Implementing a cross-functional threat analysis modeling solution

Snapshot

A major credit union in the Pacific Northwest came to Kalles Group looking for a new threat analysis and modelling plan to help the company anticipate and manage cybersecurity risks. We quickly realized that this financial firm had been through this whole process before, and with less-than-stellar results. Doing it right meant engaging every aspect of the credit union’s operations. So we took the firm through a process that made it clear why threat analysis and modelling is important to their business, and what the consequences could be if this aspect of their operations isn’t taken seriously. We built a plan for them that is comprehensive, accessible to all relevant employees, and one which – crucially – employees are engaged with.

Challenge

As we began to work with this credit union, we discovered that they had attempted threat analysis and modelling in the past, and that, from a practical standpoint, the efforts had failed. As a result, key stakeholders in the organization had pulled back and become disengaged on this topic. We quickly realized what the problem was: the past approach had treated cybersecurity as a technological problem, to be solved by technology. To create a threat analysis and modelling plan that would actually work, we had to show this enterprise that cyber threats are also about people, and that the solution has to do with behavior.

Approach

Because previous attempts at threat analysis and modelling were focused solely on technology, many stakeholders at the credit union felt that this was an area that they didn’t need to be engaged with. Of course, that’s incorrect – more than 80% of recent security breaches have been the result of individual people’s behaviors, and not faulty technology in and of itself. To change this mindset, we communicated with people at the company engaged in numerous different functions, including cyber risk, design and architecture, solutions delivery and enterprise risk management. We ensured that the modelling and analysis the company engaged in would include know-how from the business, engineering, infrastructure and security teams – in other words, it would be truly useful and comprehensive, showing how everyone in the organization is responsible in some way for proper security practices, and for vigilance against potential threats.

Results

To ensure that our solution worked, we tailored our approach to the company’s culture by surveying participants and gathering feedback and recommendations. We identified a core team with whom we would work and made sure we were working within their available resources. We built comprehensive, understandable data flow diagrams that showed how cyber threats can come from and affect any business process, from beginning to end. We ran workshops where team members brainstormed and rated practical threat scenarios. Participants described the process as “eye-opening” and assessed that they had “learned a lot.”
