Get Instant Access
to This Blueprint

Security icon

Optimize Security Mitigation Effectiveness Using STRIDE

Choose the right-sized security controls for your data value and risk exposure.

  • Organizations need to have an accurate view of security in order to function and grow without being exposed to too much risk.
  • However, the complexity of IT systems and the sophistication of threat actors makes it difficult for security leaders to have the best information about how secure the organization truly is. This blueprint enables security leaders to aggregate relevant information into one place and gain an informed and insightful view of information security.

Our Advice

Critical Insight

  • Simply meeting regulatory compliance is not enough for security.
  • Changes to the business are just as dangerous as malicious attackers. The business is changing every day and security measures need to evolve to keep up.
  • Your perception of security is only good as the information you collect.
  • Being able to show the business how well you are protected is critical to having support for security and being accepted as a business partner.

Impact and Result

  • Have a clear picture of:
    • Identified critical data and data flows
    • Organizational threat exposure
    • Security countermeasure deployment and coverage
  • Understand which threats are appropriately mitigated and which are not
  • Generate a list of initiatives to close security gaps
  • Create a quantified risk and security model to reassess program and track improvement
  • Develop measurable information to present to stakeholders

Optimize Security Mitigation Effectiveness Using STRIDE

Start here – read the Executive Brief

Read our concise Executive Brief to find out how Info-Tech’s mitigation effectiveness assessment can drive a successful and insightful security program that is right-sized to the business.

2. Data and element inventory

Identify valuable data and map where it flows.

3. Threat severity assessment

Appraise the organizational threat landscape.

4. Control maturity assessment

Catalog existing security controls and the threats they mitigate.

5. Outputs and interpretation

Interpret mitigation assessment results and identify security initiatives.


Onsite Workshop: Optimize Security Mitigation Effectiveness Using STRIDE

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Setup: Risk Tolerance, and Data and Element Inventory

The Purpose

  • Discuss the organizational risk tolerance / risk management strategy.
  • Establish a foundational frame for data and element categorization.

Key Benefits Achieved

  • A map is created of the valuable data and which assets it flows through

Activities

Outputs

1.1

Validate pre-work (data classification, IT systems element inventory, rough data mapping).

  • Data classification scheme
  • Categorized systems elements
  • Rough map of data flows (resting and transmission)
1.2

Review Info-Tech’s quantified risk model and STRIDE threat model.

1.3

Begin threat modeling activity.

Module 2: Threat Severity Assessment

The Purpose

  • Perform a detailed analysis of the organizational threat and risk exposure.

Key Benefits Achieved

  • Understand Info-Tech’s quantified threat severity model
  • A map of the systems threat landscape

Activities

Outputs

2.1

Complete threat modeling activity

  • Mitigation Effectiveness Tool, Threat Severity tab

Module 3: Control Maturity Assessment

The Purpose

  • Catalog all the existing security capabilities and map them to the threats that they mitigate.

Key Benefits Achieved

  • Security control capabilities and maturity mapped to the system threats

Activities

Outputs

3.1

Review the STRIDE security traits and threat – countermeasure relationships.

3.2

Perform a security control and maturity assessment.

  • Mitigation Effectiveness Tool, Control Maturity tab
3.3

Identify gap initiatives to address unacceptable risks.

  • Gap initiative list

Module 4: Gap Initiative Identification and Prioritization

The Purpose

  • Identify security gaps based on threat-control assessments.
  • Create a prioritized roadmap and plan to implement gap initiatives.

Key Benefits Achieved

  • Clearly identified and documented security gaps
  • Prioritized list of initiatives required to address security gaps to the organizational needs

Activities

Outputs

4.1

Prioritize gap initiatives.

  • Prioritized gap initiative list
4.2

Make a plan to incorporate the gap initiatives into a security roadmap, and discuss how to integrate risk model into overall risk management decisions.

  • Workshop results incorporated into risk management and security strategy

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 6-phase advisory process. You'll receive 14 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Setup: Data and element classification
  • Call #1 - Understand how data classification affects the entire organization
  • Call #2 - Discuss the appropriate data and IT systems element classification for your organization

Guided Implementation #2 - Data and element inventory
  • Call #1 - Discuss the scope and methods of data discovery
  • Call #2 - Discuss how best to apply data classifications to existing data
  • Call #3 - Review list of data and element inventory

Guided Implementation #3 - Threat severity assessment
  • Call #1 - Discuss the STRIDE threat model and understand how it applies to your system
  • Call #2 - Discuss frequency and impact reporting

Guided Implementation #4 - Control maturity assessment
  • Call #1 - Review and discuss the STRIDE countermeasures model
  • Call #2 - Review and discuss security countermeasures and maturity

Guided Implementation #5 - Outputs and interpretation
  • Call #1 - Review and understand each of the mitigation effectiveness assessment outputs
  • Call #2 - Discuss interpretation and application of your mitigation effectiveness assessment

Guided Implementation #6 - Implementation and maintenance
  • Call #1 - Discuss the over-arching risk management implications of mitigation effectiveness results
  • Call #2 - Review your mitigation effectiveness assessment and discuss how it can shape your security strategy
  • Call #3 - Discuss what to include in your executive communication deck

Contributors

  • Thomas DeLaine, Director Information Security, Comprehensive Health Services
  • Vincent di Giambattista, Director - Information Security and IT Compliance, Walgreens Boots Alliance
  • Robert Banniza, Senior Director – IT Center Security, AMSURG
  • Chuck Lankford, Chief Information Security Officer, Dallas Area Rapid Transit
  • Diana Sharkey, Manager – IS Management Partnership Services, InfoPartners
  • Joey LaCour, VP & Chief Security Officer, Colonial Savings
  • Sky Sharma, Government Liason and Subcommittee Advisor, AFCEA International
  • Keith Grey, Director of Infrastructure / Information Security Officer, Des Moines University
  • Matthew Langford, Chief Information Security Officer, University of Northern Colorado
  • Jarred White, Product Security Architect, AirWatch
  • Guillermo Mateo, Manager – Information Security and Compliance, Worthington Industries
  • Dwayne Healey, VP – Group Security, PaySafe Group
  • Cecil Greene, Chief Information Security Officer, National Cooperative Bank
  • Salina Olmsted, Senior Compliance and Security Analyst, Hagerty
  • Robert Hawk, Information Security Expert, xMatters
  • Eric Andresen, IT Security Manager, SSAB
  • Ian Parker, Head of Information Security, Risk and Compliance, Fujitsu UK and Ireland
Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019