Mark Simos

@markasimos.bsky.social

Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better

528 Followers  |  11 Following  |  393 Posts  |  Joined: 08.11.2024  |  2.1913

Latest posts by markasimos.bsky.social on Bluesky

Security Roles and Glossary | Mark Simos The Open Group just published a standard defining all of the security responsibilities and accountabilities for all roles in an organization - ranging from board members, CEOs, CFOs, security leaders ...

LinkedIn article with more details www.linkedin.com/posts/marksi...

end 🧵

20.11.2025 10:22 — 👍 1    🔁 0    💬 0    📌 0

Security risk is created by business and technology decisions like setting productivity goals that affect system uptime requirements & maintenance windows (preventing or allowing security patches/configurations/etc.), whether and how to interact with business partners, and more.

20.11.2025 10:22 — 👍 1    🔁 0    💬 1    📌 0

Security is part of the fiduciary duty of CEOs, Board of Directors, and other officers, it is part of the daily decisions everyone makes when clicking a link or sharing data/passwords/etc,

20.11.2025 10:22 — 👍 1    🔁 0    💬 1    📌 0

We found that _everyone_ in an organization can make security decisions that impact organizational risk, similar to the way everyone can impact legal, financial, and safety risks.

20.11.2025 10:22 — 👍 1    🔁 1    💬 1    📌 0

The Open Group just published a Security Roles and Glossary standard defining security responsibilities and accountabilities.

publications.opengroup.org/s252
publications.opengroup.org/s253
publications.opengroup.org/s254
publications.opengroup.org/s255

short 🧵with key points...

20.11.2025 10:22 — 👍 1    🔁 0    💬 1    📌 0

Big themes are around AI and agents (no surprise there) but well worth checking out the security and governance for the lifecycle as well as lots of increased visibility, defenses (prompt injection, etc.) throughout the Microsoft portfolio (not just in the security products).

18.11.2025 18:20 — 👍 2    🔁 0    💬 0    📌 0

The Microsoft Ignite Book of News is released.

I highly recommend taking a quick look through it as there is a lot of security news and releases (keyword search had 172 hits on the word security 🙂)

news.microsoft.com/ignite-2025-...

18.11.2025 18:20 — 👍 1    🔁 0    💬 1    📌 0

Does this mean that you should give up? No!

Most criminal threat actors are in it for the money and will move on if the ROI isn't good (or reliable/predictable). For persistent nation states you can still make them spend more, take longer, & get less for each attack

end🧵(rant)

17.11.2025 23:47 — 👍 0    🔁 0    💬 0    📌 0

Whether you face a determined adversary or just opportunistic criminals, threat actors are very unlikely to give up because a single technique didn't work. They will try something else if the first thing didn't work - threat actors are creative, intelligent, and adaptive humans.

17.11.2025 23:47 — 👍 0    🔁 0    💬 1    📌 0

Most attackers are attacking you for a reason or they have a bunch of different exploits/techniques/etc. in their kits.

17.11.2025 23:47 — 👍 0    🔁 0    💬 1    📌 0

I am working on a new antipattern that is a real pet peeve of mine.

I pretty much stop listening after I hear "This attack would have been stopped by..."

short 🧵(rant)

17.11.2025 23:47 — 👍 1    🔁 1    💬 1    📌 0

The whole point of a security team is to make the existing processes, technology, and people more secure - if you don't understand these, you can't protect them.

16.11.2025 23:57 — 👍 0    🔁 0    💬 0    📌 0

There are a few exceptions within the security teams of roles that primarily deal directly with attackers and/or regulators, but most security people should build relationships and people skills to influence, educate, and learn from other roles in the organization.

16.11.2025 23:57 — 👍 0    🔁 0    💬 1    📌 0
diagram showing that most security roles should be interacting with non-security roles.

Security teams cannot operate in isolation and CISOs should not be the only roles who talk to business leaders and other teams.

Most people in a security team should be interacting with non-security people across technology and business teams.

16.11.2025 23:57 — 👍 0    🔁 0    💬 1    📌 0

I found myself using this career advice slide a lot lately and thought I would share it more broadly.

