The cybersecurity industry's focus on threat modelling and the mindset of an attacker is a counterproductive distraction, argues Abhishek Kushwaha, CISSP, CCSP. His view is that an actor-obsessed approach causes organizations to chase external threats which they cannot control, while neglecting their own internal, controllable vulnerabilities.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
In my opinion, the notion of "threat mitigation" is a misnomer for organizations; they can only perform "risk mitigation". Redirecting focus to organizational risk mitigation helps organizations move from security theatre to real resilience.
Recent cybersecurity discourse has seen a single idea elevated to the status of panacea: "think like an attacker." The industry seems to be infatuated with the glamour of offensive security: we're told to hunt threats, model attacker behavior and anticipate zero-day vulnerabilities on "minus-one day." This romanticized vision of a proactive, actor-obsessed defense is compelling, but for the vast majority of organizations it is, in my opinion, a dangerous and counter-productive distraction that undermines "real" security.
The outcome of a hyper-focus on the external adversary, spurred by relentless industry marketing, is a profound disconnect from ground realities. While organizations chase cutting-edge, attacker-centric strategies, foundational security controls – those listed in the "recommended" sections of every best-practice guide – remain unimplemented; the hard, unglamorous work of basic security hygiene is perpetually deferred in favor of the "next big thing".
I fear that this gap between ambition and action reveals a fundamental misunderstanding, a confusion that lies at the heart of our collective security failures: we have forgotten the difference between threats, which we cannot control, and risks, which we can. My view is that the most effective, mature and practical strategy for most organizations is not a futile chase, but a disciplined return to the principles of true risk management.
The Allure and Illusion of the Attacker Mindset
The idea of "thinking like an attacker" is seductive because it promises a shortcut to resilience. It suggests that if we can only divine the intent and methods of our adversaries, we can build a perfect, pre-emptive defense. But, in my experience, this notion crumbles under scrutiny. The first problem is one of hubris. With every new, sophisticated breach that hits the headlines, it becomes painfully clear that we are still learning the art and science of hacking. We are perpetually one step behind, reacting to techniques we had not previously conceived. The "attacker" is not a singular, knowable entity; it is a dynamic, evolving and often invisible force.
The second, more practical failure lies in corporate hypocrisy. Some leadership teams request cutting-edge ideas from their security departments while simultaneously fostering a culture that prioritizes mere compliance. Our efforts are channeled into ticking boxes for an audit rather than engineering robust defenses. This "compliance-first" mindset is the antithesis of "thinking like an attacker": attackers seek the gaps between controls; a compliance-driven organization might only verify that controls exist on paper.
This creates a security theatre in which an organization professes an interest in advanced defense while continuously refusing to fund or implement the most basic security controls. The allure of the "attacker mindset" provides a convenient excuse for ignoring the mundane-yet-critical work of patch management, access control and network segmentation.
Why Threat-First Defense Fails 99% Of Us
To be clear: I believe that sophisticated, attacker-focused threat modelling has its place. But it is a vital practice only for the one per cent of organizations that build and manage global-scale platforms or are in the business of anti-malware and threat intelligence. Companies like Google and Microsoft must think like an attacker because their platforms are the global battlefield. They also possess the necessary ingredients: near-limitless telemetry from billions of endpoints, the resources to employ world-class reverse engineers and a core business motivation that justifies the immense expense.
For the rest of us — in banks, or retailers, or hospitals, or logistics companies — this approach is a fantasy. We simply don’t have access to the right data to model threats effectively. We cannot compete for the vanishingly small pool of elite talent required to do it well. Most importantly, we aren’t motivated "attackers"; we are IT administrators, developers and analysts, trying to keep business-critical systems online.
The final irony is that even if an organization hires the right talent, its own policies will limit them, blocking, in its wisdom, the very tools and tactics an attacker would use. Penetration testing tools are blocklisted, outbound scanning is blocked and internal reconnaissance is flagged as an anomaly. Such an organization, through its own internal policies, neuters its "supposed-to-be attackers" before they can even begin. It is for these reasons that the "threat-modelling-first" approach fails at the very beginning of its implementation.
We Mitigate Risk, Not Threats
The industry speaks of "threat mitigation." But for most organizations, this is a profound misnomer. A threat is an external agent or event: say, a state-sponsored hacking group, or an organized crime syndicate, or a natural disaster.
No medium-sized or even large-sized enterprise can "mitigate" these. What we can do is address our internal vulnerabilities and implement controls. By patching our servers, enforcing multi-factor authentication, or segmenting our network, we don't affect the existence of any threat in the slightest. What we have done is reduce the risk, the probability and impact of that threat successfully materializing. Therefore, "risk mitigation" is the only precise, honest and actionable term for what almost every private organization does.
To be fair, the term "threat mitigation" is still used in corporate parlance. But when it is, it is understood as a lazy shorthand. It describes the set of controls aimed at stopping a specific threat's techniques – mitigating the threat's impact, not its existence. But this linguistic shortcut is harmful. It constantly pulls the strategic focus back to the external, the unknowable and the uncontrollable.
The Dichotomy of Control
This is where we must take a lesson from the ancient Stoics. The philosopher Epictetus provided a framework that maps perfectly onto the cybersecurity dilemma: the Dichotomy of Control. He argued that we must learn to distinguish between what is within our control and what is not.
Applied to us as cybersecurity professionals: we cannot eliminate threats. I cannot control the emergence of a new zero-day exploit, the motivations of a criminal syndicate, or the geopolitical ambitions of a nation. These are external to me and my organization and to fixate on them is to invite anxiety and waste resources on an unwinnable battle.
I can, however, control my own internal environment. I can choose to take rational, deliberate actions to reduce the impact of a risk being realized. This is the very essence of true risk management. It keeps me internally focused, disciplined and leads to a continuous process of building resilience. I accept that, while the world is chaotic and threats are ever-present, my own response is entirely within my power.
The path to genuine, measurable security improvement is not found in the glamour of threat hunting. It is found in the disciplined and admittedly mundane work of mastering the fundamentals. For the vast majority of us, it’s time to abandon the security theatre of "thinking like an attacker" and re-embrace instead the practical wisdom of managing our own, controllable risk.
Abhishek Kushwaha, CISSP, CCSP, has 12 years of experience in security audits, risk management, governance and cloud security. He has held technical roles, with responsibility for internal and external audits, regulatory compliance and platform security. His cybersecurity work spans ISO 27001, PCI DSS, GDPR, and cloud security.