How to Think (About Complex Adversarial Systems)

It's possible to approach security as a series of one-off technical problems to solve one after another (from either the attacker or defender perspective). While this can often help you find and fix specific bugs, it's not particularly useful for either securing or attacking an organization at scale, and tends to fail badly when you attempt to interact with humans. Everyone who works in security finds patterns in their work, and scaling up and orchestrating interactions with those patterns is a large part of how we make progress.

We rarely talk about the larger structures of these patterns, though, and, being of a practical bent, often try to turn back to practice too quickly -- hence, e.g., much of the lackluster discourse around threat modeling. In this talk, I'll look into some of the things I've noticed about how to think that may be useful for security practitioners of all stripes.