“Who owns your application” is the question that has always kept me on my toes but I see security rarely being thought of as a enabler & often an afterthought by delivery teams. As I picked up the role of a security consultant, the following pain points are what I strove to understand across the teams: Why does ownership and accountability of secure development falls onto security team Why are account leads not completely aware of the security requirements and integration of these practices in development work Why is security roadmap not being able to be integrated by leads A year later, we have engineers who have learned the value of “why” in security and SDLC, as opposed to checking a box and a maturity model that helped leadership take informed decisions. Via this talk, I would present the engagement model a product team can use to self-plan their security journey; a model that highlights the value of it which enhanced the engineering practice as a whole