Introduction
Adopting this framework
How to get started with this framework.
1. Understand the framework
Read through the framework core concepts to understand how to frame the work of building security capabilities into your software delivery organisation.
2. Clarify your organisation's compliance requirements
All security capabilities in the PSCF are derived from, and mapped to, regulatory frameworks and industry and community standards. If your organisation must be GDPR compliant and its software delivery function needs to adhere to NIST SSDF, then you can limit the security capabilities to just the ones those requirements demand.
3. Determine your accountable roles and responsible groups
The framework comes with suggested accountable roles and responsible groups for each security capability. These are accountabilities and responsibilities that work well and scalably across most organisations, but yours may differ in certain ways. It's extremely important to clearly define these accountabilities and responsibilities, as a lack of clarity here is what leads to most security programmes failing.
See Accountability & Responsibility for details on how to fairly and scalably assign accountability and responsibility in your organisation.
4. Appraise your organisation
Once you know the security capabilities your delivery organisation must have to meet its compliance requirements, and the people who are involved in doing them, you can determine how effective your organisation currently is at each of those capabilities.
The framework uses a 1-5 scale of effectiveness for each capability across three areas (Understanding, Information and Opportunity). This gives you all the detail you need to plan for capability uplift where needed. A capability may have:
- An understanding issue where people need to be trained or supporting tooling needs to be brought in to help
- An information issue that work on data gathering, analysis and presentation can solve by putting actionable information in front of the right people
- An opportunity issue requiring an investment in automation or in additional people to carry out the required security capabilities during product delivery
There is an example appraisal Google Sheet included in the project that you can make a copy of to use for your own appraisal (simply replace the random numbers with your own).
The appraisal gives you all the information you need for the next step.
5. Plan your product security programme
Now you've identified where you have gaps in understanding, information or opportunity across the security capabilities your organisation requires, you can prioritise the most important areas of concern with a programme of work for capability uplift.
6. Update your security policy
With a clear view of the security capabilities your organisation needs and the people who are accountable and responsible for them, you can update your security policy for software delivery to define the requirements for everyone.
Involve all your defined accountable people and representatives from the responsible groups in the security policy update. Software product security comes from within the delivery organisation; it can't effectively be imposed on it from outside.
Mind the gap!
The difference between how you think people are working and how they are actually working is known as an "Alignment Gap". These gaps introduce substantial risk to the organisation and can be created by an aspirational policy that isn't grounded in reality or by gradual changes in working practices not being tracked by updating policy.
You can manage this alignment gap by setting a future date at which new policy will come into effect for the organisation and aligning that date with your product security programme of work, making sure that all the necessary improvements to understanding, information and opportunity are in place before the new policy comes into effect.
7. Regularly re-appraise
After an interval that makes sense, most likely determined by how quickly your organisation can implement improvements, re-appraise the delivery organisation against the required security capabilities. Doing this means:
- You can quantitatively show the ROI of strategic improvement work through capability uplift
- You can update your product security programme to be more effective, if needed
- Everyone in the delivery organisation can see how their hard work is benefiting them, and their customers
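The appraisal and re-appraisal cycle above, as an added worked example (this is illustration code, not part of the PSCF project or its Google Sheet): a small script that filters a capability catalogue down to the standards the organisation must meet (step 2), checks an appraisal's 1-5 scores across Understanding, Information and Opportunity (step 4), lists the weakest areas as uplift priorities (step 5), and reports the change between a baseline and a re-appraisal as evidence of ROI (step 7). The capability names, the standards they are mapped to, and all scores are constructed sample data, not the framework's own mappings.

```python
"""Constructed PSCF-style appraisal walkthrough (added example, not the project's code)."""
from dataclasses import dataclass

AREAS = ("understanding", "information", "opportunity")  # the three appraisal areas


@dataclass(frozen=True)
class Capability:
    name: str
    standards: frozenset  # regulatory frameworks / standards the capability is mapped to


# Constructed catalogue: names and mappings are invented for illustration only.
CATALOGUE = (
    Capability("Threat modelling", frozenset({"NIST SSDF"})),
    Capability("Dependency vulnerability management", frozenset({"NIST SSDF"})),
    Capability("Personal data inventory", frozenset({"GDPR"})),
    Capability("Security logging", frozenset({"GDPR", "NIST SSDF"})),
    Capability("Payment data tokenisation", frozenset({"PCI DSS"})),  # not required below
)

# Step 2: the standards this (hypothetical) organisation must meet.
REQUIRED_STANDARDS = ("GDPR", "NIST SSDF")

# Step 4: constructed baseline appraisal, score 1-5 per area per capability.
BASELINE = {
    "Threat modelling": {"understanding": 2, "information": 3, "opportunity": 1},
    "Dependency vulnerability management": {"understanding": 4, "information": 2, "opportunity": 4},
    "Personal data inventory": {"understanding": 3, "information": 1, "opportunity": 3},
    "Security logging": {"understanding": 4, "information": 4, "opportunity": 3},
}

# Step 7: constructed re-appraisal after the uplift programme has run.
REAPPRAISAL = {
    "Threat modelling": {"understanding": 4, "information": 3, "opportunity": 3},
    "Dependency vulnerability management": {"understanding": 4, "information": 3, "opportunity": 4},
    "Personal data inventory": {"understanding": 3, "information": 3, "opportunity": 3},
    "Security logging": {"understanding": 4, "information": 4, "opportunity": 3},
}


def required_capabilities(catalogue, required_standards):
    """Step 2: keep only capabilities mapped to at least one required standard."""
    wanted = frozenset(required_standards)
    return [c.name for c in catalogue if c.standards & wanted]


def check_appraisal(appraisal, capabilities):
    """Reject an appraisal missing a required capability or area, or scoring outside 1-5."""
    for name in capabilities:
        if name not in appraisal:
            raise ValueError(f"no appraisal for required capability: {name}")
        for area in AREAS:
            score = appraisal[name].get(area)
            if not isinstance(score, int) or not 1 <= score <= 5:
                raise ValueError(f"{name}/{area}: score must be an integer 1-5, got {score!r}")


def is_valid_appraisal(appraisal, capabilities):
    """Boolean form of check_appraisal, convenient for validating a freshly filled sheet."""
    try:
        check_appraisal(appraisal, capabilities)
        return True
    except ValueError:
        return False


def uplift_priorities(appraisal, capabilities, target=3):
    """Step 5: (capability, area, score) for every area below target, lowest score first."""
    check_appraisal(appraisal, capabilities)
    gaps = [(name, area, appraisal[name][area])
            for name in capabilities for area in AREAS
            if appraisal[name][area] < target]
    return sorted(gaps, key=lambda gap: (gap[2], gap[0], gap[1]))


def appraisal_delta(before, after, capabilities):
    """Step 7: per-capability change in summed effectiveness, plus the overall change."""
    check_appraisal(before, capabilities)
    check_appraisal(after, capabilities)
    per_capability = {
        name: sum(after[name][a] for a in AREAS) - sum(before[name][a] for a in AREAS)
        for name in capabilities
    }
    return per_capability, sum(per_capability.values())


if __name__ == "__main__":
    caps = required_capabilities(CATALOGUE, REQUIRED_STANDARDS)
    print("Required capabilities:", caps)
    print("Uplift priorities (baseline):")
    for name, area, score in uplift_priorities(BASELINE, caps):
        print(f"  {name}: {area} scored {score}")
    per_cap, total = appraisal_delta(BASELINE, REAPPRAISAL, caps)
    print("Change per capability:", per_cap, "overall:", total)
    print("Remaining gaps after uplift:", uplift_priorities(REAPPRAISAL, caps))
```

The target score of 3 is an assumption for the example; in practice you would set it per capability from the effectiveness level your compliance requirements and risk appetite call for, and raise it when entering a market that needs higher effectiveness (see Security Capability Agility below).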
Security Capability Agility
If your organisation is entering new geographic markets or industry verticals that bring new compliance requirements, you can proactively bring in any new required security capabilities or any higher capability effectiveness needed to meet these requirements using the PSCF!