
Mark Simos

@markasimos.bsky.social

Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better

530 Followers  |  11 Following  |  379 Posts  |  Joined: 08.11.2024  |  2.1929

Latest posts by markasimos.bsky.social on Bluesky


I found myself using this career advice slide a lot lately and thought I would share it more broadly.

10.11.2025 10:59 — 👍 2    🔁 2    💬 0    📌 0
3.25 Inconceivable: This word does not mean what you think it means

We were tempted to add this to the security glossary definitions, but we reluctantly decided to take it out
(see? standards people have a sense of humor as well 😀)

For more on roles and glossary standard (and others in this body of knowledge), see lnkd.in/gyd-3T39

08.11.2025 16:02 — 👍 0    🔁 0    💬 0    📌 0
06.11.2025 16:58 — 👍 0    🔁 0    💬 0    📌 0

You can never have perfect security, but you can make them work harder, spend more, get less, and worry about whether their investments will work, and whether their attempts will get them caught.

It's the difference of attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.

06.11.2025 16:58 — 👍 0    🔁 0    💬 1    📌 0

Attackers want cheap, easy, and reliable access to your assets. The job of defenders is to take those away from them.

Everything in security is about removing the cheap, easy, and reliable options from the threat actor menu.

06.11.2025 16:58 — 👍 0    🔁 0    💬 1    📌 0
Security and Zero Trust at The Open Group This article provides an overview of resources available from The Open Group you can use to: Improve or transform security at your organization Plan and accelerate your security career We have found t...

Links to the currently released draft of the reference model standard (and others) in this article www.linkedin.com/pulse/securi...
If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - www.opengroup.org/our-members

end 🧵

05.11.2025 16:30 — 👍 0    🔁 0    💬 0    📌 0
Microsoft Cybersecurity Reference Architectures (MCRA) Detailed technical reference architectures for multicloud cybersecurity including Microsoft and third party platforms

Slides for the existing Security Operations (SecOps/SOC) and Identity and Adaptive Access Management (IAAM) capabilities and ABBs are included in the MCRA along with mappings to Microsoft technology. aka.ms/mcra

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

◼️ We had to get into organizational design approaches to ensure a coherent and integrated approach to security across all roles. It's been a long time since most organizations have integrated a new org-wide function that changes all roles (OT/IT tech in the 1960s+ was the last)

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

◼️ Security SIG is a challenging and complex discipline with many parts. SIG is a modernization of classic GRC focused on an _integrated_ support function of the organization's GRC (reducing focus on compliance as primary/only source of requirements in classic security)

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

A couple of key insights:
◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

We focused on crafting the capabilities and enabling architecture building blocks (ABBs) for Security Strategy, Integration, and Governance (SIG), Security Posture Management, Privileged Access and High Value Assets (which we are starting to call PAHVA :-), and a few others.

05.11.2025 16:30 — 👍 0    🔁 0    💬 1    📌 0

We spent some time working on security capabilities for the next revision of the Zero Trust Reference Model standard at The Open Group conference

short 🧵 with some updates and insights

05.11.2025 16:30 — 👍 1    🔁 0    💬 1    📌 0
People Matter - Security Operations Roles This is proposed text I am working on for Security Operations (SecOps/SOC) roles and responsibilities for the upcoming security roles and glossary standard from The Open Group. See this webinar record...

This list of roles was contributed to the upcoming Security Roles and Glossary standard from The Open Group to make them broadly available to all. For more information, see this article - www.linkedin.com/pulse/people...

end 🧵

02.11.2025 13:46 — 👍 0    🔁 0    💬 0    📌 0
Zero Trust Overview and Playbook Introduction: Guidance for business, security, and technology leaders and practitioners [Simos, Mark, Kumar, Nikhil, Johnson, Ann] on Amazon.com.

This came up as I was writing some text for the SecOps playbook on the impact of Zero Trust, AI, post-quantum, etc.

The first book of the series is published and available at www.amazon.com/dp/1800568665

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

We must be thoughtful as we determine what to automate with AI and any other technology to ensure that our short term gains don't lead to a higher long-term cost.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

2. institutional knowledge (e.g. someone that actually understands the system/history/etc. to add context to decisions)
3. human skills (which atrophy if not used).

A fully automated system can be very efficient and effective, but also very fragile.

