Drop your checklist and try out for a modeling job

Security and compliance Insights - August 08

You probably think I'm going to tell all you security geeks to drop ISO 27001 and take up modeling. That might be a better career option if you have the right physical stats. But no: today I want to talk about threat modeling, not about Monica Bellucci ("I feel fine and comfortable with myself, but not because I'm beautiful").

Many years ago, I developed airline reservation systems software on Digital VAX/VMS hardware. The owner and CEO of our customer (a rapidly growing charter airline) was a larger-than-life figure who kept chilled Finlandia vodka in a mini-freezer in his office and liked to tell stories. One day he told me a story. He said: "Danny, there are two kinds of consultants, good consultants and bad consultants. You ask them what time it is. The good consultant will look at your watch and say it's 9:30, take his fee and leave. The bad consultant will tell you it's 9:30, steal your watch and run with the money."

The end of the year is coming up fast, and with it IT security audits for Sarbanes-Oxley.

You probably use consultants for audits, and a risk assessment project can eat up a big chunk of budget. The consultant's job is to help you satisfy the compliance regulation, typically by asking a bunch of employees how risky their part of the business process is, whether or not they care about the answer. Compliance doesn't help your employees do their jobs better, and the 500-page risk assessment doorstop in your office doesn't help you anticipate and mitigate the next threat to your company.

There is a better way.

Try threat modeling in your next risk assessment project. Threat modeling makes future risk scenarios vivid, tangible, and measurable in dollar terms, which counters the tendency to ignore threats and do nothing. It also gives you and your employees a practical shared vocabulary of assets, threats, vulnerabilities and countermeasures: what you are protecting, what can harm it and how, and what you can do about it.
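To show what "measurable in dollar terms" can look like, here is an added example, not code from the original article or from Software Associates. It puts a tiny inventory into the vocabulary above (assets, threats exploiting vulnerabilities, countermeasures) and ranks countermeasures by the dollars they save each year minus what they cost. The asset values, incident rates and costs are constructed figures for an imaginary airline reservation system, and the arithmetic (asset value times exposure factor times yearly frequency, the usual annualized loss expectancy) is my choice of a conventional method, not one the article prescribes.

```python
"""Toy quantitative threat model in the vocabulary of assets, threats,
vulnerabilities and countermeasures.

Added example. All figures are constructed for illustration; the
annualized-loss arithmetic is one conventional way to put threats in
dollar terms and is not taken from the original article.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class Asset:
    name: str
    value_usd: float


@dataclass
class Threat:
    """One threat exploiting one vulnerability against one asset."""
    name: str
    asset: Asset
    vulnerability: str
    annual_rate: float       # expected occurrences per year
    exposure_factor: float   # fraction of the asset's value lost per occurrence

    def single_loss(self) -> float:
        return self.asset.value_usd * self.exposure_factor

    def annual_loss(self) -> float:
        return self.single_loss() * self.annual_rate


@dataclass
class Countermeasure:
    name: str
    annual_cost_usd: float
    # threat name -> multiplier on that threat's annual rate (0.1 means 90% fewer incidents)
    rate_multipliers: Dict[str, float] = field(default_factory=dict)


def total_annual_loss(threats: Iterable[Threat],
                      measures: Iterable[Countermeasure] = ()) -> float:
    """Expected yearly loss across all threats, with the given countermeasures applied."""
    total = 0.0
    for t in threats:
        rate = t.annual_rate
        for m in measures:
            rate *= m.rate_multipliers.get(t.name, 1.0)  # untouched threats keep their rate
        total += t.single_loss() * rate
    return total


def net_benefit(threats: List[Threat], measure: Countermeasure) -> float:
    """Dollars of expected loss avoided per year by one countermeasure, minus its cost."""
    saved = total_annual_loss(threats) - total_annual_loss(threats, [measure])
    return saved - measure.annual_cost_usd


def rank_countermeasures(threats: List[Threat],
                         measures: List[Countermeasure]) -> List[Tuple[float, str]]:
    """Best value for money first; a negative figure means the measure costs more than it saves."""
    return sorted(((net_benefit(threats, m), m.name) for m in measures), reverse=True)


# Constructed inventory (hypothetical airline; not real data).
RESERVATIONS_DB = Asset("reservations_db", 2_000_000)
BOOKING_PORTAL = Asset("booking_portal", 500_000)

THREATS = [
    Threat("sql_injection_data_theft", RESERVATIONS_DB,
           "unsanitized search parameters", annual_rate=0.5, exposure_factor=0.25),
    Threat("ddos_outage", BOOKING_PORTAL,
           "single-homed web tier", annual_rate=2.0, exposure_factor=0.10),
]

MEASURES = [
    Countermeasure("parameterized_queries", 30_000, {"sql_injection_data_theft": 0.1}),
    Countermeasure("cdn_ddos_protection", 60_000, {"ddos_outage": 0.25}),
    Countermeasure("security_awareness_posters", 5_000, {}),  # addresses no modeled threat
]

if __name__ == "__main__":
    print(f"Expected loss with no countermeasures: ${total_annual_loss(THREATS):,.0f}/year")
    for benefit, name in rank_countermeasures(THREATS, MEASURES):
        print(f"{name:30s} net benefit ${benefit:>10,.0f}/year")
```

The point of the exercise is the ranking, not the precision of the numbers: a countermeasure that addresses no modeled threat shows up with a negative net benefit, which is exactly the kind of conversation a 500-page checklist never starts.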

Read more about effective risk assessments using threat modeling.

Inspired by Tom Peters.

Software Associates - Business security specialists for hi-tech firms