In your experience, where do security orgs typically go wrong when it comes to threat modeling?

3.3k views, 9 comments

Director of IT in Manufacturing, 2 years ago

In my view, threat modeling can seriously go wrong when business buy-in or inputs are ignored. It is also essential to understand that not every threat can be quantified. If such an attempt is made, threat modeling can become frustrating and is bound to become just a documentary formality.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 years ago

Presuming past cyber issues will be the future threat, or otherwise restricting the scope of possibilities, is dangerous. Prediction of the future involves unknowns, therefore the brainstorming element of threat modeling should be as freewheeling as possible, with prohibitions against labeling input as “impossible” or a “silly idea”. It is essential that the widest possible net be cast to prepare for the next step. The next step is to determine which of the items from the brainstorming session are currently a realistic issue, which are conceivable given the upcoming infrastructure/business changes, and which don’t seem to have any possible connection to the business. If all of the items from the brainstorming session are currently realistic issues, then the process was conducted improperly and it should be re-done correctly. Imagination wasn’t employed.

Next, estimate the likelihood and severity of each issue. Prioritize the issues/risks. Determine the resources required to implement the risk mitigation strategies. Build out a plan to implement the mitigation strategies, taking into account the resources required, the resources available and the priority of the issues/risks. If new issues/risks crop up at this point, the initial brainstorming should be augmented with the new risks and the subsequent phases should be re-done.

Senior Information Security Manager in Software, 2 years ago

A lot of firms think they can do it themselves.

This is a great book on the topic: Threat Modeling: Designing for Security by Adam Shostack.

https://amzn.to/3Hh1yRu

Too few firms take the time to have their people read it.

Reply: no title, 2 years ago

Adam's book is one of the best.

Director of IT in Healthcare and Biotech, 2 years ago

Threat modeling is complicated, and if you don't understand how to perform it, the details of your actual threat actors, and the technical aspects of the attacks, you won't be able to complete your assessment. Companies really interested in threat modeling should ensure the team has the appropriate training and experience. Engaging with an external partner to build a team is a great way to ensure success.

VP of IT, 2 years ago

Threat model limited to the external perimeter and not including internal threats.

Reply: no title, 2 years ago

+1
