Threat modeling has huge benefits, says Infosec Skills author Geoffrey Hill
New Infosec Skills author Geoffrey Hill humbly considers himself a jack of all trades, but unlike the old adage, the “master of none” part does not apply.
In addition to designing the new Infosec Skills Threat Modeling Learning Path, Geoffrey is the director of a consulting company, runs a software company and regularly delivers onsite threat modeling courses in his home base of London. He wouldn’t have it any other way.
Get your free course catalog
What is threat modeling?
“I’ve had a passion for threat modeling since the early 2000s,” Geoffrey said. “Back in the early days there was little thought for including protective measures during a project’s construction. Problems were discovered late and people often had to scrap the whole thing, often right before it was supposed to go live.”
Threat modeling is similar to pentesting, but at a much higher level: before any code is written. Geoffrey said it usually involves just a handful of people, such as a threat modeling professional along with an architect or a couple designers.
“That's why it's so cheap and effective, because nothing has been created. All you're starting with is a piece of paper and a drawing. You pentest. You poke holes in it. When you're finished, you've found a bunch of potential issues. By the time the developers get it, it's more efficient for them to just build security in because they're not doing it as an afterthought.”
Infosec Skills threat modeling training
Geoffrey’s Threat Modeling Learning Path includes six courses and introduces you to threat modeling with Rapid Threat Model Prototyping (RTMP). Beginning with a top-level view of threat modeling, you'll look at core security frameworks, elements of a threat model, threat modeling basics, agile architecture and end with a lab to bring all the information together.
The courses are designed for security-focused developers, architects, testers and business analysts looking for a well-rounded, well-organized training.
“Early in the course, we study concepts such as the attack kill chain,” Geoffrey said. “Then we get into the layers of security and systems, adding two or three new elements in each course that build on the core ideas. You're learning threat modeling at the speed of light, I like to say.”
Benefits of learning threat modeling
Like other LX Labs experts, Geoffrey has a passion for training and sharing his expertise.
“I got the love for training while at university. A few of my teachers were excellent and inspiring, and I wanted to be like them,” said Geoffrey, who worked at Microsoft for nearly a decade before getting the chance to teach threat modeling to employees and clients. “I discovered I really liked it, especially engaging with learners. I got to watch the light bulb go off when they finally understood a concept.”
Threat modeling is especially exciting, Geoffrey said, because it has a “triple whammy” benefit for security professionals.
“It's easy to teach. It's easy for people to learn. And it's inexpensive to roll out.”
New cybersecurity professionals need humility
Geoffrey likes to advise those just entering the field to keep a little humility in their toolbox.
“I always think to myself, ‘I'm not the smartest person in the room and I might have missed something,’” Geoffrey said. “You need to plan for the anticipated and the unanticipated. Time and time again I've found that when I’m over-confident and make an assumption, it gets thrown back in my face.”
It’s a valuable lesson for those new to cybersecurity, he said.
“There's a saying, ‘old age and treachery always beats youth and skill.’ It's that way in cybersecurity. There are the older hackers and attackers out there, and they know a lot of tricks of the trade. Never go in with the assumption that because you're a smart person, you're the smartest person in the room.”
FREE role-guided training plans
About Geoffrey Hill
Geoffrey Hill has been in the IT industry since 1990, when he wrote and sold C++ based solutions to measure risk in the commodities markets in New York City. Since then he has worked around the world, specifically New York, Sydney, Tokyo, Emmerich-am-Rhein and London. In the mid 2000s, He was the main custodian of the Microsoft Security Development Lifecycle (SDL) initiative in the UK and then international services organization as part of the Microsoft Security Center of Excellence (SCOE). From 2013 – 2018, he worked as the sole application security architect for Visa Europe in London, where he started Tutamantic Ltd, a producer of software risk automation. Geoff is the inventor of the Rapid Threat Model Prototyping (RTMP) methodology. This threat model methodology allows for quick modelling in Agile and DevOps environments.
In this Series
- Threat modeling has huge benefits, says Infosec Skills author Geoffrey Hill
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity