Mark Simos
@markasimos.bsky.social
Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better
I found myself using this career advice slide a lot lately and thought I would share it more broadly.
November 10, 2025 at 11:00 AM
We were tempted to add this to the security glossary definitions, but we reluctantly decided to take it out
(see? standards people have a sense of humor as well 😀)
For more on roles and glossary standard (and others in this body of knowledge), see lnkd.in/gyd-3T39
November 8, 2025 at 4:02 PM
Attackers want cheap, easy, and reliable access to your assets. The job of defenders is to take those away from them.
Everything in security is about removing the cheap, easy, and reliable options from the threat actor menu.
November 6, 2025 at 4:58 PM
We spent some time working on security capabilities for the next revision of the Zero Trust Reference Model standard at The Open Group conference
short 🧵 with some updates and insights
November 5, 2025 at 4:30 PM
One thing that has been bugging me about this whole "AI replacing jobs" topic is that the discussion is too sloppy to reach a meaningful understanding or conclusion.
This post is a bit pedantic, but I have a reason for the details so bear with me :-)
a 🧵
November 2, 2025 at 1:46 PM
On Monday in Houston, I am presenting the Security and Zero Trust body of knowledge + first release of the new Security Roles and Glossary standard.
I will post slides afterward, but sharing this sneak peek of the session with the overarching goals of the standards in this body of knowledge
November 1, 2025 at 12:39 PM
We’re working on updating the disciplines of the Microsoft Security Adoption Framework (SAF) and wanted to get your feedback
Current guidance is on aka.ms/SAF
a 🧵
October 31, 2025 at 1:26 PM
I will be speaking in person in Houston at The Open Group Event in Houston next week!
We will be formally announcing some new security standards and hope to see you there!
meet.opengroup.org/event/Housto...
October 31, 2025 at 12:06 AM
Security Posture Management is often the forgotten discipline in the cybersecurity profession.
a 🧵
October 28, 2025 at 10:38 AM
Security success is attacker failure, but we can never guarantee that we can stop every attack.
Because you will inevitably experience damage from successful cybersecurity attacks, it's critical to focus on building resilience by ensuring that you can:
October 26, 2025 at 6:27 PM
I spend many of my working hours building workshops (MCRA, CISO Workshop, and others in the SAF) to help organizations guide their security modernization journey with learnings and best practices from Microsoft and our customers.
October 21, 2025 at 2:08 PM
Should IT teams let security professionals patch and reboot your servers anytime they want?
Should security professionals be able to update your code and deploy it anytime they want?
October 20, 2025 at 11:28 PM
One type of role really stood out from all of the others as we standardized security responsibilities and accountabilities across all roles in an organization.
The Information Worker/Frontline Worker (marked with a star) is the heart and core of the organization
rant/🧵
October 19, 2025 at 6:17 PM
Security success is attacker failure, but we can never guarantee that we can stop every attack.
Because you will inevitably experience damage from successful cybersecurity attacks, it's critical to focus on building resilience by ensuring that you can:
(1/2)
October 15, 2025 at 2:48 AM
I recently created this graphic on how securing AI is different from classic (deterministic) code.
Thoughts? Feedback?
October 8, 2025 at 6:31 PM
I recently created this slide to tell the story of the different eras of security as the world (and security/tech industry) woke up to the different dimensions of security
Thoughts? Feedback? Memories?
short 🧵
October 5, 2025 at 2:26 PM
I had a great time presenting the MCRA at BSides St. Pete!
Great conference, great community, really enjoyed it!
October 4, 2025 at 9:37 PM
Just wrapped up my 4 hour training at BSides St. Pete. Great conversations with seasoned pros, career changers, new to industry, and students.
This is a new slide I created this morning for the class that really encapsulates what it takes to be a whole security professional.
October 3, 2025 at 9:54 PM
One of the interesting things we learned as we defined standard jobs/roles for the Zero Trust Playbook series and The Open Group standard for the Security Roles and Glossary is the nature of _what a role really is_.
a short 🧵
September 27, 2025 at 1:03 PM
Security doesn’t get better until we correct our underlying broken assumptions
short 🧵
September 24, 2025 at 8:43 PM
Want 4 hours of training on security roles and careers for a buck!?!?
Join me for a half day training session at BSides St. Pete (near Tampa FL) on Friday October 3
bsides-st-pete.sessionize.com/schedule
September 21, 2025 at 10:19 PM
Security isn't just the security team's job.
This became extremely clear to me during work on the security matrix standard when we broke attacks down to these two fundamental types of attack techniques:
a 🧵
September 20, 2025 at 12:02 PM
Wanna see MCRA live?
Saturday 4 October at BSides St. Pete (near Tampa)
bsides-st-pete.sessionize.com/session/968974
Looking forward to seeing you there!
September 18, 2025 at 10:48 PM
If a CISO says “I accept the risk”, your security has already failed (but not necessarily for the reason you think)
www.linkedin.com/pulse/securi...
a short 🧵
September 16, 2025 at 5:40 PM
I recently created a slide on cybersecurity industry maturity.
It shows the aim of The Open Group work to drive clarity with definitions of durable outcomes, common roles, accountability/responsibility, glossary, etc.
This article has more information - www.linkedin.com/pulse/securi...
September 14, 2025 at 4:09 PM