Can threat modeling keep security a step ahead of the risks?
CSOs need to more precisely understand the actual threats facing their organization. The fix? Threat modeling
February 05, 2014 — CSO — With significant breaches becoming a near daily occurrence, it's clear that attackers are managing to stay one step ahead of many organizations. It's clear that security professionals and CIOs aren't focusing closely enough on the threats and the data that matter.
Consider the findings of our most recent annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO. According to the more than 9,600 executives surveyed, their organizations have increased IT security spending, yet the number of attacks they're enduring and the costs of those attacks are rising.
So it's not so surprising to learn that only 17% of those respondents bother to classify their business use of data, roughly 20% have procedures dedicated to protecting intellectual property, and a surprisingly low 26% inventory assets or conduct asset management.
If enterprises are to improve, they need to more precisely understand the actual threats poised against their organization and the vulnerabilities in their IT enterprise. The fix? Threat modeling.
It's not a new concept; we innately conduct risk assessments and threat models for ourselves. "We all conduct risk assessments and threat models in our daily lives, whether we think about it or not. We think about who might want to break into our car and the neighborhood we're in. So we do it all the time that way," says Wendy Nather, research director, enterprise security practice at 451 Research.
We're not always good at this, fearing shark attacks more than accidents around the house, for instance. People tend to get more jittery when boarding an airplane than when getting behind the wheel of their car. Emotions take over, and they often do for enterprises as well.
To improve their decision-making, organizations need to quantify their risks the best that they can.
Move away from emotion-based decision making
"From an organizational perspective, it's important because a business needs to understand who and what the threats are, just as you want to know who your competitors are and who might pose a threat to you in that way," says Eric Cowperthwaite, vice president, advanced security and strategy at Core Security Inc., and former CISO at Renton, WA-based Providence Health and Services. "Otherwise the CEO is just awash in all of the fantasy in news all of the time," he says.
Threat modeling is not a new concept to some vertical markets, such as banks, financial services, and those in critical infrastructure or the delivery of critical services. "Banks have done threat modeling for fraud forever," says Nather. "I think that as time goes on though, that industry has learned that they have to threat model for more than just fraud," she says.