Threat-Informed Defense Is Hard, So We Are Still Not Doing It!
Medium, Thursday, August 31,2023
If you wake up an average security professional at 3AM and ask them 'hey, what is security about?', a large majority would say 'it is about the threats.' Ultimately, security (whether 'cyber' or 'information') is unthinkable without the threats. Security professionals are meant to defend against threats from criminals, insiders, and nation-states.
However, if you see the same security person at 9AM, you will likely find that this is not what they actually do most of their day. They configure tools, clean up user messes, write reports, deal with auditors, etc. Sure, some of the activities may be indirectly helpful and perhaps even implicitly informed by the threats, the majority really are not.
So why does everybody seem to support threat-centric security conceptually, but few practice it operationally?