How Pearson's security team used threat modeling to achieve digital transformation for mitigating risk and improving the lives of its students.

A major part of Pearson’s approach to security is threat modeling, a systematic process that allows security teams to identify product-specific threats and the countermeasures that mitigate them.

Traditional threat modeling can have significant limitations when used at scale, because the process is manual. Given the size of its operations, Pearson knew that traditional threat modeling couldn’t keep up with the pace of technological advancements, and therefore with the advancements in security threats. So the company decided to embrace automation in its threat modeling.

The outcomes...

IriusRisk's flexibility allowed Pearson to integrate existing tech into a centralised threat modeling solution
Pearson can constantly quantify threats and set the direction of software security as it scales
Days spent on manual threat modeling were reduced through automation and the incorporation of Pearson's custom risk libraries

The problem we wanted to solve was getting a holistic view of security risks across our products, and quantifying those risks in a consistent and accurate way. We want to identify security requirements as early on as possible in the software development lifecycle with a view that remediating them early on is much easier and much less expensive. We were evaluating other tools in the space and based on our criteria and requirements, IriusRisk came out on top. That was predominantly because it had the flexibility for us to define our own custom risk libraries and an API where we could integrate our existing security testing.

Nick Vinson

Director of DevSecOps, Pearson