Achieving the highest Security Belt might not make economic sense and may therefore not be necessary.
- Estimate which Security Belt might be sufficient for the business criticality of your software. Your estimate might be just a first guess. To estimate, take a look at:
  - which kind of data is processed by your software.
  - how important your software is for your core business.
  - possible attack scenarios and how they could harm your software and data.
  - your compliance and regulatory requirements.
- Or, in case you have a central security department that requires you to adhere to the central risk management, consider one of the following:
  - start an agile transformation.
  - adhere to their risk judgement.
  - leave the company.
- Commit to your estimate with your Product Owner.
- Challenge your estimate after each achieved Security Belt. Since you should have a better understanding of security by then, your estimate should become better founded.
- The team is motivated by a given goal for their journey.
- It is easier for the team to track their progress with a finish line ahead.
- The white belt shall create the commitment to work on the Security Belts. Therefore, it does not require any assessment.