Reporting is hard, it really is. Any ideas?

Hey friends, this week’s topic is a tricky one - reporting.

The SOTM Report 2024-2025 found that 52% of companies don’t produce regular reports, and for many, reporting remains the least clear part of the process.

At the same time, 1 in 4 companies has some form of a threat modeling dashboard.

Let’s talk about:

How have you made reporting work for you? Or what is the problem that makes reporting hard?


This post is part of our new weekly ‘Peer Perspectives’ series! Each week, we’ll explore a new threat modeling topic and open it up for community discussion. Over the coming weeks, we’ll discuss key findings from the recently-released State of Threat Modeling Report 2024-2025.

Hmm, maybe it would help if we had figured out

Essential / TL;DR / Take Home Message Threat Model - Techniques & Tooling - Threat Modeling Connect Forum

:wink:

A lack of reports could be a sign of maturity, but not in the way people may think. In my case, we have a system of record in our ALM that tracks all threat modeling effort, responsible parties, threats identified, and countermeasures prescribed. Each countermeasure links out to either stories or defects.

So in our case, the threat model (most of the time) shouldn’t have a report. The output of the threat model links directly back to work items that can be measured. This allows us to track the outcomes, which is part of how we measure the ROI of our threat modeling practice.

Reports are sometimes necessary, especially for executive visibility.
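To make the “no report, just linked work items” idea concrete, here is an added illustration (my own sketch, not the poster’s ALM tooling or any product’s API) of what that system of record looks like as data and how an executive-level summary can be computed from the ticket links instead of written by hand. The record shape, field names, ticket keys and sample threat models are all constructed for this example.

```python
"""Roll up threat-model records whose countermeasures link to ALM work items.

Added example, not the forum poster's tooling: each countermeasure either
links to a story/defect or does not; every metric below is derived from
those links, so a dashboard can replace a hand-written report.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class WorkItem:
    key: str                      # hypothetical ALM ticket id, e.g. "PAY-41"
    kind: str                     # "story" or "defect"
    opened: date
    closed: Optional[date] = None  # None = still open


@dataclass
class Countermeasure:
    description: str
    work_item: Optional[WorkItem] = None   # None = prescribed but never ticketed


@dataclass
class Threat:
    title: str
    severity: str                 # "high" / "medium" / "low"
    countermeasures: list = field(default_factory=list)


@dataclass
class ThreatModel:
    system: str
    owner: str                    # responsible party
    reviewed: date                # date of the last threat modeling session
    threats: list = field(default_factory=list)


def rollup(models, today):
    """Return the numbers an executive summary would show.

    linked_pct:   countermeasures that have a ticket (unlinked ones are
                  invisible to the ALM and therefore unmeasurable)
    closed_pct:   linked countermeasures whose ticket is resolved
    open_high:    high-severity threats with any unresolved countermeasure
    stale_models: models not reviewed in the last year
    """
    total = linked = closed = 0
    close_days = []
    open_high = []
    for tm in models:
        for th in tm.threats:
            unresolved = False
            for cm in th.countermeasures:
                total += 1
                wi = cm.work_item
                if wi is None:
                    unresolved = True
                    continue
                linked += 1
                if wi.closed is None:
                    unresolved = True
                else:
                    closed += 1
                    close_days.append((wi.closed - wi.opened).days)
            if unresolved and th.severity == "high":
                open_high.append((tm.system, th.title))
    return {
        "countermeasures": total,
        "linked_pct": round(100 * linked / total, 1) if total else 0.0,
        "closed_pct": round(100 * closed / linked, 1) if linked else 0.0,
        "mean_days_to_close": round(sum(close_days) / len(close_days), 1) if close_days else None,
        "open_high": open_high,
        "stale_models": [tm.system for tm in models if (today - tm.reviewed).days > 365],
    }


# Constructed sample data (not real systems, threats or tickets).
SAMPLE = [
    ThreatModel("payments-api", "alice", date(2024, 11, 3), [
        Threat("Token replay against /charge", "high", [
            Countermeasure("Bind access token to client TLS certificate",
                           WorkItem("PAY-41", "story", date(2024, 11, 5), date(2024, 12, 1))),
            Countermeasure("Add server-side nonce check",
                           WorkItem("PAY-42", "defect", date(2024, 11, 5))),  # still open
        ]),
        Threat("Verbose stack traces in 500 responses", "low", [
            Countermeasure("Generic error body in production",
                           WorkItem("PAY-43", "defect", date(2024, 11, 6), date(2024, 11, 8))),
        ]),
    ]),
    ThreatModel("legacy-batch", "bob", date(2023, 2, 14), [
        Threat("Unsigned job files picked up from shared drive", "high", [
            Countermeasure("Verify job file signature before execution"),  # never ticketed
        ]),
    ]),
]

if __name__ == "__main__":
    for k, v in rollup(SAMPLE, date(2025, 3, 1)).items():
        print(f"{k}: {v}")
```

The two things a dashboard built this way surfaces that a narrative report usually hides are countermeasures that were prescribed but never became a ticket (here the legacy-batch signature check) and threat models that have quietly gone stale; both show up as concrete items an executive can ask about rather than a percentage on a slide.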