Threat Model Business Alignment Checklist

January 3, 2023 | By IANS Faculty

Building a threat model specific to your organization requires collaboration and alignment with the business. This checklist helps ensure critical business stakeholders are involved from initial input to implementation.

Prepare to Engage Business Leaders 

  • Get a preliminary Phase 1 Threat Model in place
    • Research the 3-6 significant cyber events most likely to harm your organization
  • Identify your organization's top influencers who can make or break your plans
    • Include both business and functional leaders, and target them as potential sponsors
    • Identify and include detractors, and work to convert them to sponsors
  • Set up meetings with those business leaders 
    • Request a 30-to-60-minute slot on their calendar 
    • Explain the purpose is for their input in developing an organizational security threat model 
  • Prior to meeting, research each leader’s business or function
    • Use annual/quarterly reports and websites to research their organization 
    • Determine the leader's mission, vision and targets for their organization
    • Define information security parameters for their particular set of assets 
    • Review internal reports
      • Find all internal organization reports on previous breaches or serious cybersecurity events. Include items from audit reports.
      • Research previous events that leaders discussed - even if rumors
  • Create 1-2 introductory slides 
    • Define what a threat model is (i.e., security incidents leading to significant harm in their unit)
    • Define what constitutes a risk around their current information security framework

Meet with Key Business Leaders 

  • Kick off the meetings
    • Thank the leader and introduce your role
    • Detail the agenda and meeting format ground rules (to stay on topic)
    • Describe how you are working to align your security program with the actual organizational threats, requiring a series of one-on-one meetings which include:
      • A few open-ended questions
      • A broad discussion of security related concerns
    • Detail follow-ups to review aggregated meeting results
  • Ask the leader to describe their own functional area
    • If a business unit: Ask about revenue, profit margins, etc.
    • If a function: Ask about scale and scope of responsibility
    • If there is a mission and/or vision statement for the organizational unit 
      • What are the current targets? 


  • Start the risk discussion using open-ended questions; examples include:
    • Outside of our company/organization, what serious security events are you aware of in our industry or sector?
    • Are you aware of any events that have harmed our customers?
    • How do you see these events relating to our own operation?
    • Putting these external events aside, what issues around our information security worry you most? What keeps you awake at night?
    • If there were a breach in information security here, what do you see causing the most damage?
    • How might we experience the harm of these events? What kind of harm?


  • Be flexible, but stay on the agenda
    • If the leader wants to structure in another way, let it flow, but stay on topic (focus solely on circumstances leading to harm)
    • If the meeting gets derailed, get agreement on a follow-up meeting where you can ask structured questions and gather leadership feedback as part of a later consensus discussion
  • Foster clarity on InfoSec's mission
    • Explain information security overlaps with physical security, IT, privacy, enterprise risk management and other functions in the enterprise
    • Help the leaders understand the distinctions; as a team player, acknowledge that some boundaries do overlap and that this is the purpose of collaboration
  • Aggregate your notes from the meetings with business leaders
    • Try to cross-check any financial information, targets and mission statements that emerged in the discussion
  • Standardize and align concerns heard across all leaders and group them
  • Do your own importance ranking of the concerns
    • Weigh the leaders' personal concerns by the dollar loss potential of the risk 
    • Try to rationalize personal concern with actual damage to the organization as best as possible
  • Revisit your ranking according to likelihood
    • Use your external research to validate the relative ranking of likelihood
    • Because of the rarity of the security events, this part takes quite a bit of judgement, and the result is only the start of later group discussions
  • Create your Phase 2 Threat Model
    • Assemble your Phase 2 model from the input of a credible sample of leaders, enough that you could meaningfully lead a discussion of the threat model with other leaders
    • Create a single slide showing the threats in priority order
  • Prepare for challenges
    • Organize backup material for each threat
    • Keep it in your pocket or present it as an annex to your single slide
  • Create a simple sources table
    • List all the sources included in your Threat Model Research Workflow and check off each source that contributed to each particular threat in your Phase 2 model
    • Cite each leader's contribution to each threat in your Phase 2 model
    • Cite contributions from internal reports or auditors to each particular threat in your Phase 2 model

Conduct a Threat Model Review Meeting 

  • Create an advisory group of key business leaders
    • Choose a few of your interviewed leaders to act as advisors/sponsors to your threat model program
    • Have them co-own the program with you to ensure the program is well-accepted
    • Give the group a designation, such as:
  • Review the Phase 2 model with interviewed leaders who are not advisors/sponsors
    • Review your results and see how well your Phase 2 model plays
    • Use this discussion to verify and perhaps modify your Phase 2 model
  • Conduct a threat model review meeting with the advisory group
    • Include a clear goal statement - to finalize the threat model
    • Present the “preliminary” threat model (Phase 2 result)
    • Discuss the model and facilitate that discussion by:
      • Reviewing the threats
      • Citing evidence
      • Recognizing the concerns of those who provided input
    • Drive for a consensus on the final ranked list
      • If finding a consensus is difficult, meet one-on-one to broker as close to a consensus as practical
  • Plan for the future
    • As a group, determine how often the model will be revisited
    • Use the model to prioritize and align activities within information security (see the checklist points above)
    • Transition into a running operation with a key set of leaders who own and sponsor your activities based on a shared view of the threats posed to your organization
    • Treat these leaders as wise advisors and engage the most enthusiastic as evangelists for your work
