

In the last few months I have worked with a team of passionate and insightful Security experts led by Altaz Valani, Director of Insights Research for Security Compass, and composed of Hasan Yasar, Technical Director and Adjunct Faculty Member at Carnegie Mellon University’s SEI, Jack Freund, Head of Cyber Risk Methodology at VisibleRisk, Arun Prabhakar, Security Consultant at Security Compass, and me. I guess you wonder what we did and why it should matter to you.

First of all, we discussed our experiences with Threat Modeling and Security Risk Analysis and Management. We recognize that Threat Modeling is becoming more and more important for small and large Enterprises. This growth trend has yet to reach its apex. On the contrary, we see significant signs of health, including the recent publication of the Threat Modeling Manifesto and of a new book. But we are also already seeing signs of fatigue: members of Business teams from a few Companies are starting to challenge the need for Threat Modeling. The problem is that sometimes the adopted process is not providing a significant value for the cost. What to do, then? Shall we drop any ambition with Threat Modeling? Our conviction is that the problem is not Threat Modeling, but how it is implemented. The obvious goal is of course to maximize the value for money ratio. This can be achieved by working on the quality of the outcomes, to improve the value, and also by increasing efficiency, for example with automation, to lower the cost.

But this is not enough. In fact, Threat Modeling is still perceived as an activity separated from the Business. This hampers its ability to impact the decision process and limits the perceived value. This separation is also both caused by and a cause of an objective difficulty in communicating security risks to the Business. Caused, because more frequently than not we, as security experts, are not able to communicate with the Business in a way that would be easily understandable and would allow decisions to be made. And a cause, because this separation makes it harder to understand what is needed to evolve our language in a way that would make communication with the Business more effective.

And this is the problem. As discussed in many posts here, a Threat Model is nothing if it is not aligned with the Business. The Threat Modeling Manifesto correctly states that “The outcomes of threat modeling are meaningful when they are of value to stakeholders”. This is the reason why I have pushed so strongly in many posts about the need to create quality Threat Models relying only in part on automation, and about the need to focus on the needs of the Business Decision Makers. How can you provide a meaningful analysis if you are not considering the Business angle of the solution in it? Nobody says that we have all the answers, yet. And probably we will never have them all.
