Mostly, they seek out vulnerabilities, detect attacks, and eliminate compromises. Of course, the size of the attack surface and the sheer volume of vulnerabilities, attacks, and compromises means organizations must make tough choices; not everything gets fixed, stopped, recovered, and so forth. There will need to be some form of acceptable

It is important to clearly communicate to the target audience which items on the list are threats, assets and controls (however weak they may be). Executives must understand how the combination of these categories of things can be manipulated to cause harm to the enterprise.

I saw a few tweets about this article tongue in cheek saying "time to update your threat model" - but how many actually do that? Who is at work this week creating a document that illustrates how a data breach of their external council could lead to their own data loss event? I'd guess it is a very small number of folks. I'm making the case that