It’s easy for everyone in security to agree on doing extra work to create secure systems. In my experience, it seems that once we begin to socialize or implement the process/idea/system/etc., there is pushback from others. Threat modeling is no exception.
Implementing change, even if it is for the good, is difficult. Has anyone engaged with pushback to threat modeling? Either as a security practice or specific details in the methodology?
If so, I’d love to hear your thoughts on how the pushback was approached. Or, like my kids would say, how did you clapback??