Do you know what your organization’s attack surface is? Attack surface is everything that a bad person (aka “attacker”) can interact with or touch. Your organization’s attack surface consists of PIA: People, Infrastructure and Applications. By considering the security of your own PIA, you will save yourself time, money, and and prevent security headaches in the future.


People are often the weakest link in cybersecurity. Attackers know it can be easier to trick a user into clicking a malicious link or giving up sensitive data, such as login credentials, than it is to “hack” a system. 


Attackers will poke, probe, and attack your Internet connected infrastructure 24/7/365. This includes your data centers (if you still have them), your cloud infrastructure, and applications that support administration of your infrastructure. 


Applications are all the bits of software running on your infrastructure, and they are notoriously difficult to secure. This includes the software you know about, such as email/messaging, third-party products like Salesforce and ServiceNow, and your flagship software products (if your company develops software). This also includes the software you don’t know about, such as ancillary services, APIs, and legacy applications that are forgotten but still operational.

Using PIA

For every technology deployment, whether a large Enterprise Network or an individual business system, the PIA model can help a non-technical executive ask the right questions of their team. 

Instead of asking are we secure? you can ask: 

“What threats against our People, Infrastructure, and Applications have we considered? And what controls have we considered, implemented, and tested?” 

The quality of the response you receive will help you determine next steps to take. However, this is where emotion and quality of communication can come into play. Does your team’s response make you feel confident? 

Or not confident?

If you’re confident in your team’s plan to control threats facing your PIA, that’s awesome, carry on with your day. 

If you’re not confident, here’s what you can do:

  • Reach out to your security team or CISO for help
  • If you don’t have access to a CISO or security team, you can hire consultants to perform a threat-driven security assessment that covers PIA
  • Make sure your controls are thoroughly tested
  • Train your team on threat modeling basics so you can have more informed conversations about security going forward

A good security assessment will test the quality and strength of a given security control, not just check-the-box that something resembling a control exists. Attackers will not stop because they come across a control. In fact, once they find a control, they will specifically target that controls and try to break it!