Shostack + Friends Blog


How Executives Can Use Threat Modeling

You don’t have to be technical, but you can’t make informed decisions about your business without threat modeling.

[Image: Focused colleagues brainstorming in a boardroom. Photo by Anna Shvets from Pexels]

My threat modeling trainings usually have a good mix of technical people, like developers, network architects, and engineers. These technical folks need to use threat modeling, and they learn where it fits into their daily functions. Every so often, though, I get business executives - like CISOs, VPs of engineering, and even a CEO or CFO. It’s a general misunderstanding in cybersecurity - and the rest of the technology world - that business leadership can’t do threat modeling. In fact, most executives use threat modeling every day without realizing it. The good news? Executives can learn to apply specific threat modeling techniques to help make more informed decisions across all areas of the business, especially cybersecurity.

What is threat modeling?

We threat model every day. First, let’s set out a definition of threat modeling that makes sense to everyone - no matter what their job function is. Threat modeling is a structured process that helps you understand what can go wrong so that you can decide whether it’s something that you want to spend time fixing. In the end, threat modeling is basically a way to identify potential threats and decide what to do about them — sometimes adding a control, sometimes accepting the risk.

What is the threat modeling process?

I like to use my Four Question Framework:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

Let’s put threat modeling into an everyday hypothetical.

You just got the notification on your smartphone that you need to install the most recent software update. You’re also on your way to go run errands. You don’t know how long it’s going to take for the update to download and install, and you don’t want to head out without your phone. You decide that you’ll wait until you get home and do it before you go to sleep. You run the errands, Netflix and chill, then install the update without any data being stolen.

This is an example of threat modeling. Even though you might not realize it, your brain went through the following process:

  • What are we working on: Installing a smartphone update and running errands
  • What could go wrong: Someone could steal the personal information that you store on your phone. Your phone could be out of commission while you’re running errands.
  • What are we going to do about it: Compare the time it takes to install versus getting errands done. Decide on the trade-off between getting to Netflix and chill or protecting data sooner.
  • Did we do a good job: Your data was ok - this time! So you did a good job.

4 Reasons Threat Modeling Is Valuable for Executives

We talk about creating a culture of security all the time. To do this, it really does have to start at the top, with executive leadership and even the board. You don’t have to be technical, but you can’t make informed decisions about your business without threat modeling. If you can’t express what can go wrong with your technical systems, how are you making choices about if or how to defend them?

Being a Leader

The best leaders lead by doing. To be an effective senior leadership team member, you need to set an example. You can’t create a culture of security if you’re not actively engaged in the process yourself.

Participating in Conversations

You can’t be actively engaged in conversations that you don’t fully understand. You don’t need to be able to do the work. You need to be able to lead the work.

If data is the new oil, then as a CEO or CFO, you should know where your data is. I don’t mean you need to know this database field-by-database-field, but you should understand the way data flows through your systems and networks.

Building Business Strategies

A fundamental part of your job is to build and communicate about strategic business goals - what we’re working on. Today, those will almost always involve technology or data.

As you’re trying to grow revenue, your marketing and sales teams want to adopt a new Software-as-a-Service (SaaS) customer relationship management (CRM) platform. This makes sense from a business perspective: they can share data to accelerate the sales cycle. But the CRM will also collect, store, transmit, or process sensitive personally identifiable information.

When you’re making these strategic decisions, you have to understand the potential threats so you can determine whether it’s the tool you should add to your business.

Meeting Compliance Requirements

The first thing to explain here: threat modeling is not risk management. They should be integrated, but they’re not the same.

Threats are things that can go wrong. You need to understand how things can go wrong so that you can prove governance over your security program. Threat modeling provides input into risk management. You make decisions about risk, using strategies like:

  • Accept: the risk is low enough that you don’t think it will have a high impact on the business, relative to the reward
  • Transfer: find someone else, like an insurer, to manage it
  • Eliminate: decide not to go there, because other strategies aren’t easily applied, aren’t cost effective, or otherwise won’t mitigate the threat

Let’s return to the SaaS CRM example. You’ve decided to onboard this new SaaS CRM platform, but a lot of personally identifiable information (PII) is involved. The CRM might integrate with the following:

  • Email servers
  • Calendars
  • Social media accounts
  • Communication tools
  • Form or survey tools
  • Conference call software
  • Ticketing systems

Applying Threat Modeling to Compliance

Now, let’s take a look at where threat modeling fits in.

  • What are we working on: Setting up a CRM platform that connects to your networks and other applications
  • What can go wrong: Insecure APIs connecting all these technologies can lead to a data breach
  • What are we going to do about it: Put security controls in place to protect the data, like encryption

Most executives understand the idea of insecure APIs. It’s a point where data goes from one application to another. Understanding the real threat to your company is a bit different. You don’t need to know how to secure an API. You do need to understand how data moves between the applications. If you don’t understand the way data flows across your networks and applications, you can’t understand the threat.

Threat Modeling and Risk Management

This is where you quantify the threats that you can’t simply mitigate. You assess likelihood and impact, or other factors which help you make risk tradeoffs. Once you’ve discovered the threats, you can understand the real risk.

If you have all your sensitive information on one fully trusted network, the impact of any threat is higher and you might want to segment and isolate or even apply zero-trust strategies to limit the impact of an attack. This means you need to understand the way that data flows so that you can adequately assess risk and make sure that you’re mitigating risks.

This is where the fourth question comes in. Now that you’ve managed risk, you need to ask: did we do a good job?

You can’t meet compliance requirements without reviewing things from a strategic perspective. Did we cover all the threats to a reasonable level?
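To make the Four Question Framework concrete for the SaaS CRM example above, here is a small threat register, added as an illustration and not code from the original post or from any threat modeling tool. It assumes constructed data flows between the CRM and the integrations the post lists, constructed likelihood and impact ratings on a 1-to-5 scale, a risk appetite of 6, and simple rules for what can go wrong (data crossing a trust boundary without encryption or without authentication). The treatment choices are the post’s own: mitigate with a control, accept, transfer to an insurer, or eliminate the integration.

```python
"""Lightweight threat register for the SaaS CRM example (constructed illustration)."""
from dataclasses import dataclass
from enum import Enum


class Treatment(str, Enum):
    MITIGATE = "mitigate"    # put a control in place, e.g. encryption
    ACCEPT = "accept"        # low enough relative to the reward
    TRANSFER = "transfer"    # someone else, like an insurer, manages it
    ELIMINATE = "eliminate"  # decide not to go there


@dataclass(frozen=True)
class DataFlow:
    """One edge of the data-flow picture an executive should be able to describe."""
    source: str
    destination: str
    data: str                      # "PII" or something less sensitive
    crosses_trust_boundary: bool   # leaves the network you control
    encrypted_in_transit: bool
    authenticated: bool
    vendor_supports_controls: bool = True  # can the other side be fixed at all?


@dataclass
class Threat:
    flow: DataFlow
    description: str
    likelihood: int  # 1 (rare) .. 5 (expected); constructed ratings
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Question 1 (what are we working on?): constructed flows from the post's integration list.
CRM_FLOWS = [
    DataFlow("CRM", "email server", "PII", True, True, True),
    DataFlow("CRM", "form/survey tool", "PII", True, False, True),
    DataFlow("CRM", "calendar", "schedule", True, True, False),
    DataFlow("CRM", "ticketing system", "PII", True, False, False,
             vendor_supports_controls=False),
]

# Controls assumed to exist for each kind of finding.
CONTROLS = {
    "data readable in transit": "enforce TLS on the integration",
    "API accepts requests from anyone": "require API keys or OAuth",
}


def find_threats(flows):
    """Question 2 (what can go wrong?) as two simple rules over each flow."""
    threats = []
    for f in flows:
        impact = 5 if f.data == "PII" else 2
        if f.crosses_trust_boundary and not f.encrypted_in_transit:
            threats.append(Threat(f, "data readable in transit", likelihood=4, impact=impact))
        if f.crosses_trust_boundary and not f.authenticated:
            threats.append(Threat(f, "API accepts requests from anyone", likelihood=3, impact=impact))
    return threats


def decide(threat, appetite=6, insurable=True):
    """Question 3 (what are we going to do about it?) using the post's strategies."""
    if threat.risk <= appetite:
        return Treatment.ACCEPT
    if threat.description in CONTROLS and threat.flow.vendor_supports_controls:
        return Treatment.MITIGATE
    if insurable:
        return Treatment.TRANSFER
    return Treatment.ELIMINATE


def residual_risk(threat, treatment):
    """Rough residual rating after treatment (constructed assumptions)."""
    if treatment is Treatment.ELIMINATE:
        return 0
    if treatment is Treatment.MITIGATE:
        return 1 * threat.impact            # the control drives likelihood down to 1
    if treatment is Treatment.TRANSFER:
        return threat.likelihood * 2        # insurer absorbs most of the impact
    return threat.risk


def review(flows, appetite=6, insurable=True):
    """Question 4 (did we do a good job?): register plus a pass/fail against appetite."""
    register = []
    for t in find_threats(flows):
        d = decide(t, appetite, insurable)
        register.append((t, d, residual_risk(t, d)))
    return register, all(r <= appetite for _, _, r in register)


if __name__ == "__main__":
    for insurable in (True, False):
        register, ok = review(CRM_FLOWS, insurable=insurable)
        print(f"insurable={insurable}: good job? {ok}")
        for t, d, r in register:
            print(f"  {t.flow.destination:17} {t.description:33} risk={t.risk:2} -> {d.value:9} residual={r}")
```

Running it shows the executive-level point: with insurance available, the ticketing integration is transferred but its residual risk still exceeds appetite, so the honest answer to the fourth question is “no”; without insurance the same integration is eliminated and the register passes. Changing the flags on a flow (encrypting it, authenticating it) is the mitigate path, and that is the decision the post asks executives to be able to reason about.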

Threat Modeling and Governance

Since you understood the potential threats to data security, you were able to make an informed decision about what network to use and what controls to put in place. You’re also able to understand how the control failed and why the steps the security team took helped you secure the data better.

Threat Modeling is for Everyone

Making good trade-offs is a part of being an executive. Every day, we make conscious or subconscious trade-offs when making decisions. When you start to threat model, you’re creating a structured process for consistent outcomes. When you have consistency, you have repeatable processes for strategic decision-making that help you achieve business objectives, like protecting your customers’ data the way you promise.

For more information about the courses I currently have available, please see the listings here.