02.11.2025 13:46 — 👍 1    🔁 0    💬 1    📌 0

Additionally, you may not want to automate all tasks fully. Automation dramatically increases efficiency and reduces cost in the short term, but does so at the cost of
1. human critical thinking (very important for SecOps analysts who deal with active human adversaries)

02.11.2025 13:46 — 👍 1    🔁 0    💬 1    📌 0

The _job tasks_ (or their subtasks) are what can actually be automated by AI, scripts, and other means. You can't automate the function unless all the tasks are automated and you can't automate a role unless all the role functions are fully automated.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

The job function of 'Investigate and remediate higher complexity attacks' is accomplished by tasks like looking for the source of the attacks, identifying the scope of the attack, determining the identity and goals of the attacker, documenting learnings, etc.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

For example, a SecOps Investigation (Tier 2) analyst role performs multiple job functions including 'Investigate and remediate higher complexity attacks', 'Analyze incident impact and root cause', and more.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

◼️ Those job functions are actually composed of one or more (usually more) tasks that are specific, concrete, and repeatable (like buttons, cloth, dyes, etc.) - though they vary by organization on how they implement the job function.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

◼️ A role is just a bag of related job functions, like a suitcase with clothes.
◼️ The job functions themselves (clothes) are what matter as they provide a clear outcome for an organization that is worth paying for.

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0

One thing that has been bugging me about this whole "AI replacing jobs" topic is that the discussion is too sloppy to reach a meaningful understanding or conclusion.

This post is a bit pedantic, but I have a reason for the details so bear with me :-)
a 🧵

02.11.2025 13:46 — 👍 0    🔁 0    💬 1    📌 0
Security and Zero Trust Body of Knowledge

Composed of:
Zero Trust Commandments 
Security Principles for Architecture
Zero Trust Reference Model 
Security Roles and Glossary
Security Matrix
Open FAIR™
Zero Trust Implementation Guide
Enterprise Risk Integration

Purpose: Enable effective security in a modern organization:
Modernize - Update security with Zero Trust approach:
Security is part of everyone’s job: show how to integrate security into an organization's business and technical operating models and processes
Assets must be protected wherever they are: show how to integrate asset-centric approaches across security
Rationalize - Reconcile and relate existing industry guidance + fill in gaps
Organize - connect and relate different aspects of security to each other (roles and responsibilities, principles, capabilities, architecture building blocks, governance, etc.)

Availability: Some components published, some in development. 
Links at Security and Zero Trust at The Open Group


On Monday in Houston, I am presenting the Security and Zero Trust body of knowledge + first release of the new Security Roles and Glossary standard.

I will post slides afterward, but sharing this sneak peek of the session with the overarching goals of the standards in this body of knowledge

01.11.2025 12:39 — 👍 0    🔁 0    💬 0    📌 0

Some tools like Microsoft Defender for Endpoint provide alerts for SecOps/SOC to respond to, data protections, vulnerability information for security posture management, signals that inform conditional access decisions (Access and Identity), and more.

Thoughts? Feedback?

31.10.2025 13:26 — 👍 0    🔁 0    💬 0    📌 0

Additionally, some controls and tools support multiple technical strategies such as full disk encryption protecting credentials and OS binaries as well as data.

31.10.2025 13:26 — 👍 0    🔁 0    💬 1    📌 0

For example, data security discipline focuses on protecting data wherever it is & goes. Data controls aren't enough - you also need endpoint controls like full disk encryption and patching, application controls like RBAC models and encryption, network controls like DLP, and more.

31.10.2025 13:26 — 👍 0    🔁 0    💬 1    📌 0

The disciplines focus on a coherent strategy and supporting processes/architecture whereas the technical pillars focus on the assets and technical controls for those assets.

31.10.2025 13:26 — 👍 0    🔁 0    💬 1    📌 0

You may note that some technologies are both a technical discipline and a technology pillar. That is intentional because we found it was important to differentiate between the technical strategy disciplines vs. the technology pillars.

31.10.2025 13:26 — 👍 0    🔁 0    💬 1    📌 0

Main changes:
1. Split infrastructure & development security disciplines
2. Add Security Posture Management for left of bang to complement the right of bang SecOps/SOC discipline
3. Categorize each discipline - Planning and Oversight, Technical Strategy, or Operational Discipline

31.10.2025 13:26 — 👍 0    🔁 0    💬 1    📌 0
