Workbook

Make the Mission Yours

Role: Security Engineer

Use these activities to apply each principle to your current product, service, or project. These activities are a sample to get you started, not an exhaustive list. Adapt and expand them based on your team's context and needs. Capture your answers, share them with your team, and revisit them as you learn.

⚠️

Important: When Using AI Tools

When using AI-assisted activities, always double-check the output for accuracy and meaning, every time. AI tools can help accelerate your work, but human judgment, validation, and critical thinking remain essential.

Review AI-generated content with your team, validate it against real user feedback and domain knowledge, and ensure it truly serves your mission and user outcomes before proceeding.

1) Shared Mission and Vision

Frame security work in terms of protecting mission-critical user journeys.

💡

Learn More

For more information and a deeper understanding of this principle, refer to the 1) Shared Mission and Vision section in the framework.

Workbook Activities (do now)

  • ☐ Identify two mission-critical user journeys and map the key controls that protect each.
  • ☐ Rewrite one security requirement in user language (who is protected, from what, why) and share it.
  • ☐ Add “mission risk” to the current security ticket with the user harm it prevents.
  • ☐ Review a planned feature and note one security implication to the user journey; tag the owner.
  • ☐ State in standup which journey you are protecting this week and how you will know it’s working.

AI Assisted Activities

  • ☐ Use AI to help draft security requirements that map to mission outcomes, but have your team review and refine them to ensure they truly protect user value.
  • ☐ Ask AI to generate potential security controls based on user journeys, then validate each control against direct user feedback and threat intelligence.
  • ☐ Use AI to help structure your "mission risk" notes in security tickets, but ensure human team members validate that each control truly serves the mission before implementing.
  • ☐ Have AI analyze past security requirements to identify mission alignment patterns, then use those insights in team discussions to improve how security connects to user outcomes.

Evidence of Progress

  • ☐ Controls are described by the user harm they prevent.
  • ☐ Security tickets cite mission risk, not only CVSS or CWE.

2) Break Down Silos

Embed security early with product/engineering.

💡

Learn More

For more information and a deeper understanding of this principle, refer to the 2) Break Down Silos section in the framework.

Workbook Activities (do now)

  • ☐ Join the next feature kickoff to add threat scenarios and early mitigations.
  • ☐ Co-create a lightweight SDL checklist with engineering for this feature.
  • ☐ Pair with QA to design a regression test for a recent vuln class tied to this feature.
  • ☐ Hold a 15-minute dev/QA/security review of auth/permissions for the current change.
  • ☐ Replace one async review with a live threat modeling mini-session for this story.

AI Assisted Activities

  • ☐ When AI generates security controls or threat models, have cross-functional team members (developers, product managers, QA) review them together to ensure they serve users and integrate well.
  • ☐ Use AI to help draft threat modeling sessions or security checklists, but ensure all roles contribute their perspectives during the actual security review.
  • ☐ Have AI analyze security review patterns and vulnerability reports to identify handoff friction, then use those insights in cross-functional discussions to improve collaboration.
  • ☐ Use AI to help structure security collaboration sessions, but ensure human team members make decisions together about what to protect and how it serves users.

Evidence of Progress

  • ☐ Features launch with pre-agreed mitigations and tests for key threats.
  • ☐ Security findings decrease for the vuln class you paired on.

3) User Engagement

See how security controls affect users.

💡

Learn More

For more information and a deeper understanding of this principle, refer to the 3) User Engagement section in the framework.

Workbook Activities (do now)

  • ☐ Review a real user flow and note where security friction appears; propose a UX-friendly adjustment.
  • ☐ Listen to a support call about auth/access issues and capture user language verbatim.
  • ☐ Observe telemetry for auth errors and correlate it with a specific user journey.
  • ☐ Shadow a usability/auth session to see how MFA/permissions impact task completion.
  • ☐ Document one real user pain from security friction and suggest a mitigation to product/UX.

AI Assisted Activities

  • ☐ Use AI to analyze user feedback, support tickets, or auth error logs to identify security friction patterns, but always validate AI insights through direct user observation or usability testing.
  • ☐ Have AI generate questions for user interviews based on your security assumptions, then use those questions in real conversations with users to build genuine empathy.
  • ☐ Use AI to help summarize user research findings related to security, but ensure you review the summaries and add your own observations from direct user interactions.
  • ☐ Have AI analyze user behavior patterns from your security telemetry, then discuss those patterns with actual users to understand the "why" behind security friction before implementing controls.

