Judy Kelly. Image: Red Hat

What exactly does a threat modeller do?

28 Apr 2022

Red Hat’s Judy Kelly explains what a role in threat modelling entails and outlines the biggest challenges she faces working in cybersecurity.

There are many different areas of cybersecurity to work in and the growing attack surface means almost every company is looking for infosec talent right now.

To find out more about what such a role can entail, SiliconRepublic.com spoke to Judy Kelly, a member of the architecture validation team in Red Hat’s product security group.

Kelly has a degree in computer forensics and security from Waterford Institute of Technology and has worked at Red Hat in a variety of security-focused roles including threat modelling.

She explained that the threat modelling process is an approach engineering teams can adopt to help identify security weaknesses in the design phase of what they are working on. When adopted early, it allows for identification and mitigation of threats, increasing the security of a product in a cost-effective way.

“Formally, threat modelling, outlined by OWASP, is a process by which potential threats are identified and rated for severity and possible mitigations are discussed,” Kelly said.

“Less formally, threat modelling happens when you think about each decision that you make in the system you’re creating and extrapolate how these may affect its security either immediately or in the future.”

While there are many tools on the market that can help security teams be more efficient, Kelly said it’s important to stress that threat modelling is a process rather than a tool.

“Tools by themselves cannot currently take the place of humans reasoning about how other humans would attack a system,” she said.

“Our team views threat modelling as a team sport, as we believe it is most effective when multiple stakeholders come together to look at a system from different angles: developers, architects, quality engineers, along with security specialists.

“Security specialists, like myself, ask questions to get a better understanding of the security controls in place. The goal is that everyone leaves with a better understanding of the risks that affect the product.”
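The identify, rate and mitigate loop Kelly describes can be sketched in code. The following is an added example written for this article, not Red Hat's or OWASP's tooling: it models components in trust zones, treats every data flow that crosses a zone boundary as a place to ask questions, enumerates a candidate threat per STRIDE category (STRIDE, the zone names, the likelihood-times-impact scoring rule, the mitigation text and the browser-to-gateway-to-database sample system are all assumptions made here, not taken from the article), and returns a severity-ordered list for the team discussion.

```python
"""Added example: a tiny threat-model enumerator following the
identify -> rate -> mitigate loop. Zone names, STRIDE mitigation text,
the scoring rule and the sample system are constructed for illustration."""
from dataclasses import dataclass
from typing import List

# Generic mitigation class per STRIDE category (STRIDE is an assumption
# here; the article names only the OWASP process, not a taxonomy).
STRIDE_MITIGATIONS = {
    "Spoofing": "authenticate both ends (mTLS, signed tokens)",
    "Tampering": "integrity protection in transit (TLS, MACs)",
    "Repudiation": "tamper-evident audit logging",
    "Information disclosure": "encrypt in transit, minimise data sent",
    "Denial of service": "rate limiting, quotas, timeouts",
    "Elevation of privilege": "authorisation check at the boundary, least privilege",
}

# Which Flow control, if present, lowers the likelihood for a category.
CONTROL_FOR = {
    "Spoofing": "authenticated",
    "Tampering": "encrypted",
    "Repudiation": "logged",
    "Information disclosure": "encrypted",
    "Denial of service": "rate_limited",
    "Elevation of privilege": "authenticated",
}


@dataclass(frozen=True)
class Component:
    name: str
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    source: Component
    dest: Component
    data: str
    sensitivity: int  # impact if compromised, 1 (low) to 3 (high)
    encrypted: bool = False
    authenticated: bool = False
    logged: bool = False
    rate_limited: bool = False


@dataclass
class Threat:
    flow: Flow
    category: str
    likelihood: int  # 1 to 3
    impact: int      # 1 to 3
    mitigation: str

    @property
    def severity(self) -> int:
        # Simple likelihood x impact rating, 1..9 (constructed rule).
        return self.likelihood * self.impact


def enumerate_threats(flows: List[Flow]) -> List[Threat]:
    """Identify: every flow crossing a trust boundary gets one candidate
    threat per STRIDE category. Rate: likelihood starts at 3 for flows
    originating on the internet, else 2, and drops by 1 when the relevant
    control is already in place. Result is ordered highest severity first."""
    threats: List[Threat] = []
    for flow in flows:
        if flow.source.trust_zone == flow.dest.trust_zone:
            continue  # same zone: not a boundary crossing, nothing to rate
        base = 3 if flow.source.trust_zone == "internet" else 2
        for category, mitigation in STRIDE_MITIGATIONS.items():
            control = CONTROL_FOR[category]
            has_control = getattr(flow, control)
            likelihood = max(1, base - 1) if has_control else base
            note = (f"existing control '{control}' present; verify it"
                    if has_control else mitigation)
            threats.append(Threat(flow, category, likelihood,
                                  flow.sensitivity, note))
    return sorted(threats, key=lambda t: (-t.severity, t.category))


# Constructed sample system: browser -> API gateway -> database (+ replica).
BROWSER = Component("browser", "internet")
GATEWAY = Component("api-gateway", "dmz")
DATABASE = Component("postgres", "internal")
REPLICA = Component("postgres-replica", "internal")

SAMPLE_FLOWS = [
    Flow(BROWSER, GATEWAY, "login credentials", 3, encrypted=True),
    Flow(GATEWAY, DATABASE, "account query", 3, authenticated=True),
    Flow(DATABASE, REPLICA, "replication stream", 3),  # same zone, skipped
]


def report(threats: List[Threat]) -> List[str]:
    """One line per threat, ready for the team discussion."""
    return [f"[{t.severity}] {t.flow.source.name} -> {t.flow.dest.name}: "
            f"{t.category} on '{t.flow.data}'; mitigation: {t.mitigation}"
            for t in threats]


if __name__ == "__main__":
    for line in report(enumerate_threats(SAMPLE_FLOWS)):
        print(line)
```

Running it lists twelve candidate threats (six per boundary-crossing flow, none for the same-zone replication stream), with the unauthenticated, unthrottled internet-facing login flow rated highest. The output is deliberately a list of questions to bring to the room, not a verdict: the point of the article is that the rating and the mitigations get decided by developers, architects, quality engineers and security specialists together.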

The challenges of working in security

While infosec roles can be extremely exciting, the evolving threat landscape can bring challenges to those working in the industry. As an open-source software specialist, Red Hat also faces its own set of specific security challenges.

“Red Hat invests significantly in the maintenance of open-source software throughout the life of every product. For supported software we ship, we take on the responsibility of not just supporting it but also addressing issues of significant concern, such as security,” said Kelly.

“The Threat Modeling Manifesto values are used by our team as our north star and as a foundation to overcome any challenges that we face.”

Another challenge Kelly has seen in the security space is one of diversity. While there has been a positive shift in the number of women working in cybersecurity in recent years and her own team has an equal split of men and women, she has not been immune to the challenges women in the tech industry can face.

“As a woman who pivoted my career in my early 40s into the technology industry, I can speak first-hand to the challenges that I faced. For instance, I was the only female and the only mature student who graduated from my course in 2019. Traditional hiring practices should be revisited by out-of-the-box thinking hiring managers,” she said.

“Hiring managers who put people before technology are willing to invest in people’s development by funding paid internships and considering returnships whereby people who are returning to the workforce can be given an opportunity to sharpen their skills and develop much needed skills and experience. Red Hat and its forward-thinking hiring managers did this for me.”


By Jenny Darmody

Jenny Darmody became the editor of Silicon Republic in 2023, having worked as the deputy editor since February 2020. When she’s not writing about the science and tech industry, she’s writing short stories and attempting novels. She continuously buys more books than she can read in a lifetime and pretty stationery is her kryptonite. She also believes seagulls to be the root of all evil and her baking is the stuff of legends.
