How to put threat modeling into practice: A guide for business leaders
Recognizing the value of threat modeling, a process that helps identify potential risks and threats to a business's applications, systems and other resources, is easy enough. By providing comprehensive insight into how cyberattacks might be planned out before they occur, threat modeling helps organizations prepare proactively and reduce the risk of experiencing a successful breach.
What tends to be much harder is actually building effective threat models. Even at organizations with extensive cybersecurity resources, investment in threat modeling tends to be limited. Usually, this happens not because business leaders don't see the point of threat modeling, but because closing the gap between goals and reality can prove deeply challenging when it comes to complex tasks like modeling threats.
But that doesn't mean organizations have to settle for limited insight into the threats and risks they face. On the contrary, by pushing past the hurdles that can make threat modeling challenging, business leaders can take full advantage of threat models to give their organizations a leg up in the battle against cyberattacks.
Here are tips on how executives can enable successful threat modeling initiatives for their businesses.
The Importance of Threat Modeling for Compliance and Beyond
In some cases, businesses associate threat modeling with compliance. This is unsurprising because some regulators – including NIST (U.S.), ECB (EU), FCA (UK), APRA (Australia), and MAS (Singapore) – mandate threat identification and modeling as part of their cybersecurity frameworks. Threat modeling requirements are particularly stringent in the financial sector, where compliance is non-negotiable. Approving a threat modeling program will ensure adherence to these regulations, reduce security risks, and protect the company from potential fines and reputational damage.
That said, the value of threat modeling extends far beyond meeting compliance mandates. As senior manager of an engineering team, I've seen firsthand how integrating threat modeling into the software development process can significantly and directly impact the business through benefits like faster time to market, reduced defects that make it to production and long-term efficiency enhancements.
Improving time to market
Threat modeling enables organizations to identify potential security issues early in the development lifecycle, allowing the team to address these concerns before they escalate into costly problems. By proactively mitigating risks, companies can avoid the delays often caused by last-minute security fixes or post-deployment vulnerabilities. This streamlined approach accelerates our development process, allowing us to deliver secure, high-quality products to market faster.
Reducing defects in production
One of the primary benefits of threat modeling is its ability to reduce the number of defects that make it to production. By identifying potential threats and vulnerabilities during the design phase, companies can implement security measures that prevent these issues from ever reaching the production environment. This proactive approach not only improves the quality of products but also reduces the costs associated with post-production fixes and patches.
Creating reusable artifacts and reference patterns
Threat modeling helps us create reusable artifacts and reference patterns as code, which serve as blueprints for future projects. These patterns encapsulate best practices and lessons learned, ensuring that security considerations are consistently applied across all projects. By embedding these reference patterns into development processes, organizations reduce the need to redo the same work from scratch for each new product, saving time and resources.
Reducing errors through established patterns
The existence of well-defined reference patterns reduces the likelihood of errors during development. Developers can rely on these patterns as a guide, ensuring that they follow proven security practices without having to start from scratch. This consistency not only improves the quality of code but also fosters a culture of security awareness across the team.
Supporting AI/ML with patterns as code
As organizations continue to integrate AI and machine learning (ML) into their development processes, patterns as code become even more valuable. These patterns provide a structured framework that AI/ML algorithms can leverage to automate threat detection and risk assessment. By feeding AI/ML models with established patterns, companies enhance their ability to identify potential security issues, further reducing the need for manual intervention and accelerating the development process.
AI/ML-powered reductions in resource requirements
The integration of AI/ML into threat modeling and development processes can drive significant resource savings. By automating routine tasks such as threat detection, risk assessment, and even code review, AI/ML allows teams to focus on higher-value activities. This not only improves efficiency but also reduces the overall resources required to deliver secure, high-quality products to market.
Best Practices for Putting Threat Modeling into Practice
To leverage these benefits at their organizations, business leaders must have an actionable plan for gaining buy-in for threat modeling initiatives and making threat modeling a routine part of the software development process. The following practices can help.
Emphasize compliance mandates
Most compliance frameworks don't explicitly require the creation of threat models. However, threat modeling can help to meet compliance requirements, especially when dealing with frameworks that obligate businesses to assess risk in a systematic way.
By emphasizing the role of threat modeling in meeting compliance obligations, business leaders can help push colleagues and employees to think about threat modeling not as a nice-to-have practice, but as an essential requirement and a core component of their GRC strategies.
Highlight contractual obligations
Along similar lines, threat modeling can help meet obligations defined in contracts if those contracts include terms related to risk identification and management.
For example, if your company makes its software available to customers or partners, contractual commitments may be in place that require the business to mitigate risks within the software to prevent them from flowing "downstream" into users' organizations. Creating a threat model for the software helps to show that you're systematically managing risks.
Lean into IT security policies
Beyond obligations linked to compliance and contracts, many businesses also establish internal IT security goals. They might seek to configure access controls based on the principle of least privilege, for example, or enforce zero trust policies on their networks.
Threat modeling can help to put these policies into practice by allowing organizations to identify where their risks actually lie. Viewed from this perspective, threat modeling serves as a practice that the IT organization as a whole can embrace because it helps achieve larger goals – namely, those related to internal governance and security strategy.
Leverage chargebacks
Finding the budget to fund threat modeling can be challenging, especially because the cost involves more than just purchasing a tool. You also must account for the staff time that goes into creating and maintaining threat models.
Chargebacks can help. Using chargebacks, business leaders can effectively give contributors "credit" for helping with threat modeling initiatives. This creates an incentive for departments from across the organization to contribute to threat modeling, even if it's not formally part of their jobs. It also helps provide visibility into the cost of threat modeling and makes it easier to budget adequately for threat modeling initiatives.
Conclusion: Making Threat Modeling More Than a Buzzword
Threat modeling has become an indispensable tool for businesses – and not only because of its role in meeting certain compliance requirements. By creating reusable artifacts and reference patterns, reducing errors, and leveraging AI/ML, engineering teams can optimize their development processes and reduce the resources necessary to achieve their goals. This will become all the truer as teams continue to innovate and expand their use of AI/ML, in which context threat modeling will remain a cornerstone of ensuring that security is built into everything businesses do.