The Security Table team dialogues about the importance of data and metrics in understanding and communicating risk. After Matt defines ROI, Izar emphasizes that while data is crucial, it doesn't always come in numerical form. Instead, risk can be expressed in various ways, such as trends, and doesn't necessarily need to be quantified in traditional terms. Chris stresses that executives need tangible metrics and data to make informed decisions, especially when communicating with legal teams and other stakeholders. They then talk about visibility and understanding the attack surface. Izar explains that the attack surface represents an organization's exposure to potential threats. The goal is to provide a comprehensive picture of the organization's vulnerabilities and the measures taken to address them. Instead of inundating executives with technical reports, Izar suggests telling a story that conveys the essence of the risks and the steps taken to mitigate them. Chris, however, emphasizes the importance of concrete data and the challenges executives can face in understanding technical nuances. Lastly, the dialogue touches upon the real-world implications of threat modeling and its ROI. Matt Coles highlights the potential legal and business repercussions if things go awry. The discussion underscores the evolutionary nature of threat modeling, with Izar noting that while one might start with limited expertise, continuous learning and adaptation lead to improvement over time. The overarching theme is the balance between technical details and business-oriented communication, ensuring that executives understand the value and impact of threat modeling initiatives. Links referenced: US Executive Order 14028 on cybersecurity - https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurityCISA, Secure by Design, Secure by Default - https://www.cisa.gov/securebydesignSecure Software Development Framework (SSDF) from NIST - https://csrc.nist.gov/Projects/ssdfFOLLOW OUR SOCIAL MEDIA: ➜Twitter: @SecTablePodcast ➜LinkedIn: The Security Table Podcast ➜YouTube: The Security Table YouTube Channel Thanks for Listening!