Mark Simos
@markasimos.bsky.social
Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better
I found myself using this career advice slide a lot lately and thought I would share it more broadly.
November 10, 2025 at 11:00 AM
We were tempted to add this to the security glossary definitions, but we reluctantly decided to take it out
(see? standards people have a sense of humor as well 😀)
For more on roles and glossary standard (and others in this body of knowledge), see lnkd.in/gyd-3T39
November 8, 2025 at 4:02 PM
One thing that has been bugging me about this whole "AI replacing jobs" topic is that the discussion is too sloppy to reach a meaningful understanding or conclusion.
This post is a bit pedantic, but I have a reason for the details so bear with me :-)
a 🧵
November 2, 2025 at 1:46 PM
On Monday in Houston, I am presenting the Security and Zero Trust body of knowledge + first release of the new Security Roles and Glossary standard.
I will post slides afterward, but sharing this sneak peek of the session with the overarching goals of the standards in this body of knowledge
November 1, 2025 at 12:39 PM
We’re working on updating the disciplines of the Microsoft Security Adoption Framework (SAF) and wanted to get your feedback
Current guidance is on aka.ms/SAF
a 🧵
October 31, 2025 at 1:26 PM
I will be speaking in person in Houston at The Open Group Event in Houston next week!
We will be formally announcing some new security standards and hope to see you there!
meet.opengroup.org/event/Housto...
October 31, 2025 at 12:06 AM
Security success is attacker failure, but we can never guarantee that we can stop every attack.
Because you will inevitably experience damage from successful cybersecurity attacks, it's critical to focus on building resilience by ensuring that you can:
October 26, 2025 at 6:27 PM
I spend many of my working hours building workshops (MCRA, CISO Workshop, and others in the SAF) to help organizations guide their security modernization journey with learnings and best practices from Microsoft and our customers.
October 21, 2025 at 2:08 PM
One type of role really stood out from all of the others as we standardized security responsibilities and accountabilities across all roles in an organization.
The Information Worker/Frontline Worker (marked with a star) is the heart and core of the organization
rant/🧵
October 19, 2025 at 6:17 PM
Security success is attacker failure, but we can never guarantee that we can stop every attack.
Because you will inevitably experience damage from successful cybersecurity attacks, it's critical to focus on building resilience by ensuring that you can:
(1/2)
October 15, 2025 at 2:48 AM
I recently created this graphic on how securing AI is different from classic (deterministic) code.
Thoughts? Feedback?
October 8, 2025 at 6:31 PM
I recently created this slide to tell the story of the different eras of security as the world (and security/tech industry) woke up to the different dimensions of security
Thoughts? Feedback? Memories?
short 🧵
October 5, 2025 at 2:26 PM
I had a great time presenting the MCRA at BSides St. Pete!
Great conference, great community, really enjoyed it!
October 4, 2025 at 9:37 PM
Just wrapped up my 4 hour training at BSides St. Pete. Great conversations with seasoned pros, career changers, new to industry, and students.
This is a new slide I created this morning for the class that really encapsulates what it takes to be a whole security professional.
October 3, 2025 at 9:54 PM
What a person does for their role varies a lot (more as generalist vs. fewer as a specialist). This specialization varies depending on the team size, what the organization can afford to invest in, talent available in local market, etc.
As these change the job will also evolve.
September 27, 2025 at 1:03 PM
A role is really a bundle of similar/related job functions that you would logically assign to one person (or many people doing the same job).
September 27, 2025 at 1:03 PM
One of the interesting things we learned as we defined standard jobs/roles for the Zero Trust Playbook series and The Open Group standard for the Security Roles and Glossary is the nature of _what a role really is_.
a short 🧵
September 27, 2025 at 1:03 PM
Security doesn’t get better until we correct our underlying broken assumptions
short 🧵
September 24, 2025 at 8:43 PM
Want 4 hours of training on security roles and careers for a buck!?!?
Join me for a half day training session at BSides St. Pete (near Tampa FL) on Friday October 3
bsides-st-pete.sessionize.com/schedule
September 21, 2025 at 10:19 PM
Security isn't just the security team's job.
This became extremely clear to me during work on the security matrix standard when we broke attacks down to these two fundamental types of attack techniques:
a 🧵
September 20, 2025 at 12:02 PM
Wanna see MCRA live?
Saturday 4 October at BSides St. Pete (near Tampa)
bsides-st-pete.sessionize.com/session/968974
Looking forward to seeing you there!
September 18, 2025 at 10:48 PM
We also included a part in this standard describing an effective relationship between accountable and responsible parties as this is often misunderstood or misinterpreted.
www.linkedin.com/pulse/securi...
September 16, 2025 at 5:40 PM
If a CISO says “I accept the risk”, your security has already failed (but not necessarily for the reason you think)
www.linkedin.com/pulse/securi...
a short 🧵
September 16, 2025 at 5:40 PM
I recently created a slide on cybersecurity industry maturity.
It shows the aim of The Open Group work to drive clarity with definitions of durable outcomes, common roles, accountability/responsibility, glossary, etc.
This article has more information - www.linkedin.com/pulse/securi...
September 14, 2025 at 4:09 PM