Threat Modelling: A CISO's Perspective Against the Status Quo
This blog discusses the importance of threat modelling in cybersecurity and emphasises the need to question traditional approaches to ensure they align with strategic objectives rather than compliance exercises.
In the realm of cybersecurity, threat modelling stands as an essential pillar of effective risk management. As Chief Information Security Officers (CISOs), we are inundated with frameworks, methodologies, and best practices that promise to fortify our organisations against an ever-evolving landscape of threats. Nevertheless, with over two decades of experience in cyber assurance, I am resolute in my belief that it is imperative to question the established norms of threat modelling. It is critical to rigorously assess whether traditional approaches to threat modelling truly align with our strategic objectives or if they have regressed into mere exercises in compliance and checkbox security.
The Challenges of Traditional Threat Modelling: Where It Can Improve
Conventional threat modelling identifies assets, enumerates the threats against them, and maps those threats to vulnerabilities and controls, typically using a framework such as STRIDE or PASTA or the OWASP threat modelling guidance. In practice, however, these exercises tend to concentrate on well-understood, easily defended threats and overlook the kinds of real-world attacks that keep CISOs up at night. They assume a static threat landscape and neglect the constant innovation of adversaries and the shifting geopolitical context in which attacks occur.
The Static Nature of Traditional Threat Models
Traditional threat modelling is typically static: the model is built early in system development or during a periodic security assessment and then left alone. This doesn't align with the dynamic nature of cyber threats. Attackers are adaptive and unpredictable, so a model fixed at design time is out of date as soon as their tactics change. CISOs must feed current threat intelligence back into the model to close the gap between periodic assessments and day-to-day defence.
The Fallacy of Completeness
The idea that a threat model can cover all possible threats is a complete fallacy. No threat model can predict every potential threat, no matter how thorough it is. Believing in the completeness of these models can lead to a dangerous sense of complacency. To truly enhance security, we must acknowledge the limitations of threat modelling and be proactive in preparing for the unexpected, moving beyond the rigid frameworks dominating the field.
Technical threats should not be overemphasised
Conventional threat modelling often focuses too heavily on technical threats and overlooks other important categories of risk. As CISOs, it's crucial to consider a broader range of threats, including strategic, operational, and geopolitical risks. A model that ignores insider threats, supply chain vulnerabilities, and state-sponsored attacks will be of little use when those are precisely the risks that materialise. A strong threat model should encompass the broader ecosystem in which our organisations operate.
Threat Modelling as a Compliance Exercise
In many organisations, threat modelling has become a compliance exercise rather than a genuine effort to understand and mitigate risk. This leads to shallow threat models that provide little value and create a false sense of security. As CISOs, we must treat threat modelling as a critical component of our risk management strategy, requiring ongoing attention and refinement, rather than as a checkbox exercise to satisfy regulatory requirements.
The Need for Dynamic Threat Modelling
If traditional threat modelling is flawed, what’s the alternative? The answer lies in embracing a more dynamic approach—one that is continuously updated and informed by real-time threat intelligence.
Dynamic threat modelling recognises that the threat landscape constantly changes and that our defences must evolve. It’s about moving away from static, one-time assessments and towards a more fluid and adaptive process. This requires integrating threat modelling into the organisation's broader security operations rather than treating it as a separate exercise.
This means using automation (and machine learning where it genuinely helps) to continuously monitor threat intelligence and update threat models as new information arrives, so that likelihood ratings and priorities reflect what adversaries are actually doing rather than what was assumed at design time. It also means fostering a culture of continuous improvement, where threat models are regularly reviewed and revised in light of new information.
Dynamic threat modelling is not about creating perfect models—it’s about creating models as resilient and adaptable as the threats they are designed to mitigate.
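The feedback loop described above, as an added illustration that is not part of the original post: a small threat model is re-scored when a threat-intelligence feed reports techniques observed against the organisation's sector, and any reported technique with no corresponding entry is surfaced as a coverage gap (the "fallacy of completeness" made visible). The threat model, the intelligence records, the sector, the 90-day window and the scoring rule are all constructed for the example; the ATT&CK technique identifiers are real, but their mapping to these assets is assumed.

```python
"""Re-score a threat model as fresh threat intelligence arrives (constructed example)."""
from dataclasses import dataclass, field, replace
from datetime import date
from math import ceil


@dataclass
class Threat:
    """One entry in the model: a STRIDE category against an asset, realised by a technique."""
    id: str
    stride: str
    asset: str
    technique: str        # ATT&CK technique id; the asset-to-technique mapping is an assumption
    likelihood: int       # 1 (rare) .. 5 (expected); this is what intelligence updates
    impact: int           # 1 (negligible) .. 5 (business-critical); set by the business
    mitigations: list = field(default_factory=list)

    def risk(self) -> int:
        return self.likelihood * self.impact


# Constructed threat model for a hypothetical payments service.
MODEL = [
    Threat("TM-01", "Spoofing", "customer portal", "T1566", 2, 4, ["MFA", "phishing-resistant tokens"]),
    Threat("TM-02", "Tampering", "build pipeline", "T1195.002", 1, 5, ["signed artifacts"]),
    Threat("TM-03", "Information disclosure", "card vault", "T1530", 2, 5, ["envelope encryption"]),
    Threat("TM-04", "Denial of service", "API gateway", "T1498", 3, 3, ["rate limiting", "CDN"]),
]

# Constructed intelligence feed: technique seen against a sector on a date, with analyst confidence 0..1.
INTEL = [
    {"technique": "T1195.002", "sector": "finance", "observed": date(2024, 5, 2), "confidence": 0.9},
    {"technique": "T1566", "sector": "finance", "observed": date(2024, 4, 20), "confidence": 0.7},
    {"technique": "T1078", "sector": "finance", "observed": date(2024, 5, 3), "confidence": 0.8},  # not modelled
    {"technique": "T1498", "sector": "retail", "observed": date(2024, 5, 1), "confidence": 0.9},   # other sector
    {"technique": "T1530", "sector": "finance", "observed": date(2023, 1, 9), "confidence": 0.9},  # stale
]


def apply_intel(model, intel, sector, today, window_days=90):
    """Return (threats re-ranked by risk, techniques the model does not cover).

    A modelled threat's likelihood rises by ceil(2 * confidence), capped at 5, when its
    technique was reported against our sector inside the window. The original model is
    not mutated, so the previous and current rankings can be compared.
    """
    relevant = [r for r in intel
                if r["sector"] == sector and (today - r["observed"]).days <= window_days]
    best_confidence = {}
    for r in relevant:
        t = r["technique"]
        best_confidence[t] = max(best_confidence.get(t, 0.0), r["confidence"])

    updated = []
    for threat in model:
        conf = best_confidence.get(threat.technique)
        if conf is not None:
            threat = replace(threat, likelihood=min(5, threat.likelihood + ceil(2 * conf)))
        updated.append(threat)
    updated.sort(key=lambda t: t.risk(), reverse=True)

    gaps = sorted(set(best_confidence) - {t.technique for t in model})
    return updated, gaps


if __name__ == "__main__":
    ranked, gaps = apply_intel(MODEL, INTEL, "finance", date(2024, 5, 10))
    for t in ranked:
        print(f"{t.id} {t.stride:<22} {t.asset:<16} likelihood={t.likelihood} risk={t.risk()}")
    print("uncovered techniques:", gaps)
```

Before the feed is applied the card vault and API gateway sit at the top of the list; afterwards the phishing and build-pipeline threats overtake them, and T1078 (valid accounts) is flagged as a threat the model never considered. The scoring rule is deliberately simple; the point is that the model is a living artefact that the feed is allowed to change, not the specific arithmetic.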
Strategic Threat Modelling: Elevating the Conversation
Beyond becoming more dynamic, threat modelling needs to move out of the technical weeds and engage with the organisation's broader strategic objectives. This requires a shift in mindset from focusing on individual vulnerabilities and attack vectors to considering the overall risk landscape in which the organisation operates.
As CISOs, we align cybersecurity with the business’s strategic goals. This means understanding the organisation’s risk tolerance, most critical assets, and position within the broader market and geopolitical environment. Strategic threat modelling should start with these high-level considerations and work downward rather than vice versa.
For instance, in industries like finance or healthcare, where data is a critical asset, the threat model should focus not just on how data breaches might occur but on the potential impacts of such breaches on the organisation’s reputation, regulatory compliance, and customer trust. Similarly, threat models should consider the risks posed by third-party vendors and geopolitical events that could disrupt operations in industries with significant supply chain dependencies.
This strategic approach requires collaboration across the organisation, bringing together stakeholders from different departments to ensure that all aspects of risk are considered. It also requires the CISO to sit in executive discussions, where cybersecurity is treated as a critical business issue rather than a technical one.
Challenging the Cult of Best Practices
The cybersecurity industry is full of "best practices" enshrined in standards and frameworks, but they can stifle innovation and lead to a one-size-fits-all approach. In threat modelling, this emphasis can result in rigid adherence to established frameworks, even when they're not the best fit for an organisation.
As CISOs, we need to be willing to challenge these norms, develop custom threat modelling approaches, reject elements of popular frameworks that don't align with our goals, and foster a culture of continuous learning focused on outcomes.
What is the CISO's Role in Transforming Threat Modelling?
As CISOs, we are uniquely positioned to drive the transformation of threat modelling within our organisations. It starts with recognising the limitations of traditional approaches and confidently challenging the status quo. We must advocate for a more dynamic, strategic, and business-aligned approach to threat modelling.
To do this effectively, we must build strong relationships with other leaders within the organisation and ensure that cybersecurity is seamlessly integrated into every aspect of the business. We must also invest decisively in the tools and technologies that enable real-time threat intelligence and dynamic threat modelling.
Most importantly, we must foster a culture of resilience and adaptability within our security teams. This means encouraging creativity and unconventional thinking, and rewarding those who challenge established norms and push the boundaries of what is possible.
The Future of Threat Modelling: A Call to Action
The future of threat modelling depends on our willingness to embrace change and think beyond traditional frameworks. As CISOs, we must push for a dynamic, strategic, and business-aligned approach to threat modelling. It's not just about improving security posture; it's about thriving in a world of evolving cyber threats. Threat modelling should be a dynamic, strategic process that evolves to meet organisational needs.