Number of applications onboarded; Target: 100%
  • Measure the time taken in reviews using automation vs. manual process
    • Metric: Time to complete process using automation, Target: 2 hrs. (vs. 40 hours manually)

• Success Criteria: Onboard at least 10 applications in 90 days and reduce security design review time by at least 300 hours in total.

Selecting Metrics and Targets

Selecting metrics and targets is one of the program’s most important aspects. As W.E. Deming said, “What’s measured gets done.” Often, application security programs only measure lagging and reactive metrics such as vulnerability count, defect density, and Mean Time To Resolution (MTTR). 

If these are the only benchmarks for measurement, security and development teams may not be encouraged to work on Security by Design activities. This is because Security by Design takes time to implement and ultimately impacts the lagging indicators. Security requirements added to a backlog may take months or years to fully implement as they compete with user-facing features for development time. 

Examples of Proactive Metrics Include:

For executive reporting, tie these metrics back to business value, such as reduced remediation costs, improved compliance, and enhanced risk management.

Stakeholder Engagement

Creating a business case is just the beginning of launching a Security by Design initiative. It’s crucial to engage and gain buy-in from all relevant stakeholders. This can be achieved by outlining the key benefits for each stakeholder group and using a framework like INSPIRE to guide your engagement strategy:

1. Initiate

• Objective: Explain the need for Security by Design to the stakeholders.
• Action: Conduct initial meetings to highlight the importance and benefits.

2. Nurture

• Objective: Foster an understanding of each stakeholder’s roles and responsibilities in the program.
• Action: Provide training sessions and resources to build knowledge.

3. Support

• Objective: Offer continuous support and resources to stakeholders throughout the implementation.
• Action: Set up a help desk or support system for ongoing assistance.

4. Participate

• Objective: Engage stakeholders actively in the implementation process.
• Action: Involve them in planning sessions and decision-making processes.

5. Implement

• Objective: Execute the plan with the active involvement of all stakeholders.
• Action: Carry out the defined actions and strategies to embed Security by Design.

6. Review

• Objective: Regularly assess the progress and impact of the implementation.
• Action: Conduct periodic reviews and gather feedback from stakeholders.

7. Evolve

• Objective: Ensure continuous improvement and adaptation based on feedback and changing requirements.
• Action: Update the strategies and plans to address new challenges and opportunities.

Here are some Common Stakeholder Groups and their Benefits:

Role	Responsibility	Common Motivators	Desired Outcomes
CISO, Chief Product Security Officer, or Security Leader	Program executive sponsor Drives board and technology leadership support	Scale security team Reduce risk Demonstrate compliance Reduce liability in the event of a breach	Increased  # of applications served per full-time employee Decreased # of vulnerabilities Audit artifacts demonstrating compliance with laws, standards, and best practices
CTO or Development Leader	Top-down support and driving adoption program from development teams	Demonstrate compliance to improve competitiveness Reduce liability in the event of a breach Improve time to market by reducing security bottlenecks	Audit artifacts demonstrating compliance with laws, standards, and best practices Faster project delivery / less time spent on security activities
Application Security Team Member	Champion program Drive adoption Select & administer tools	Reduce risk across all development teams Scale limited number of security professionals Demonstrate compliance	Increased adoption of security by design activities Decreased # of vulnerabilities Increased  # of applications served per full-time employee Audit artifacts demonstrating compliance with laws, standards, and best practices
Security Champion	Lead security by design activities, such as threat modeling on the development team Drive adoption of training Answer security questions and liaise with the central security team	Reduce risk in their applications Improve career prospects with security knowledge	Increased adoption of security by design activities Accreditations/certifications demonstrating security knowledge
Software Developer	Participate in security by design activities, including threat modeling Take security training	Reduce the amount of time spent on security & compliance, such as remediating vulnerabilities and audit findings Improve career prospects with security knowledge	Faster project delivery / less time spent on security activities Accreditations/certifications demonstrating security knowledge
Application Owner (Product Manager or Business Lead)	Provide business context for threat modeling	Turned planned work (security vulnerabilities) into planned work (security requirements) Satisfy compliance requirements	List of security requirements in backlog Audit artifacts demonstrating compliance with laws, standards, and best practices
Application/Information Security Architect	Provide information on company security architecture standards and strategy	Ensure security is integrated into the design	Reports demonstrating security has been embedded into the design
Compliance and Risk Management Lead / Internal Audit	Assess development teams on compliance status	Ensures compliance status of applications	Audit artifacts demonstrating compliance with laws, standards, and best practices

Project Plan

The project plan for rolling out Security by Design will differ depending on the size and goals of your company. However, successful programs generally follow four phases of execution:

1. Align: Create a detailed plan and ensure all stakeholders are aligned with the goals and responsibilities.
2. Execute: Begin implementation with a pilot team, setting up tools and processes to test the approach.
3. Realize: Expand the rollout based on feedback and results from the pilot phase, measuring impact and making necessary adjustments.
4. Advocate: Advocate for the program across broader applications, leveraging successes from earlier phases to drive adoption.

Example Plan for a Large Enterprise

Phase 1: Align

• Conduct goal planning workshop
• Define scope, metrics, targets, responsibilities, and timeline
• Secure executive sponsorship

Phase 2: Execute

• Select a pilot team and application
• Implement Security by Design practices (e.g., threat modeling, secure code reviews)
• Gather feedback and refine processes

Phase 3: Realize

• Expand to additional teams and applications
• Measure and report on key metrics
• Adjust program based on feedback and results

Phase 4: Advocate

• Share success stories and case studies
• Conduct training and awareness sessions
• Drive continuous improvement and scale the program

Communication Plan

Effective communication is crucial for the successful rollout of Security by Design. Your communication plan should include multiple steps and channels to inform and engage all stakeholders. 

Key Elements of the Communication Plan Include:

• Kickoff Meetings: Host one or more meetings to describe the program, answer questions, and set expectations.
• Mass Email: Send an email announcing the program to all stakeholders, soliciting participation (if voluntary), or describing necessary changes.
• Follow-up Emails: Send periodic emails to provide updates, share progress, and address concerns.
• Cascading Communication: Use security champions to drive follow-up communications within their teams.
• Additional Channels: To reinforce messages, utilize other channels such as Slack, one-on-one meetings, staff meetings, town halls, and leadership meetings.
• Wiki/Intranet Page: Create a central repository of information, including FAQs, training materials, and progress reports.

Your Communications Should Address the Following Themes:

• Why the organization is adopting Security by Design

• How success will be measured

• Which processes and tools will be used

• How existing processes will change

• Who is accountable for following the processes

• Stakeholder-specific benefits

• How to provide feedback

Conclusion

Building a comprehensive program plan for Security by Design is a strategic and detailed process. It involves setting clear goals, selecting the right metrics, engaging stakeholders, creating a phased project plan, and implementing an effective communication strategy. 

By following these steps, organizations can ensure the successful adoption and implementation of Security by Design, ultimately leading to more secure, resilient, and compliant software systems. As cybersecurity threats continue to evolve, a proactive approach to security is essential for safeguarding digital assets and maintaining a competitive edge.