Mark Simos
@markasimos.bsky.social
Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better
You can never have perfect security, but you can make them work harder, spend more, get less, and worry about whether their investments will work, and whether their attempts will get them caught.
It's the difference of attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.
It's the difference of attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.
November 6, 2025 at 4:58 PM
You can never have perfect security, but you can make them work harder, spend more, get less, and worry about whether their investments will work, and whether their attempts will get them caught.
It's the difference of attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.
It's the difference of attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.
Links to the currently released draft of the reference model standard (and others) in this article www.linkedin.com/pulse/securi...
If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - www.opengroup.org/our-members
end 🧵
If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - www.opengroup.org/our-members
end 🧵
Security and Zero Trust at The Open Group
This article provides an overview of resources available from The Open Group you can use to: Improve or transform security at your organization Plan and accelerate your security career We have found t...
www.linkedin.com
November 5, 2025 at 4:30 PM
Links to the currently released draft of the reference model standard (and others) in this article www.linkedin.com/pulse/securi...
If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - www.opengroup.org/our-members
end 🧵
If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - www.opengroup.org/our-members
end 🧵
Slides for the existing Security Operations (SecOps/SOC) and Identity and Adaptive Access Management (IAAM) capabilities and ABBs are included in the MCRA along with mappings to Microsoft technology. aka.ms/mcra
Microsoft Cybersecurity Reference Architectures (MCRA)
Detailed technical reference architectures for multicloud cybersecurity including Microsoft and third party platforms
aka.ms
November 5, 2025 at 4:30 PM
Slides for the existing Security Operations (SecOps/SOC) and Identity and Adaptive Access Management (IAAM) capabilities and ABBs are included in the MCRA along with mappings to Microsoft technology. aka.ms/mcra
◼️ We had to get into organizational design approaches to ensure a coherent and integrated approach to security across all roles. It's been a long time since most organizations have integrated a new org-wide function that changes all roles (OT/IT tech in the 1960s+ was the last)
November 5, 2025 at 4:30 PM
◼️ We had to get into organizational design approaches to ensure a coherent and integrated approach to security across all roles. It's been a long time since most organizations have integrated a new org-wide function that changes all roles (OT/IT tech in the 1960s+ was the last)
◼️ Security SIG is a challenging and complex discipline with many parts. SIG is a modernization of classic GRC focused on an _integrated_ support function of the organization's GRC (reducing focus on compliance as primary/only source of requirements in classic security)
November 5, 2025 at 4:30 PM
◼️ Security SIG is a challenging and complex discipline with many parts. SIG is a modernization of classic GRC focused on an _integrated_ support function of the organization's GRC (reducing focus on compliance as primary/only source of requirements in classic security)
Couple key insights:
◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.
◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.
November 5, 2025 at 4:30 PM
Couple key insights:
◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.
◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.
We focused on crafting the capabilities and enabling architecture building blocks (ABBs) for Security Strategy, Integration, and Governance (SIG), Security Posture Management, Privileged Access and High Value Assets (which we are starting to call PAHVA :-), and a few others.
November 5, 2025 at 4:30 PM
We focused on crafting the capabilities and enabling architecture building blocks (ABBs) for Security Strategy, Integration, and Governance (SIG), Security Posture Management, Privileged Access and High Value Assets (which we are starting to call PAHVA :-), and a few others.
This list of roles were contributed to the upcoming Security Roles and Glossary standard from The Open Group to make them broadly available to all. For more information , see this article - www.linkedin.com/pulse/people...
end 🧵
end 🧵
People Matter - Security Operations Roles
This is proposed text I am working on for Security Operations (SecOps/SOC) roles and responsibilities for the upcoming security roles and glossary standard from The Open Group. See this webinar record...
www.linkedin.com
November 2, 2025 at 1:46 PM
This list of roles were contributed to the upcoming Security Roles and Glossary standard from The Open Group to make them broadly available to all. For more information , see this article - www.linkedin.com/pulse/people...
end 🧵
end 🧵
This came up as I was writing some text for the SecOps playbook on the impact of Zero Trust, AI, post-quantum, etc.
The first book of the series is published and available at www.amazon.com/dp/1800568665
The first book of the series is published and available at www.amazon.com/dp/1800568665
Zero Trust Overview and Playbook Introduction: Guidance for business, security, and technology leaders and practitioners
Zero Trust Overview and Playbook Introduction: Guidance for business, security, and technology leaders and practitioners [Simos, Mark, Kumar, Nikhil, Johnson, Ann] on Amazon.com. *FREE* shipping on qualifying offers. Zero Trust Overview and Playbook Introduction: Guidance for business, security, and technology leaders and practitioners
www.amazon.com
November 2, 2025 at 1:46 PM
This came up as I was writing some text for the SecOps playbook on the impact of Zero Trust, AI, post-quantum, etc.
