One question I am often asked by the many organizations I work with is: where do I begin? How do I get started with Threat Modeling? What do I Threat Model, and what do I need to be concerned with? As with everything you do, you must be willing to take the first step. Taking on a new challenge is often very intimidating, and the fear of failure is real.
My advice is to start with the smallest, most simple application or workflow you have. Keep your model small and specific to a singular process.
If you identify 1 new threat today, then you have accomplished something significant.
I also encourage people not to take this task on by themselves. Threat Modeling is a collaborative process. No one knows everything, so leverage the knowledge of your teams. And because you have kept your model compartmentalised, your collaborators will not feel overwhelmed.
Finally, I highly encourage people to move the process of Threat Modeling left. By this I mean, start the process very early in the software development process. It is much easier to change the design of an application or workflow during the early stages than to change an application that is ready to go into production.
I am curious as to what advice others may have on this topic.