Do you see what attackers see? Threat modeling done right
Description
Threat modeling is an intrinsic part of information security governance and needs to be done well. However, research finds that many organizations don't do it well; some are pretty haphazard or chaotic in their approach. In this episode, Marcos Lira, Lead Solutions Engineer at Halo Security, sheds light on how to do threat modeling the right way. The key questions driving the discussion were: a) what is the scope and purpose of threat modeling? b) what have people and organizations been getting wrong about threat modeling? c) what is the right way of doing threat modeling? and d) what is the future of threat modeling?

Time Stamps

01:45 -- Please share with listeners some highlights of your professional journey.
03:52 -- Marcos, please provide listeners with an overview of Threat Modeling. What is it? What is its purpose?
08:13 -- Threat Modeling is such an intrinsic part of information security governance, and it is so important that it's done well. However, my research finds that many organizations don't do it well. Some are pretty haphazard or chaotic about it. Some want to focus on a few applications and are hasty about it. Your thoughts?
14:06 -- There's a lot of guidance out there. But that can be overwhelming and create confusion regarding the right way to do threat modeling. Can you provide some clarity?
22:19 -- As a practitioner, what are your thoughts about the future of threat modeling?
24:23 -- Please share your final thoughts and help us wrap up the episode for today.

Memorable Marcos Lira Quotes/Statements

"You can't make informed decisions about business without threat modeling."

"What most organizations get wrong is that they believe threat modeling will slow the business down."

"What most people get wrong about threat modeling is that it is time-consuming, cumbersome, and confusing because there are so many methodologies out there."

"Threat modeling is a proactive approach. It's going to help the organization decrease costs over time."

"The threat modeling manifesto said it best -- the right way of doing threat modeling is by answering four questions: a) What are we currently working on? b) What can go wrong? c) What are we going to do about it? d) And if we did a good enough job?"

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338 https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Latest Publication: https://www.imd.org/ibyimd/magazine/preventing-security-breaches-must-start-at-the-top/