Using simple analogies, Adam details the hows and whys of this process to help security professionals build relationships and get the buy-in they need from groups like leadership and engineering. If you're interested, you can view the full session here.

On the power of communicating with stories and analogies

Chris begins the conversation by asking Adam how the idea for his most recent book emerged. Adam’s response, which is evident throughout the entire discussion, is that stories are a fundamental way of communicating cause and effect and understanding, especially for complex topics where stakeholders may not have domain knowledge.

“Making things accessible, putting a little fun around it, helps people get into a state where they're gonna learn.”

– Adam Shostack, President, Shostack + Associates

Threats are the real “story” of security

With Adam having literally written the book on threat modeling, and with his recent book focusing on articulating threats to engineers, the conversation turns to the fundamental role threats play in security, and why it’s important to focus on them. For Adam, threats motivate the “why” behind security. Communicating threats isn’t about fear mongering but making explicit how threats inform the practices and standards that are designed to combat them. Knowing threats means being considerate about the measures being taken by an organization, and helps security professionals communicate the reason behind practices, to help stakeholders internalize security.

“The reason that I talk about threats is that I believe threats motivate our defenses. We manage vulnerabilities so people can’t use them to expand their authority or elevate privileges and break in. We engage in risk management because these threats exist, and so I think they’re actually quite fundamental.”

– Adam Shostack, President, Shostack + Associates

The importance of giving engineers context on threats

There are a lot of reasons why security can become a secondary concern for teams working in a modern software development environment. Adam argues for giving engineers specifics about threats relevant to their work in order to help them internalize security to the best of their ability. The goal of books like Threats: What Every Engineer Should Learn from Star Wars is to make the core aspects of security second nature for engineering teams.

“The reason the new book is subtitled “What every Engineer Should Learn from Star Wars” is because most of the problems we ship with are somewhat mundane. I think if we’re going to succeed at the speed of modern software we need to ask every engineer to think about security. If we want that to happen we need to give them sufficient specifics so that they can do an okay job.”

– Adam Shostack, President, Shostack + Associates

Staying grounded when doing threat modeling

Another core theme that emerged in Chris’ conversation with Adam was the importance of addressing baseline threats, and not getting lost in focusing on exciting, but more improbable risks to your organization. Just as threats are a fundamental part of security, some threats are more fundamental or likelier than others.

“When I read [in your book] “attackers will spend their budget as they want and not as you hope” I had an addition: “attackers will spend their budget as they want, not as you hope, but only if they need to.” This is to your point about low hanging fruit security is much more about fixing this.”

– Chris Hodson, CSO, Cyberhaven

Keeping the story alive

If you enjoyed this recap, be sure to check out the full session here. There is a lot that Chris and Adam cover, including what Adam considers the four key aspects of threat modeling, one of the most important lessons Adam learned early in his career, and an in depth discussion about how stories enable security.

Also make sure you join us for our next installment of the CISO series by registering here. We hope to see you there!