It’s tempting to look for your cybersecurity solutions at a cybersecurity tradeshow. After all, that’s where all the latest and greatest cybersecurity products are on display. You just walk around, listen to the marketing pitches and choose the best products.

There are two reasons why that may not be the best course of action. Let’s call them product conundrums #1 & #2.

Product Conundrum #1

The first conundrum, when selecting a cybersecurity product, is that some vendors are better at product marketing than they are at product development. This is best detailed in a recent Security Week article entitled Are Cybersecurity Vendors Pushing Snake Oil?

The content of the article is based on research done by Egress. What did the research find? Among other things, that “91% of decision makers have difficulty in selecting cybersecurity vendors due to unclear marketing about their specific offerings.”

This unclear marketing is a direct result of an increasingly crowded marketplace. The crowded marketplace means that whenever a new product appears, “that marketing must compete against existing, established vendors–so it tends to be louder, more aggressive, and replete with hyperbole.”

What is the primary finding of the research? There is a “lack of correlation between increasing cybersecurity spend and any clear increase in cybersecurity effectiveness.” And that shouldn’t be surprising, given product conundrum #2.

Product Conundrum #2

The second conundrum occurs when a company chooses a product before they fully understand why they chose the product. You simply cannot choose the correct cybersecurity product until you understand what threats you are defending yourself against. And as things turn out, you don’t need any products for that. You need threat modeling.

Yes, there are some excellent threat modeling tools on the market, but threat modeling doesn’t start by selecting a threat modeling tool. It starts with thinking about threats to assets which needed to be protected.

Threat modeling must be a human-lead endeavor because the core of threat modeling is understanding adversary intentions. And that human-lead endeavor must be collaborative. Development must work side-by-side with security to understand adversaries, assets and threats. Likewise, business people and technical people must work together to do the same. And none of this requires a product to start. It requires brainstorming.

There is no cybersecurity product that’s going to know what regulations you are bound by. And there’s no product that will help you prioritize asset protection. These “inputs” to a threat model must come from people knowledgeable about your organization, working together. The best threat modeling tool around doesn’t work without these inputs.

The bottom line? When it comes to cyber defense, you should be thinking threats first, products second. And the best way to think about threats is with threat modeling. There is just no way to fully protect your assets without it.

A Product to Help With Threat Modeling

Once you’re committed to collaboratively identifying inputs to your threat model, you may want a simple way to organize and leverage all those inputs, and one excellent way to do that is with ThreatModeler.

ThreatModeler can take those inputs and generate flow diagrams and process diagrams. It can analyze infrastructure-as-code (IaC) and live cloud environments. And it can visualize attack surfaces and recommend mitigations. If you’d like to learn more about how ThreatModeler can help you take advantage of the inputs to your threat model, you can reach out to us here.