When it comes to understanding threat modeling in cybersecurity, Ted Harrington offers a powerful comparison to NFL scouting reports. Just as football teams don't play every team simultaneously, organizations don't need to defend against all possible threats at once.
"We can think about threat modeling as the way NFL teams think about scouting reports," explains Harrington. "This week I'm playing this opponent, and this opponent has these strengths and weaknesses. Our team has these strengths and weaknesses. What's the best game plan I can deploy that will make my team beat this team this week?"
Many companies stumble with their security investments because they try to defend against everyone, all the time, which is an impossible task. Instead, Harrington emphasizes three critical questions that shape effective threat modeling:
- What do we want to protect?
- Who do we want to defend against?
- Where will we be attacked?
The answers to these questions reveal how an attacker might exploit your system and, most importantly, guide where you should invest your time, effort, money, and resources.
Think about how NFL teams prepare for game day. They don't create a generic strategy to defeat all teams; they develop specific game plans based on thorough scouting of their next opponent. While this targeted approach doesn't guarantee victory, it works better than having no game plan at all.
"An NFL team builds the game plan to defend against or attack against that team they're playing that week," Harrington notes. "It might not even work half the time, but it works better than if they didn't do that."
The key takeaway? Just as football teams focus their preparation on specific opponents rather than trying to defend against every possible play, organizations should prioritize their security efforts based on their most likely and relevant threats. This focused approach helps ensure that security investments are strategic and effective rather than scattered and inefficient.
Would you like to learn more? Join us at the upcoming e360 Executive Roundtable event on March 13th in Los Angeles, where Ted Harrington will share more insights on strategic security planning and AI security challenges. Register now to learn how to better protect your organization in today's evolving threat landscape.