I have long been a fan of Philippe Kruchten's work. 4+1 showed a new way to look at software architecture, and I still consider it the defining work in the profession due to its simplicity and clarity. Philippe's Tao of the Software Architect is a little-known gem; one of my favorite parts:
When the process is lost, there is good practice.
When good practice is lost, there are rules.
When rules are lost, there is ritual.
Ritual is the beginning of chaos.
You can see this play out in infosec over and over again.
We try for Security in SDLC
When that fails, we try for better coding and deployment practices, checklists and tooling
When that fails we update policies
When that fails - chaos.
Of course, it does not always fail, and I think turning this list on its head and working from the bottom up is the way to go for most companies. So many companies start with "we need a Secure SDLC!" No question about it, you definitely do, buddy; but first you need policies, tooling, coding practices, training, and checklists all in place before that can happen. If you try to go straight for the Secure SDLC, you will likely cascade into failure.
There is a lot of ritualistic behavior in infosec - determining priorities based on an auditor's spreadsheet or on what you did last year - but rituals are no substitute for thinking and pragmatic action. I recommend that you eschew top-down. Good SDLCs are built from the bottom up - with training, supported by tools, and simple-to-follow checklists and guidelines that make doing the right thing easier.