It is important that security program objectives and controls are supported by the company’s leadership, business units, peer groups, partners and personnel from the top down. Business processes exist to drive revenue-generating activities. Applications are used to reduce the level of effort and mistakes associated with repeatable tasks, and these applications and supporting infrastructure must be protected. However, protecting processes and applications at the same level is not feasible. We must assess cybersecurity risk to determine the best countermeasures as defined by the risk level.
What is threat profiling?
Threat profiling is the process of defining how enterprise and system threats are related to business processes and company assets. Threats are potential methods a threat actor may use to misuse or access a valued company asset. A threat profile must define the assets’ value to the business and any compliance or regulatory restriction of that asset. The business context gives operators a clear understanding of how vital that asset is to the company.
What it is not
Threat profiling does not include defining countermeasures necessary to protect assets or the current vulnerabilities associated with the system. However, threat profiles are essential to ensure proper definition and development of countermeasures. Threat profiles take into consideration the ability and motivation of threat actors based on business factors. When vulnerabilities are discovered, a threat profile will ensure vulnerabilities are addressed based on threat scenarios developed after executing a system threat profile.
Enterprise threat profiling
An enterprise threat profile (ETP) determines threats based on business characteristics such as industry, essential data, compliance, global presence and critical business applications. Business, like systems, may be characterized in many ways. I use the BRF-IT method to develop enterprise threat profiles and form meaningful business communication.
B — Understand revenue-generating functions:
- What are the critical business processes?
- What data is critical and sensitive?
R — Define regional footprint:
- Where are business, front / back office and IT assets located?
F — Understand the needs of supporting functions:
- What are the critical front and back-office tasks required to support the business?
- What are their key processes?
IT — Define a high-level understanding of the critical and sensitive applications and infrastructure:
- What are the applications and infrastructure required to support business and supporting functions?
Threats — Develop relevant threats based on the business, region, back office and support systems:
- What are the risks in (and across) each of these categories?
Create your 360-degree plan
Cybersecurity strategy is more than going through a checklist. Threat modeling provides guidance and checklists to help protect your organization from threats. Often, it is best to combine elements of different models to craft an individualized security strategy. My biggest piece of advice? Don’t think of cybersecurity as something to focus on when it’s convenient. Start building a right-sized security strategy before it’s a problem.
Don’t wait any longer — get started on your cybersecurity plan today!