As a business leader, you are likely familiar with SWOT analysis. SWOT is a strategic planning exercise to help identify a business’s Strengths, Weaknesses, and Opportunities, as well as Threats jeopardizing its growth and existence.

You are probably less familiar with Threat Modeling: a strategic or tactical exercise that identifies Threats to systems and software, and appropriate countermeasures. At the board and executive level, Threat Modeling complements SWOT to improve cybersecurity leadership throughout the organization, and helps prepare leaders for the unfortunate but inevitable incident or breach.

Before we go any further, let’s quickly define what a “threat” is and look at some examples. The one from Google that I like the best: a threat is a person or thing likely to cause damage or danger.

Threats don’t go away. For example, you can put a fence and gate around your house, but the threat of a burglar trying to break in will never completely go away.

In a typical executive level SWOT analysis, you may identify something vague like “cyber attack” as a threat, alongside other better defined business threats like “increased competition in the digital space” and “increasing regulatory compliance requirements”. Where SWOT ends with “cyber attack,” Threat Modeling can provide additional detail and important context at a level appropriate for executive teams.

Here’s an easy example of a cybersecurity threat that won’t go away, and that executives need to be aware of: attackers will attempt to gain access to corporate systems via phishing attacks targeting our employees and customers.

The business can perform phishing simulations, train users, and implement technical controls, but the threat of phishing attacks will never go away.

Leaders need to know that threats do not go away, because information security controls do not work 100% of the time in 100% of security incidents. If a significant incident or breach occurs after investment in controls, no one will be happy, but no one should be surprised.

In my next post, I’ll discuss my “People/Applications/Infrastructure” framework that makes Threat Modeling easier for executive teams.