Forbes magazine has been around since 1917, and we’re guessing this is the first article they’ve ever done on threat modeling.
According to its bio, Forbes magazine features “original articles on finance, industry, investing, and marketing topics.” And while it certainly includes related subjects like technology, communication and science, these are generally intended for a broader audience. They’re generally not intended for the engineering community, which makes sense since that isn’t really their primary audience.
But every now and then, an article appears which seems at first out of place. One intended almost exclusively for the engineering community. And such is the case with an article that appeared last week titled Why Threat Modeling Is Now A Critical Business Skill. It must be important if it made its way to Forbes.
A Little History
The article’s author correctly points out that threat modeling is not new. It has been around since the early days of the software industry. He also points out that “Many of our modern software threat modeling approaches, in fact, have their roots back where our systems and threat actors were well understood.” And that’s the key point he’s trying to make in the article. Yes, threat modeling is important, but we can’t do it the way we used to do it. Because the way we do business has changed.
What are some of those impactful changes? “[M]onolithic systems and architectures have given way to distributed systems and microservices. Siloed development, operations and security teams have given way to cross-functional teams with a shared knowledge base. Longer software development life cycles have given way to shorter ones.”
The message is clear: software development has changed and so too must threat modeling. And it’s now a critical business skill, not just a critical software skill.
The Evolution of Threat Modeling
There are several factors driving the evolution of threat modeling. Today, threat actors aren’t always immediately apparent, software is more complex and development times are shorter. Consequently, “it is difficult even for a modest-sized team to understand how all components integrate together.”
The good news? Threat modeling tools have also evolved. Particularly in three areas: cross-functionality, automation and knowledge base.
As the article points out, “It is no longer possible for a single threat modeler, or even a modestly sized group of threat modelers, to anticipate all threats to a system. New attacks emerge regularly. The threat modeling landscape is too complex with old assumptions being regularly challenged.”
That’s why the best threat modeling tools today focus on cross-functionality and collaboration. The more diverse skills that are brought to bear, the more successful the threat modeling effort is likely to be.
It’s easy to imagine that automation “improves consistency and increases speed.” But, even the most advanced threat modeling tools today are not fully automated, so there’s still some work to be done there. One area of potential improvement going forward is incorporating AI into the threat modeling process.
Finally, threat modeling needs to get smarter over time and one way to help that along is by growing a knowledge base. As the article explains, “Over time, a repeating set of threats and remediation patterns will begin to emerge. Capturing this type of recurring information in a knowledge base and propagating it across similar architectures can save time and allow us to scale our threat modeling.”
What Next?
Threat modeling is now a critical business skill. It requires collaboration, automating processes and increasing institutional knowledge. And it also requires a tool which includes all those capabilities, like ThreatModeler.
ThreatModeler is a modern threat modeling platform that facilitates collaboration, automates many processes and includes a knowledge base. And that knowledge base is populated by the company, which accelerates any company’s institutional knowledge.