In your experience, where do security orgs typically go wrong when it comes to threat modeling?

3.3k views, 9 comments
Director of IT in IT Services, 8 months ago
Underestimating evolving threats undermines effective threat modeling. 
CISO in Software, 8 months ago

I concur

VP of IT, 8 months ago
Threat models limited to the external perimeter, not including internal threats.
CISO in Software, 8 months ago

+1

Director of IT in Healthcare and Biotech, 8 months ago
Threat modeling is complicated, and if you don't understand how to perform it, the details of your actual threat actors, and the technical aspects of the attacks, you won't be able to complete your assessment. Companies really interested in threat modeling should ensure the team has the appropriate training and experience. Engaging with an external partner to build a team is a great way to ensure success.
Senior Information Security Manager in Software, 8 months ago
A lot of firms think they can do it themselves.

This is a great book on the topic: Threat Modeling: Designing for Security by Adam Shostack.

https://amzn.to/3Hh1yRu

Too few firms take the time to have their people read it.
CISO in Software, 8 months ago

Adam's book is one of the best. 

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 8 months ago
Presuming past cyber issues will be the future threat, or otherwise restricting the scope of possibilities, is dangerous. Prediction of the future involves unknowns; therefore the brainstorming element of threat modeling should be as freewheeling as possible, with prohibitions against labeling input as "impossible" or a "silly idea". It is essential that the widest possible net be cast to prepare for the next step. The next step is to determine which of the items from the brainstorming session are currently a realistic issue, which are conceivable given the upcoming infrastructure/business changes, and which don't seem to have any possible connection to the business. If all of the items from the brainstorming session are currently realistic issues, then the process was conducted improperly and it should be re-done correctly. Imagination wasn't employed.

Next, estimate the likelihood and severity of each issue. Prioritize the issues/risks. Determine the resources required to implement the risk mitigation strategies. Build out a plan to implement the mitigation strategies, taking into account the resources required, the resources available and the priority of the issues/risks. If new issues/risks crop up at this point, the initial brainstorming should be augmented with the new risks and the subsequent phases should be re-done.
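The triage, scoring, planning and re-plan loop described in the comment above, as an added example that is not part of the thread or any commenter's own tooling. The threat names, the 1-5 likelihood/severity scales, the person-day cost unit and the budget are all constructed sample values; the "every item is realistic means the brainstorm was done wrong" rule is encoded as a hard check rather than a judgment call.

```python
"""Triage and prioritize brainstormed threat-model items.

Added illustration (not from the thread): bucket each item as currently
realistic, conceivable given upcoming changes, or unconnected; sanity-check
the brainstorm; score likelihood * severity; fund mitigations greedily
within a resource budget; re-run when new items appear.
"""
from dataclasses import dataclass

# Triage buckets named in the comment.
REALISTIC = "realistic"
CONCEIVABLE = "conceivable"
UNCONNECTED = "unconnected"


@dataclass
class Threat:
    name: str
    bucket: str
    likelihood: int = 0       # 1 (rare) .. 5 (expected); assumed scale
    severity: int = 0         # 1 (negligible) .. 5 (critical); assumed scale
    mitigation_cost: int = 0  # person-days to mitigate; assumed unit

    @property
    def risk(self) -> int:
        return self.likelihood * self.severity


def check_brainstorm(threats):
    """If every item is already a realistic issue, imagination was not
    employed: the comment says to re-do the session in that case."""
    if not threats:
        raise ValueError("empty brainstorm")
    if all(t.bucket == REALISTIC for t in threats):
        raise ValueError("every item is currently realistic; re-run the brainstorm")
    return True


def prioritize(threats):
    """Rank realistic and conceivable items by risk, highest first; at equal
    risk a realistic item outranks a conceivable one. Unconnected items are
    parked, not scored."""
    actionable = [t for t in threats if t.bucket in (REALISTIC, CONCEIVABLE)]
    return sorted(actionable, key=lambda t: (t.risk, t.bucket == REALISTIC), reverse=True)


def plan(threats, budget):
    """Greedy plan: walk the prioritized list and fund mitigations until the
    budget is exhausted. Returns (funded_names, deferred_names)."""
    check_brainstorm(threats)
    funded, deferred, remaining = [], [], budget
    for t in prioritize(threats):
        if t.mitigation_cost <= remaining:
            funded.append(t.name)
            remaining -= t.mitigation_cost
        else:
            deferred.append(t.name)
    return funded, deferred


def replan_with_new_items(threats, new_items, budget):
    """New issues discovered during planning are added to the original
    brainstorm output and the later phases are re-done from scratch."""
    return plan(list(threats) + list(new_items), budget)


# Constructed sample brainstorm output (not real findings).
SAMPLE_THREATS = [
    Threat("phished admin credentials", REALISTIC, likelihood=4, severity=5, mitigation_cost=10),
    Threat("insider exfiltrates customer data", REALISTIC, likelihood=3, severity=5, mitigation_cost=15),
    Threat("build pipeline compromised upstream", CONCEIVABLE, likelihood=2, severity=5, mitigation_cost=30),
    Threat("ransomware via unpatched VPN appliance", REALISTIC, likelihood=4, severity=4, mitigation_cost=5),
    Threat("attacker tampers with satellite uplink", UNCONNECTED),
]
SAMPLE_BUDGET = 25  # person-days available this cycle; constructed


if __name__ == "__main__":
    funded, deferred = plan(SAMPLE_THREATS, SAMPLE_BUDGET)
    print("fund now:", funded)
    print("deferred:", deferred)
```

The greedy pass is deliberately simple: it shows the ordering the comment asks for (triage first, then likelihood and severity, then resources) and the re-do step, not an optimal knapsack over mitigation costs.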