10.11.2025 10:59 — 👍 2    🔁 2    💬 0    📌 0
3.25 Inconceivable
This word does not mean what you think it means

We were tempted to add this to the security glossary definitions, but we reluctantly decided to take it out
(see? standards people have a sense of humor as well 😀)

For more on roles and glossary standard (and others in this body of knowledge), see lnkd.in/gyd-3T39

08.11.2025 16:02 — 👍 0    🔁 0    💬 0    📌 0
Post image 06.11.2025 16:58 — 👍 0    🔁 0    💬 0    📌 0

You can never have perfect security, but you can make them work harder, spend more, get less, and worry about whether their investments will work, and whether their attempts will get them caught.

It's the difference of attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.

06.11.2025 16:58 — 👍 0    🔁 0    💬 1    📌 0

Attackers want cheap, easy, and reliable access to your assets. The job of defenders is to take those away from them.

Everything in security is about removing the cheap, easy, and reliable options from the threat actor menu.

06.11.2025 16:58 — 👍 0    🔁 0    💬 1    📌 0
Security and Zero Trust at The Open Group This article provides an overview of resources available from The Open Group you can use to: Improve or transform security at your organization Plan and accelerate your security career We have found t...

Links to the currently released draft of the reference model standard (and others) in this article www.linkedin.com/pulse/securi...
If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - www.opengroup.org/our-members

end 🧵

05.11.2025 16:30 — 👍 0    🔁 0    💬 0    📌 0
Microsoft Cybersecurity Reference Architectures (MCRA) Detailed technical reference architectures for multicloud cybersecurity including Microsoft and third party platforms

Slides for the existing Security Operations (SecOps/SOC) and Identity and Adaptive Access Management (IAAM) capabilities and ABBs are included in the MCRA along with mappings to Microsoft technology. aka.ms/mcra

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

◼️ We had to get into organizational design approaches to ensure a coherent and integrated approach to security across all roles. It's been a long time since most organizations have integrated a new org-wide function that changes all roles (OT/IT tech in the 1960s+ was the last)

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

◼️ Security SIG is a challenging and complex discipline with many parts. SIG is a modernization of classic GRC focused on an _integrated_ support function of the organization's GRC (reducing focus on compliance as primary/only source of requirements in classic security)

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

Couple key insights:
◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

We focused on crafting the capabilities and enabling architecture building blocks (ABBs) for Security Strategy, Integration, and Governance (SIG), Security Posture Management, Privileged Access and High Value Assets (which we are starting to call PAHVA :-), and a few others.

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

We spent some time working on security capabilities for the next revision of the Zero Trust Reference Model standard at The Open Group conference

short 🧵 with some updates and insights

05.11.2025 16:30 — 👍 1    🔁 0    💬 1    📌 0
People Matter - Security Operations Roles This is proposed text I am working on for Security Operations (SecOps/SOC) roles and responsibilities for the upcoming security roles and glossary standard from The Open Group. See this webinar record...

This list of roles was contributed to the upcoming Security Roles and Glossary standard from The Open Group to make them broadly available to all. For more information, see this article - www.linkedin.com/pulse/people...

end 🧵

02.11.2025 13:46 — 👍 0    🔁 0    💬 0    📌 0
Zero Trust Overview and Playbook Introduction: Guidance for business, security, and technology leaders and practitioners [Simos, Mark, Kumar, Nikhil, Johnson, Ann]

This came up as I was writing some text for the SecOps playbook on the impact of Zero Trust, AI, post-quantum, etc.

The first book of the series is published and available at www.amazon.com/dp/1800568665

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

We must be thoughtful as we determine what to automate with AI and any other technology to ensure that our short term gains don't lead to a higher long-term cost.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

2. institutional knowledge (e.g. someone that actually understands the system/history/etc. to add context to decisions)
3. human skills (which atrophy if not used).

A fully automated system can be very efficient and effective, but also very fragile.

02.11.2025 13:46 — 👍 1    🔁 0    💬 1    📌 0
