The Security Table

The Return on Investment of Threat Modeling

The Security Table team discusses the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Risk can be expressed in other ways, such as trends, and doesn't necessarily need to be quantified in traditional terms. Chris stresses that executives need tangible metrics and data to make informed decisions, especially when communicating with legal teams and other stakeholders.

They then talk about visibility and understanding the attack surface. Izar explains that the attack surface represents an organization's exposure to potential threats. The goal is to provide a comprehensive picture of the organization's vulnerabilities and the measures taken to address them. Instead of inundating executives with technical reports, Izar suggests telling a story that conveys the essence of the risks and the steps taken to mitigate them. Chris, however, emphasizes the importance of concrete data and the challenges executives can face in understanding technical nuances.

Lastly, the dialogue touches upon the real-world implications of threat modeling and its ROI. Matt Coles highlights the potential legal and business repercussions if things go awry. The discussion underscores the evolutionary nature of threat modeling, with Izar noting that while one might start with limited expertise, continuous learning and adaptation lead to improvement over time. The overarching theme is the balance between technical details and business-oriented communication, ensuring that executives understand the value and impact of threat modeling initiatives.

Links referenced:

  • US Executive Order 14028 on cybersecurity - https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
  • CISA, Secure by Design, Secure by Default - https://www.cisa.gov/securebydesign
  • Secure Software Development Framework (SSDF) from NIST - https://csrc.nist.gov/Projects/ssdf

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

The Security Table, by Izar Tarandach, Matt Coles, and Chris Romeo