Over the last few months I have worked with a team of passionate and insightful security experts led by Altaz Valani, Director of Insights Research for Security Compass, and composed of Hasan Yasar, Technical Director and Adjunct Faculty Member at Carnegie Mellon University’s SEI, Jack Freund, Head of Cyber Risk Methodology at VisibleRisk, Arun Prabhakar, Security Consultant at Security Compass, and me.
You may be wondering what we did and why it should matter to you.
First of all, we discussed our experiences with Threat Modeling and with Security Risk Analysis and Management. We recognize that Threat Modeling is becoming more and more important for both small and large enterprises, and this growth trend has yet to reach its apex. On the contrary, we see significant signs of health, including the recent publication of the Threat Modeling Manifesto and of a new book. But we are also already seeing signs of fatigue: members of business teams in a few companies are starting to challenge the need for Threat Modeling. The problem is that the adopted process sometimes does not provide value that justifies its cost.
What should we do, then? Should we abandon our ambitions for Threat Modeling?
Our conviction is that the problem is not Threat Modeling itself, but how it is implemented. The obvious goal is, of course, to maximize the ratio of value to cost. This can be achieved by working on the quality of the outcomes, to improve the value, and also by increasing efficiency, for example through automation, to lower the cost.
But this is not enough. Threat Modeling is still perceived as an activity separate from the business. This hampers its ability to influence the decision process and limits its perceived value. This separation is both a cause of and caused by an objective difficulty in communicating security risks to the business. Caused, because more often than not we, as security experts, are not able to communicate with the business in a way that is easily understandable and that allows them to make decisions. And a cause, because this separation makes it harder to understand what is needed to evolve our language in a way that would make communication with the business more effective.
And this is the problem. As discussed in many posts here, a Threat Model is worth nothing if it is not aligned with the business. The Threat Modeling Manifesto correctly states that “The outcomes of threat modeling are meaningful when they are of value to stakeholders”. How can you provide a meaningful analysis if you do not consider the business angle of the solution? This is why I have pushed so strongly in many posts for creating quality Threat Models that rely only in part on automation, and for focusing on the needs of the business decision makers.
Nobody is saying that we have all the answers yet, and we probably never will. Security is a journey, and Threat Modeling is no exception.
Still, we can spend some time understanding where the Threat Modeling practice stands today and deciding on the direction we want to take. This is what our team has done: we have rethought Threat Modeling, starting from what we see as successful practice today and thinking about how it can evolve to address the issues we are facing. The focus has been on integrating it as a central part of Risk Management and of the business processes. We have chosen to represent this as a Maturity Model, because we think this approach provides a good framework for identifying a personalized path.
We have collected our considerations in a paper that you are free to download and share. You can download it now from https://bit.ly/evolvetm.
I hope you’ll enjoy this paper. Please let me know what you think about it!