Skip to content

Introduction to the BRACE Model

Metamodel on Secure Product Development

Brace for Impact

Let us introduce you to the BRACE model. BRACE aims to assess and improve an organization's security maturity to positively impact value creation in the CI-CD pipeline. The model includes generic Epics, User Stories, and ways to shorten feedback loops while putting people first.

In a Fast-Paced World..

Globally, we are in the midst of a major digital transformation! How we communicate and learn has changed, and with the help of the latest and greatest technology, companies are bringing their time-to-market back from years to days. Pretty cool, right?

Yes, it certainly is! But as the world is changing much faster and more frequently, we also need to change. So, we're learning new capabilities, such as Agile, to work more effectively, maximize value, and optimize for adaption. Still, no matter how many new skills we collect, non-stop change will always result in an omnipresent level of uncertainty and force companies to become more resilient.

... Maturity MATTERS!

The pressure is on. Companies often can't see the forest for the trees when they want to improve resilience and security. What can help them is a metric such as maturity, which reveals the extent to which your company is optimized for security, for example.

But is this enough?

We certainly believe that maturity matters!
But, we also believe that we need a model that reflects the complexity of real life. For example, greater maturity does not necessarily mean greater value. And without acquiring new capabilities, establishing new behaviors will be pretty challenging.

That's why we developed BRACE.

Introducing the BRACE model

BRACE is based on various Secure Software Development Lifecycle and DevOps Maturity models. It identifies how security enablers, like vulnerability management, automation, or access control, contribute to value creation in the CI/CD pipeline while considering the organizational context. BRACE determines your security status (maturity level) and what capabilities you need to acquire to achieve the desired outcome, both in terms of behavior and value.

The BRACE model sets out four levels of security maturity: creating stability (level 0), adding robustness (level 1), adding resilience (level 2), and building antifragility (level 3). The ultimate goal of progressing from one level to the next is optimizing security.

After assessing your security maturity level, the BRACE model offers generic epic descriptions and generic user stories per cloud and security enabler. Both Epics and Stories focus on developing capabilities instead of checking boxes in a spreadsheet.

Prepare for the PARADIGM SHIFT!

While securing information is becoming a shared responsibility, improving resilience and mitigating risk is shifting to IT. At the same time, new regulations are inspiring the creation of Cyber Resilience frameworks and DevSecOps maturity models. Add to this the fact that the EU is now funding long-term academic research on resilience, and we can conclude that we're facing a paradigm shift in the field of resilience and security. Are you ready for that? BRACE for impact with a model that is as dynamic (and resilient) as its industry!

BRACE is not a fixed concept. Instead, it's always subject to change. For example, we'll soon be rewriting the value chain epics and attaching user stories to them, and we'll change the content of the security enablers' user stories from time to time.

If you feel you have something to add or are excited to use the model, we'd be thrilled to hear from you!

Download Whitepaper

We use Brace as a toolkit and applied this to the following customers

  • ANWB
  • Nationale Nederlanden
  • achmea