Before writing a security policy, one is told to always build a threat model first.
Basically it is a cost analysis: when you evaluate a measure, you put the losses and benefits of securing and of not securing on each side of the scale.
For instance, protecting $0.25 non-cumulative coupons with $50 of protection per coupon is stupid if they apply to items costing $15.
But the problem with a threat model analysis is that it is centred on the one who pays, who may have an interest in betraying the other stakeholders.
Take the case of Carlos Ghosn, the head of Renault. Since he is French, most people think his loyalty is to his country, and thus to Renault. However, his pride is the recovery of Nissan. And he led the merger of equals in disguise called the Renault Nissan Alliance. In M&A (fusacq) culture, a merger of equals often results either in a split after a culture clash, or in one company absorbing the other through strategic leverage.
If I were asked by Carlos Ghosn to secure the Renault infrastructure, I would take great care to firewall him. Because there is the man and there is the function. He can sign as a person, but he is the head of Nissan, of Renault and of the Renault Nissan Alliance, and depending on the success of each of the 3 distinct entities he may have different financial incentives.
And which one of the 3 positions will be paying you?
He has an obvious win to make in an N-turn betrayal game (in the Nash sense).
It seems kind of crazy, but your biggest threat might be the one asking for the audit. We are all incentivized, and given ease of access to certain analyses, according to who pays. And the one who pays can also turn down your analysis.
I know that, under auditing best practices, if another audit company can argue that your plan is biased, you may lose your certification.
The problem in France is that Renault has proven to be above the law, with great lobbying power (Usine Nouvelle, fr). Making an enemy of Renault's boss is a sure way to get into a lot of trouble, and eventually to lose your precious audit certification.
However, what itches me is that he holds a mandate; as such, he should be seen as a less than permanent stakeholder. Less permanent than all the workers, who have an incentive to trust the company and who need the company to work.
In fact the case can be made for every CTO mandated by a shareholder. And also about shareholders themselves, when we live in a time of high turnover of shares.
A temporary major shareholder can very well have interests in other companies, because diversification within a sector you understand is a common financial strategy for making costly expertise bear fruit.
So you may also want to firewall shareholders. But then you have a big headache: shareholders, by ownership, carry a legal liability for the actions of the company, and must also be able to exercise their right of oversight (droit de regard). Well, in fact, when I look at the Volkswagen Dieselgate, I notice it is not the shareholders that are being sued but the company itself. And so, even though computer security is supposed to ensure an enforcement of responsibility, it has turned into a vast joke of deniability.
As you see, my point is that computer security, in my opinion, always has a caricature of a vision of the organisation as its model. Hence the threat model does too.
In my opinion, a good threat model should always put the one who pays at the top of the threats.
The one who has the most control (defined by the number of actions he can make others do, but that others cannot make him do) is a systematic threat.
Asymmetric power systematically lowers the cost of treason; hence anyone wishing for a secure system should always be safeguarded from violating the system himself.
Most, if not all, of the security models I have experienced in my life are hierarchical, as if a centralized hierarchical system mimicking the Catholic Church (the word itself comes from this organisation: hieros = holy, archein = ruling) were an obvious cultural bias in security companies. Along with the idea that one stakeholder has the True right to dictate the direction of an organization.
Some idiots think the peer-to-peer decentralized model is better. The decentralized anarcho-libertarian model is prone to net splits, a.k.a. balkanisation, with local decentralized networks spinning off.
Is there an alternative?
Well, of course there is: it is called Pokemon.
Pokemon's creators used the complex overlapping symmetries of particle physics to build a shifumi (rock-paper-scissors) with strong types, without granting any creature a total advantage: a complex shi-fu-mi Mexican standoff.
You could just as well give balanced power to every stakeholder, with partial access to information, so that a total view requires the cooperation of the actors under reciprocal scrutiny, so that even the watchers are watched.
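One concrete way to build the "partial information, total view only through cooperation" property is a k-of-n threshold split of a master credential. The example below is added here and is not code from the original post: it uses Shamir's secret sharing over a prime field, and shows that a quorum of stakeholders recovers the secret while any smaller coalition (the CEO plus a shareholder, say) learns nothing, because their shares are consistent with every possible secret. The stakeholder list, the 3-of-5 threshold and the choice of prime are assumptions made for the demonstration.

```python
"""Added example (not from the original post): a k-of-n threshold split of a
master credential among stakeholders, using Shamir's secret sharing over the
prime field GF(P). No stakeholder, the CEO included, can reconstruct the
secret alone; any k-1 shares are consistent with every possible secret.
The stakeholder list, the 3-of-5 threshold and the choice of P are assumptions
made for this demonstration."""

import secrets

P = (1 << 127) - 1  # Mersenne prime 2^127 - 1, the field modulus (assumed)

# Constructed stakeholder list; share x-coordinates are 1..n in this order.
STAKEHOLDERS = ["CEO", "works council", "external auditor",
                "shareholder representative", "regulator"]


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points, x):
    """Lagrange interpolation over GF(P): the unique polynomial of degree
    < len(points) through `points`, evaluated at x."""
    if len({px for px, _ in points}) != len(points):
        raise ValueError("duplicate x-coordinate in points")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split_secret(secret, k, n, rng=None):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    rng = rng or secrets.SystemRandom()  # CSPRNG; never seed this in production
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Reconstruct the secret from at least k distinct shares."""
    return _interpolate(list(shares), 0)


def forge_consistent_share(partial_shares, candidate, x_missing):
    """Given only k-1 genuine shares, compute the share at x_missing that would
    make a quorum reconstruct `candidate`. One exists for every candidate,
    which is exactly why k-1 shares leak nothing about the real secret."""
    points = [(0, candidate)] + list(partial_shares)
    return (x_missing, _interpolate(points, x_missing))


def demo(secret=0xC0FFEE, k=3):
    """Split among STAKEHOLDERS, then show what each coalition can do."""
    shares = split_secret(secret, k, len(STAKEHOLDERS))
    by_name = dict(zip(STAKEHOLDERS, shares))
    quorum = [by_name["works council"], by_name["external auditor"],
              by_name["regulator"]]
    ceo_plus_shareholder = [by_name["CEO"], by_name["shareholder representative"]]
    # With only two shares, the CEO and the shareholder can make the numbers
    # "agree" on any secret they like (here 42), i.e. they have learned nothing.
    forged = forge_consistent_share(ceo_plus_shareholder, 42, x_missing=5)
    return {
        "quorum_recovers": recover_secret(quorum) == secret,
        "two_shares_fit_any_secret":
            recover_secret(ceo_plus_shareholder + [forged]) == 42,
    }


if __name__ == "__main__":
    print(demo())
```

The threshold is the policy knob: 3-of-5 means the CEO and a friendly shareholder still need one of the works council, the auditor or the regulator, and any of those three can be outvoted in turn, which is the reciprocal scrutiny the paragraph above asks for. Note that a real deployment would also authenticate each share holder and log every reconstruction, which this demonstration leaves out.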
The problem, I guess, is cultural: I don't see a security company thinking of giving an underpaid worker, who can be easily corrupted, the power to fire a boss. But if the worker were paid close to his boss's wages, it would ensure more loyalty and less risk of treason.
But, given that most security consultants are paid far more than underpaid workers, by those who have an interest in being overpaid, they have an incentive not to propose a Pokemon kind of Mexican standoff. And so does the industry as a whole, subjected to regulations influenced by lobbies.
And finally we identify the priority 0 threat absent from any threat model: the whole incentivization of the security business, which biases the security model toward a systematic positive bias in favour of the one who pays... whereas he may be the one with the most incentive to betray.