Evidence of Progress

  • ☐ You have at least one security UX friction item logged with a user quote.
  • ☐ Auth/permission changes reference observed user pain, not assumptions.

4) Outcomes Over Outputs

Track security by risk reduction and user impact.

💡

Learn More

For more information and a deeper understanding of this principle, refer to the 4) Outcomes Over Outputs section in the framework.

Workbook Activities (do now)

  • ☐ Set one measurable outcome for this control (e.g., reduced high-risk findings, reduced auth lockouts).
  • ☐ After deploying, report before/after for that outcome and propose a next step.
  • ☐ Add a rollback/exception path with conditions to this security change.
  • ☐ Align one control to a user journey SLO (e.g., auth success rate) and track it.
  • ☐ For one missed outcome, suggest a tuning (rule, threshold, UX change) to reduce friction or risk.

AI Assisted Activities

  • ☐ When AI generates security controls or configurations, define security outcome metrics upfront and measure whether AI-generated controls achieve intended user protection outcomes, not just technical compliance.
  • ☐ Use AI to help analyze security outcome data and identify patterns, but have human team members interpret what those patterns mean for users and the mission.
  • ☐ Have AI help draft security outcome definitions and success criteria, but ensure the team validates them against real user needs and business goals before implementing.
  • ☐ Use AI to track and report on security outcome metrics, but schedule human team reviews to discuss what the metrics mean and how to adjust controls based on observed impact.

Evidence of Progress

  • ☐ Security changes ship with outcome hypotheses and are measured post-release.
  • ☐ You can show reduced risk or reduced user friction from a change.

5) Domain Knowledge

Map threats and controls across the service ecosystem.

💡

Learn More

For more information and a deeper understanding of this principle, refer to the 5) Domain Knowledge section in the framework.

Workbook Activities (do now)

  • ☐ Build a threat map for a key journey (front/back stage) and list compensating controls.
  • ☐ Identify third-party dependencies for this journey and note access/keys/rotation status.
  • ☐ Review one policy/regulatory requirement and align it to the threat map and owners.
  • ☐ Check logs/alerts for a known threat path and note gaps to close in this sprint.
  • ☐ Document one least-privilege or segmentation improvement to apply for this work item.

AI Assisted Activities

  • ☐ Use AI to help summarize domain documentation, threat intelligence, or compliance requirements, but validate AI-generated domain knowledge through direct engagement with domain experts and security reviews.
  • ☐ Have AI generate questions about domain constraints or threat ecosystem relationships, then use those questions in conversations with domain experts to build deep understanding.
  • ☐ Use AI to help draft threat maps or security architecture diagrams, but ensure team members review them with domain experts to verify accuracy and completeness.
  • ☐ Have AI analyze past incidents or domain-related security issues, then discuss those insights with the team and domain experts to identify patterns and prevent similar problems.

Evidence of Progress

  • ☐ You can show where threats intersect with services and who owns the control.
  • ☐ Policy requirements are mapped to concrete controls and owners.

6) The Art of Storytelling

Explain security work as protecting people and outcomes.

💡

Learn More

For more information and a deeper understanding of this principle, refer to the 6) The Art of Storytelling section in the framework.

Workbook Activities (do now)

  • ☐ Tell a short story: “We added X so that Y user is protected from Z scenario.” Share it in review.
  • ☐ Create two versions of a recent incident writeup: one for engineers, one for business stakeholders.
  • ☐ Present a “day in the life” of an attacker vs. defender for one vuln class to the team.
  • ☐ Add a user or business impact line to your next security update to make it memorable.
  • ☐ Record a 60-second explainer on how a control prevents a real user-harming scenario.

AI Assisted Activities

  • ☐ Use AI to help structure or draft security stories and incident summaries, but refine them with real user anecdotes, emotions, and personal observations from direct user interactions.
  • ☐ Have AI generate different versions of security explanations for different audiences (technical peers vs. stakeholders), but ensure each version includes authentic human stories about real user protection.
  • ☐ Use AI to help summarize security work in demos, but lead presentations with human stories about real users protected by security controls, using AI-generated summaries as supporting material.
  • ☐ Have AI help draft security documentation or incident reports, but always include real user quotes, data points, or anecdotes that connect your security work to human impact.

Evidence of Progress

  • ☐ Stakeholders can retell the value of a control in plain language.
  • ☐ Engineers reference your attacker/defender story in design discussions.