In step 6 you "determine current and desired-state measures." How does referencing MITRE mitigation IDs (e.g. M1030, M1032) strengthen this step?
Listing concrete, catalogued mitigations — like network segmentation (M1030) or multi-factor authentication (M1032) — turns vague intentions into specific, traceable controls mapped to the threats they counter.
Example improvements from the worked exercise include segmenting the main protect-surfaces holding high-value assets (M1030), user access management with multi-factor authentication and single sign-on (M1032/M1036/M1015/M1018), deploying Extended Detection and Response (XDR) with active monitoring across cloud/OT/servers (M1042/M1049/M1050/M1053/M1056), and a cybersecurity incident-response plan. WHY use IDs: they tie each control back to the specific ATT&CK techniques it blocks, so you can show the board exactly which attacker behaviours each euro of investment defeats — defensible, gap-driven prioritization rather than a shopping list.