What is the domain expertise needed for threat modeling?

An excellent security tester needs to understand various types of vulnerabilities and attack patterns. They need to see how individual attack vectors connect into a larger structure, be able to read source code or disassembled binaries to find clues of vulnerabilities, and be able to script and operate automated tools. To really excel at security testing, you might even require proficient reverse engineering skills to understand software under the hood. But some lack background knowledge of software development and architecture, especially those who have been immersed in the security field for many years. Many of them lack up-to-date, hands-on experience with the latest technical architectures, platforms and tools.

An expert who has only made achievements in security testing may struggle to establish a dialogue with software developers. Threat modeling is essentially a process of dialogue between security experts and architects. That dialogue requires a sufficient common language and mutual understanding. Therefore, a new requirement is put forward for security testing: a "common language between security experts and architects".

Throughout the modeling process, the threat modeling expert should play the role of an imaginary adversary and interact with the software/hardware architects or developers, so as to clarify and explain the source of each threat and its possible impact.

"This position is so difficult to recruit. We haven't found a good match for almost a year." - Head of threat modeling at a global enterprise security lab, after spending a very long time trying to staff a suitable person.

Threat modeling is not a new concept, but in the cybersecurity industry you may find that just one in 10 candidates has threat modeling experience listed on their resume, if you're lucky. Candidates who can actually fill this position are even scarcer. Most threat modeling experts choose to stay in universities and research institutions in the role of researcher. They have little hands-on technical experience in enterprises, and the position is rarely seen in product-driven enterprises or IT departments.

Why is it so hard to find a good candidate? The main reason is that threat modeling is not a capability that a traditional security testing position can easily develop.

The essential competence of a threat modeler requires not only accumulating a large body of knowledge about security vulnerabilities and risks, but also understanding a large body of software architecture design principles and technical concepts, and often being very familiar with implementation details. This leads to a very interesting phenomenon: threat modelers mostly grow out of developers, not business analysts or security testers.

Thus we recommend that some architects start considering this niche career path.