The first book of the series is published and available at www.amazon.com/dp/1800568665
The first book of the series is published and available at www.amazon.com/dp/1800568665
We must be thoughtful as we determine what to automate with AI and any other technology to ensure that our short term gains don't lead to a higher long-term cost.
November 2, 2025 at 1:46 PM
We must be thoughtful as we determine what to automate with AI and any other technology to ensure that our short term gains don't lead to a higher long-term cost.
2. institutional knowledge (e.g. someone that actually understands the system/history/etc. to add context to decisions)
3. human skills (which atrophy if not used).
A fully automated system can be very efficient and effective, but also very fragile.
3. human skills (which atrophy if not used).
A fully automated system can be very efficient and effective, but also very fragile.
November 2, 2025 at 1:46 PM
2. institutional knowledge (e.g. someone that actually understands the system/history/etc. to add context to decisions)
3. human skills (which atrophy if not used).
A fully automated system can be very efficient and effective, but also very fragile.
3. human skills (which atrophy if not used).
A fully automated system can be very efficient and effective, but also very fragile.
Additionally, you may not want to automate all tasks fully. Automation dramatically increases efficiency and reduces cost in the short term, but does so at the cost of
1. human critical thinking (very important for SecOps analyst that deals with active human adversaries)
1. human critical thinking (very important for SecOps analyst that deals with active human adversaries)
November 2, 2025 at 1:46 PM
Additionally, you may not want to automate all tasks fully. Automation dramatically increases efficiency and reduces cost in the short term, but does so at the cost of
1. human critical thinking (very important for SecOps analyst that deals with active human adversaries)
1. human critical thinking (very important for SecOps analyst that deals with active human adversaries)
The _job tasks_ (or their subtasks) are what can actually be automated by AI, scripts, and other means. You can't automate the function unless all the tasks are automated and you can't automate a role unless all the role functions are fully automated.
November 2, 2025 at 1:46 PM
The _job tasks_ (or their subtasks) are what can actually be automated by AI, scripts, and other means. You can't automate the function unless all the tasks are automated and you can't automate a role unless all the role functions are fully automated.
The job function of 'Investigate and remediate higher complexity attacks' is accomplished by tasks like looking for the source of the attacks, identifying the scope of the attack, determining the identity and goals of the attacker, documenting learnings, etc.
November 2, 2025 at 1:46 PM
The job function of 'Investigate and remediate higher complexity attacks' is accomplished by tasks like looking for the source of the attacks, identifying the scope of the attack, determining the identity and goals of the attacker, documenting learnings, etc.
For example, a SecOps Investigation (Tier 2) analyst role performs multiple job functions including 'Investigate and remediate higher complexity attacks',
'Analyze incident impact and root cause', and more.
'Analyze incident impact and root cause', and more.
November 2, 2025 at 1:46 PM
For example, a SecOps Investigation (Tier 2) analyst role performs multiple job functions including 'Investigate and remediate higher complexity attacks',
'Analyze incident impact and root cause', and more.
'Analyze incident impact and root cause', and more.
◼️ Those job functions are actually composed of one or more (usually more) tasks that are specific, concrete, and repeatable (like buttons, cloth, dyes, etc.) - though they vary by organization on how they implement the job function.
November 2, 2025 at 1:46 PM
◼️ Those job functions are actually composed of one or more (usually more) tasks that are specific, concrete, and repeatable (like buttons, cloth, dyes, etc.) - though they vary by organization on how they implement the job function.
◼️ A role is just a bag of related job functions, like a suitcase with clothes.
◼️ The job functions themselves (clothes) are what matter as they provide a clear outcome for an organization that is worth paying for.
◼️ The job functions themselves (clothes) are what matter as they provide a clear outcome for an organization that is worth paying for.
November 2, 2025 at 1:46 PM
◼️ A role is just a bag of related job functions, like a suitcase with clothes.
◼️ The job functions themselves (clothes) are what matter as they provide a clear outcome for an organization that is worth paying for.
◼️ The job functions themselves (clothes) are what matter as they provide a clear outcome for an organization that is worth paying for.
Some tools like Microsoft Defender for Endpoint provide alerts for SecOps/SOC to respond to, data protections, vulnerability information for security posture management, signals that inform conditional access decisions (Access and Identity), and more.
Thoughts? Feedback?
Thoughts? Feedback?
October 31, 2025 at 1:26 PM
Some tools like Microsoft Defender for Endpoint provide alerts for SecOps/SOC to respond to, data protections, vulnerability information for security posture management, signals that inform conditional access decisions (Access and Identity), and more.
Thoughts? Feedback?
Thoughts? Feedback?