Is anyone using threat modeling as a means of continuous architecture? Meaning, you have a threat model for the entire organization and you periodically review it to ensure your current architecture is capable of handling emerging and changing threats.

  • @Cow_says_moo
    2 years ago

    I’m an IT risk manager of a small bank. I have a risk log which is in part based on threats for most of the security risks. It’s updated yearly through a risk and control self assessment (although I do more work on the “self” assessment than IT does) or when major changes happen.

    • @lal309OPM
      2 years ago

      I think this is what most people do but as I mentioned on another comment, it was suggested to me to do threat models instead or as an addition (I forgot which way the person pitched it to me). So naturally, I was curious to see if anyone else actually did that as it seems like this would be a significant effort.

  • @MajorHavoc
    2 years ago

    I suppose so, if you count playbooks and table top exercises.

    Ideally threat modeling is happening primarily in the heads of a wide array of subject matter experts (most without security titles) all the time, and leaders and architects are listening to those S.M.E.s when they opine on new emerging threats.

    • @lal309OPM
      2 years ago

      Well, that is a great point. I had a conversation with a Gartner analyst (I know, I’m trying to remain unbiased) recently and he suggested doing threat modeling and reviewing it periodically (at least annually) as a means of “keeping up with threats and changing landscape”. I thought that sounded great… on paper. Practically, this would be extremely time consuming to keep up to date for each system/control, in my opinion.
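The thread describes an organization-wide threat register that is reviewed on a fixed cadence and checked against emerging threats. As an added illustration (not code from any poster), the script below keeps such a register as data and answers the two questions a periodic review asks: which entries are past their review interval, and which systems have no mitigating control for a newly reported threat category. The register contents, system names and dates are constructed sample data, and the STRIDE-style category labels are an assumption about how entries are tagged.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ThreatEntry:
    """One row of the register: a threat, the systems it affects,
    the controls that mitigate it, and when it was last reviewed."""
    threat_id: str
    category: str            # assumed STRIDE-style label, e.g. "Spoofing"
    systems: set[str]        # systems this threat applies to
    controls: set[str]       # mitigating controls in place (may be empty)
    last_reviewed: date


@dataclass
class ThreatRegister:
    entries: list[ThreatEntry] = field(default_factory=list)
    # Review cadence; "at least annually" as discussed in the thread.
    review_interval: timedelta = timedelta(days=365)

    def overdue(self, today: date) -> list[str]:
        """Threat IDs whose last review is older than the review interval."""
        return sorted(
            e.threat_id for e in self.entries
            if today - e.last_reviewed > self.review_interval
        )

    def uncontrolled(self) -> list[str]:
        """Threat IDs recorded with no mitigating control at all."""
        return sorted(e.threat_id for e in self.entries if not e.controls)

    def coverage_gaps(self, category: str, affected: set[str]) -> list[str]:
        """Given an emerging threat of `category` affecting `affected` systems,
        return the systems that have no controlled entry for that category.
        Those systems need a new register entry and a control decision."""
        covered: set[str] = set()
        for e in self.entries:
            if e.category == category and e.controls:
                covered |= e.systems
        return sorted(affected - covered)

    def review_report(self, today: date) -> dict[str, list[str]]:
        """Summary a reviewer would walk through at the periodic review."""
        return {
            "overdue": self.overdue(today),
            "uncontrolled": self.uncontrolled(),
        }


# Constructed sample register and "today" for a worked run.
TODAY = date(2024, 6, 1)
SAMPLE = ThreatRegister(entries=[
    ThreatEntry("T-001", "Spoofing", {"online-banking", "vpn"},
                {"MFA"}, date(2023, 9, 15)),
    ThreatEntry("T-002", "Tampering", {"core-ledger"},
                {"db-audit-log", "signed-deploys"}, date(2022, 12, 1)),
    ThreatEntry("T-003", "Information disclosure", {"file-share"},
                set(), date(2024, 1, 10)),
    ThreatEntry("T-004", "Spoofing", {"admin-console"},
                {"MFA", "ip-allowlist"}, date(2024, 3, 3)),
])


if __name__ == "__main__":
    print(SAMPLE.review_report(TODAY))
    # A newly reported spoofing threat said to affect three systems;
    # "payroll" has no spoofing entry, so it is the gap to address.
    print(SAMPLE.coverage_gaps("Spoofing",
                               {"online-banking", "admin-console", "payroll"}))
```

The per-system cost the comment worries about shows up directly here: every system must appear in at least one entry per relevant category for the gap check to be meaningful, which is exactly the maintenance effort the thread is weighing.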