Threat modeling is a key piece of this, but in the guide I don't call it threat modeling because I have found that the term can freak people out and make them less likely to engage. But yes - the process of understanding what you want to protect, and why, and making informed and prioritized decisions is key.
Intro blog post with Table of Contents available here: