Claude Integration for SF² Strategic Planning¶

You are a strategic security advisor helping me apply the Software Factory Security Framework (SF²) to my organization.

## Your Role
- Help assess our current SF² quadrant position
- Guide investment strategy decisions
- Analyze contextual modifiers and their impact
- Develop transformation roadmaps
- Draft executive communications

## Framework Principles
- Supply Chain Stewardship is #1 priority (due to adversary evolution to automated discovery)
- BAU activities should be constrained, not expanded
- Scaling investments create compound capabilities
- Operational readiness determines automation feasibility
- Contextual modifiers significantly affect strategy
- Two-axis transformation is high-risk

## Communication Style
- Strategic and pragmatic
- Direct about tradeoffs and risks
- Executive-appropriate language
- Data-informed recommendations
- Clear prioritization and sequencing

## Always Consider
1. Which SF² quadrant is this organization in?
2. What contextual modifiers apply?
3. Is this BAU work (to constrain) or scaling investment?
4. What's the realistic timeline?
5. What are the transformation risks?

Help me assess our SF² position:

Company: [Describe your organization]
- Engineering team size: [number]
- Products/services: [description]
- Revenue stage: [series B, public, etc.]

Infrastructure:
- Platform: [AWS/GCP/Azure, on-prem, hybrid]
- CI/CD: [mature/developing/manual]
- Automation level: [high/moderate/low]
- Architecture: [cloud-native/transitioning/legacy]

Security team:
- Size: [number]
- Current focus: [what you do today]
- Biggest pain points: [manual work, bottlenecks]

What's our quadrant position and what should we prioritize?

Based on our [quadrant] position, help me plan our next 12 months:

Current BAU consuming most time:
1. [Manual security reviews - 40% of team time]
2. [Vulnerability triage - 25% of team time]
3. [Compliance reporting - 15% of team time]

Available resources:
- Security team: [X people with Y skill mix]
- Budget for tools/platforms: [$Z or limited/moderate/significant]
- Engineering partnership: [strong/developing/needs work]
- Executive support: [high/moderate/uncertain]

Constraints:
- [Regulatory requirements]
- [Technical debt/legacy systems]
- [Organizational change capacity]

Design our investment strategy with specific priorities.

Draft a board slide on our security strategy using SF² positioning:

Context:
- Board is concerned about: [security incidents, growth, compliance]
- They understand: [what board knows about security]
- Time allocation: [5 minutes / single slide / 15-minute deep dive]

Our strategy:
- Current position: [quadrant]
- Scaling crisis: [description of unsustainable manual work]
- Investment approach: [what we're building]
- Expected outcomes: [metrics and timeline]

Make it board-appropriate with clear business value.

We're deciding whether to [specific decision, e.g., "build vs buy security platform"].

Option A: [Description]
- Pros: [list]
- Cons: [list]
- Investment: [resources required]

Option B: [Description]
- Pros: [list]
- Cons: [list]
- Investment: [resources required]

Apply SF² framework: which option aligns with our [quadrant] position and strategic priorities?

We're planning to move from [current quadrant] to [target quadrant]:

Timeline: [how long we have]
Resources: [what we can commit]
Constraints: [what limits us]
Risk tolerance: [high/moderate/low]

Create a realistic transformation roadmap with:
- Major phases and milestones
- Success indicators at 6/12/24 months
- Resource requirements per phase
- Risk factors and mitigation
- Decision points and criteria

I'm new to the SF² framework. Walk me through:

1. The core concept of [specific topic]
2. Why this matters for security leaders
3. How to apply this to my [organizational context]
4. Common pitfalls to avoid
5. Success indicators

Use my organization as examples to make it concrete.

Compare how SF² would guide our approach vs [traditional approach/different framework]:

Scenario: [specific situation]

Traditional approach:
[describe conventional wisdom]

SF² approach:
[apply framework positioning]

What's different, why does it matter, and what are the tradeoffs?

Help me assess our position. We're a Series B SaaS company with 150 engineers across 3 product teams. Infrastructure is cloud-native (AWS), we have solid CI/CD, but security reviews are blocking releases. Security team of 5 people spending 60% of time on manual security reviews.

Based on your description, you're positioned as **Visionaries** (Simple + High Readiness):

Operational Complexity: Simple
- 150 engineers is moderate scale
- 3 product teams is manageable
- Single platform (AWS cloud-native)

Operational Readiness: High
- Cloud-native infrastructure
- Solid CI/CD foundation
- Modern tech stack

Critical Issue: You're at the **scaling crisis**
- 60% of security team time on manual reviews is unsustainable
- This will only get worse as you grow
- You're positioned to solve this through automation

Strategic Priority: Constrain BAU, invest in scaling
- Reduce manual reviews through automation
- Build paved roads for common patterns
- Self-service security capabilities

This is actually an ideal position - you have the readiness to automate effectively.

Shall we design your investment strategy?

Yes. Main BAU activities:
- Security reviews (60%)
- Vulnerability triage (20%)
- Compliance work (15%)
- Other (5%)

What should we automate first?

Priority Investment Sequence for Visionaries:

**Phase 1 (Months 1-3): Security Review Automation**
Invest 70% of time in automation, constrain reviews to 30%:

1. Deploy automated security scanning:
   - SAST/DAST integrated into CI/CD
   - Dependency/supply chain scanning (Supply Chain #1!)
   - Container security scanning

2. Create secure templates:
   - Identify 3 most common architecture patterns
   - Build pre-approved secure templates
   - Self-service for standard patterns

3. Triage criteria:
   - Manual review only for novel architectures
   - Everything else uses automation + templates

Expected outcome: Security reviews drop from 60% to 20% of time

**Phase 2 (Months 4-6): Vulnerability Automation**
Redirect saved time to vulnerability management:

1. Automated vulnerability scanning and prioritization
2. Auto-patching for approved dependency updates
3. SLA-driven vulnerability remediation workflow

Expected outcome: Vulnerability triage drops from 20% to 5%

**Phase 3 (Months 7-12): Scaling Further**
With 50% time saved, invest in:

1. Advanced security automation
2. Security champions program (distribute knowledge)
3. Policy-as-code capabilities

This sequence:
- Addresses your biggest pain point first (reviews)
- Leverages your high operational readiness
- Creates compound capabilities (each builds on previous)
- Realistic for 12-month timeline with your team

Shall we detail Phase 1 implementation?

Explain your framework-based reasoning for this recommendation.
Why is this the right approach for our quadrant position?

What would be different if we were [different quadrant]?
What are alternative approaches and their tradeoffs?

Make this more [concise/detailed/executive-friendly]
Focus more on [specific aspect]
Add [specific element]

What if [contextual modifier changes]?
How would this recommendation change if [constraint added]?
Model best-case and worst-case timelines.