Is anyone using threat modeling as a means of continuous architecture? Meaning, you have a threat model for the entire organization and you periodically review it to ensure your current architecture is capable of handling emerging and changing threats.
Well, that is a great point. I had a conversation with a Gartner analyst (I know, I’m trying to remain unbiased) recently and he suggested doing threat modeling and reviewing periodically (at least annually) as a means of “keeping up with threats and changing landscape”. I thought that sounded great… on paper. Practically, this would be extremely time-consuming to keep up to date for each system/control, in my opinion.