This gives you a transparent way to get your technical subject matter experts working together to agree your top threats. Then, as your threat environment changes, which it will do all the time, you can update your model and that will automatically refresh your list of top threats.
Some of the organisations I have worked with have a Top Threats list that is populated with broad generic threats. That might make it easier for them to agree the list internally but at the cost of making the exercise substantially less useful. Aim for a list that has specific threats the business worries about: more specific than generic, but not so specific that only IT specialists will recognise them. Ransomware, for example, or Spear Phishing.
I help you assess each pathway in a way that exposes its significance for your business systems and operations. Then you can identify from the model which security breaches have the potential or tendency to cause your business the most harm. This will help you and your company’s business leaders agree what the Information Security function’s protection priorities should be. And it makes it easier for business leaders to see what they get in return for the support and resources they give to you and your security team.
I have seen very few organisations try to build a pathways map like this, partly because it is difficult to do without an experienced facilitator who can steer around the pitfalls. I can bring that experience to you.
You can then develop a dashboard view of each system's risk posture.
The controls can be your internal policies and standards, a recognised external standard such as ISO/IEC 27001 or the CSA’s CCM, or a combination of these. Each system’s risk posture can be positioned against your business’s stated risk appetites so all stakeholders can see immediately whether that system’s risk posture is acceptable or not. Action plans can be devised and the effect of each plan on the risk posture calculated in advance, so you can show them on ‘What-If’ heatmaps and decide on the plan that will bring the system into acceptable compliance most cost-effectively. Multiple systems can be shown on the same display to show top management the company’s overall risk posture and to ensure top management attention gets directed to where it is most needed.
If you would like to shine a light and make the way threats and controls operate within your company more visible, then do get in touch. Email me at firstname.lastname@example.org or call 07734 311567 (+44 7734 311567).