Is anyone using threat modeling as a means of continuous architecture? Meaning, you have a threat model for the entire organization and you periodically review it to ensure your current architecture is capable of handling emerging and changing threats.
I suppose so, if you count playbooks and table top exercises.
Ideally threat modeling is happening primarily in the heads of a wide array of subject matter experts (most without security titles) all the time, and leaders and architects are listening to those S.M.E.s when they opine on new emerging threats.
Well, that is a great point. I had a conversation with a Gartner analyst (I know, I’m trying to remain unbiased) recently and he suggested doing threat modeling and reviewing it periodically (at least annually) as a means of “keeping up with threats and the changing landscape”. I thought that sounded great… on paper. Practically, this would be extremely time consuming to keep up to date for each system/control, in my opinion.