| Mark's List | https://aka.ms/markslist |
What does a CEO need to know about cybersecurity?
See the (draft) Security Roles and Glossary standard for what knowledge, skills, & abilities are required of CEOs, board members, and other leaders (as well as accountabilities, fiduciary duty, & more).
If you break the Spider-Man rule, you don’t have governance... you have a scapegoat.
*With great (decision-making) power comes great accountability*
Many organizations get this completely wrong because they think that security is a technical problem to be fixed (a misperception that is reinforced by security people's behaviors). Most good CISOs have figured out how to detect and avoid those organizations.
The Security Roles and Glossary standard has a structured template to fix this problem.
It starts by mapping the security obligations for each fiduciary duty for Boards, then the resulting accountabilities for business leaders (and IT folks who manage the technology assets), and security responsibilities for CISO’s, security operations, etc.
It even includes a dedicated document (part 2) describing how both accountable parties (CEOs, etc.) responsible parties (CISOs, etc.) should work together effectively.
The first draft of the standard is published for free and available at https://publications.opengroup.org/s252
Cybersecurity is often incorrectly perceived as a 'technical problem' that can be 'solved' (it isn't!) by business leaders and others.
*Security is an ongoing risk that requires ongoing work.*
This misperception is often accidentally created or reinforced by the security team.
If CISOs and security leaders communicate security in technical terms (via metrics, choice of words, budget justification, etc.), then business leaders will naturally expect it's a technical 'problem (to be solved one time with installation of prevention measures) and not an ongoing business risk/force to be managed.
There are several techniques to correct this misperception:
- Educating leaders with clear storytelling that describes cybersecurity as crime and espionage on computers (which it is) that clearly requires keeping up with human adversaries
- Intentionally avoiding technical and 'one-time' language (problems and solutions, etc.) in the words and phrases you use to talk about security.
- Relate security to something they already know
a. Financial terms - Quantify cyber risk using Open FAIR™ or other methods to clearly frames security and its impact in familiar financial terms (but be careful not to devalue human life, safety, health, etc. impacts that go well beyond financial risk).
b. Fiduciary duty - Relate how security is part of the legal obligation that organizational leaders have to act in the best interest of the shareholders (owners) of the organization. Threat actors can damage the interests of those shareholders and business assets, so those leaders have an obligation to implement effective security management. Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.
The fiduciary duty and accountability obligations associated with security are documented in the Security Roles and Glossary Standard Parts 2 and 3.1 - https://publications.opengroup.org/s252 (draft standard, feedback is welcome). Some more description of this standard is at https://www.linkedin.com/pulse/security-roles-glossary-mark-simos-uctze/
The Open FAIR™ standards are at https://publications.opengroup.org/t230
Think security can do it all on our own?
WRONG!
We must recognize that we are part of a larger team and each of us has a different part to play in protecting the organization.
We must also recognize that each of us is paid differently - we have different incentive/reward structures that are required for our roles and our bosses. What motivates each of us is different, but we have a lot of common ground.
We also must recognize that we all bring different skills and specialized knowledge to the table. Cybersecurity is a complex discipline, but so is prescribing medicine, finding a vein to inject that medicine, choosing material for a bridge to withstand hurricane force winds, testing new chemical formulas for aircraft lubricants, and many others.
Want to lead Zero Trust marketing at Microsoft?
https://apply.careers.microsoft.com/careers/job/1970393556817884
Partner with Product Management and Engineering to shape the Zero Trust for AI product strategy, roadmap alignment, and customer-facing vision. * Lead cross-portfolio Zero Trust messaging and positioning, ensuring consistent storytelling across identity, endpoint, data, network, SecOps, and AI. * Own and evolve the Zero Trust Assessment Tool and workshop marketing, supporting coverage across additional pillars and ensuring narrative, technical, and experiential consistency. * Create compelling, customer-centric content across multiple formats, including blogs, demos, videos, FAQs, presentations, and field enablement assets. Minimum Qualifications Master's Degree in in Marketing, Computer Science, Business or related field AND 3+ years experience in business OR Bachelor's Degree in Marketing, Computer Science, Business or related field AND 5+ years experience in business OR equivalent experience. Preferred Qualifications * Bachelor's Degree AND 8+ years of business experience OR master's Degree AND 6+ years of business experience OR equivalent experience. * Experience with security solutions and/or adjacent enterprise SaaS platforms. * Strong understanding of Zero Trust architecture and modern security principles across identity, endpoint, network, data, and SecOps. * Working knowledge of AI security considerations, including agentic workflows, model governance, and secure-by-design practices. * Proven ability to translate complex technical concepts into clear, executive-ready customer content. * Demonstrated success collaborating across functions and solution areas, including deep partnership with other Product Marketing Managers. * Executive communication and storytelling skills, with comfort presenting to senior leaders, customers, and external audiences. Product Marketing IC4 - The typical base pay range for this role across the U.S. is USD $106,400 - $203,600 per year. There is a different range applicable to specific work locations, within the San Francisco Bay area and New York City metropolitan area, and the base pay range for this role in those locations is USD $137,600 - $222,600 per year. Certain roles may be eligible for benefits and other compensation.
The video for my 'What's my job again' talk from BSides Tampa has posted
I covered who does security work in an organization (and who should be doing it) - focused on direct hard-hitting advice across a bunch of topics including antipatterns (common mistakes) and tips for risk management, career management, accountability structure across business/technology/security teams, and much more.
This talk is based on the security roles (and glossary) standard from The Open Group that defines security roles, security accountabilities on business and technology teams, and what happens if any of those 'jobs to be done' isn't being done. This standard covers 72 roles across security, technology, and business teams), up to and including the jobs of CEOs and Board members.
Video - https://www.youtube.com/watch?v=uVAAv-mvPeM
Roles standard - https://publications.opengroup.org/s252
Ever been tempted to call people "stupid users" because they make a basic security or technology mistake?
I would advise against saying this and encourage you to change your thinking patterns. We need to respect the skills and knowledge of other professionals and remember that their basic skills and our basic skills are very different.
I know a lot about cybersecurity, but you don't want me to do 'basic' medical tasks like finding a vein in your arm to inject medicine, designing a 'simple' bridge for people to drive over, mixing a 'simple' chemical formula, or any number of other 'basic' tasks in a different profession.
If we think people should have basic cybersecurity knowledge (and we need them to!), we must take the time to talk to them in _their_ language.
We need to explain things by making analogies to similar common things they already know (fire prevention, kids safety, etc.) or professional things they already know (safety briefings in the petroleum industry, liability in the legal industry, etc.) so its clear and easy to them.
We must respect other professions and professionals the way we want to be respected as cybersecurity professionals. We are just people trying to do our jobs and so are they.
Pursuing perfect solutions is a perfect waste
There is no such thing as a single “silver bullet” solution that solves everything in security (despite what any security vendors may claim ☺).
Classic security approaches often focus on a perfect end state of compliance, a perfect network configuration, or a “perfect new tool” that fixes everything as their ideal end state. Regulatory standards can’t keep up with attackers, network security perimeters aren’t enough, and no single tool or technology can stop determined human adversaries.
Building security resilience is a journey of many steps and learnings, not a single plane flight to a predetermined destination. While we all wish there was a simple shortcut for security, the businesses and technical estates we defend are complex. No single solution will ever keep business assets safe from every creative attacker and their learnings/evolution.
From Chapter 6 (How to Scope, Size, and Start Zero Trust) / Page 78 of https://www.amazon.com/Zero-Trust-Overview-Playbook-Introduction/dp/1800568665
