Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better
Mark's List - https://aka.ms/markslist

What does a CEO need to know about cybersecurity?

See the (draft) Security Roles and Glossary standard for what knowledge, skills, & abilities are required of CEOs, board members, and other leaders (as well as accountabilities, fiduciary duty, & more).

https://publications.opengroup.org/s252

If you break the Spider-Man rule, you don’t have governance... you have a scapegoat.

*With great (decision-making) power comes great accountability*

Many organizations get this completely wrong because they think that security is a technical problem to be fixed (a misperception that is reinforced by security people's behaviors). Most good CISOs have figured out how to detect and avoid those organizations.

The Security Roles and Glossary standard has a structured template to fix this problem.

It starts by mapping the security obligations for each fiduciary duty for Boards, then the resulting accountabilities for business leaders (and IT folks who manage the technology assets), and security responsibilities for CISOs, security operations, etc.

It even includes a dedicated document (part 2) describing how accountable parties (CEOs, etc.) and responsible parties (CISOs, etc.) should work together effectively.

The first draft of the standard is published for free and available at https://publications.opengroup.org/s252

Cybersecurity is often incorrectly perceived as a 'technical problem' that can be 'solved' (it isn't!) by business leaders and others.

*Security is an ongoing risk that requires ongoing work.*

This misperception is often accidentally created or reinforced by the security team.

If CISOs and security leaders communicate security in technical terms (via metrics, choice of words, budget justification, etc.), then business leaders will naturally expect it's a technical 'problem' (to be solved one time with installation of prevention measures) and not an ongoing business risk/force to be managed.

There are several techniques to correct this misperception:
- Educating leaders with clear storytelling that describes cybersecurity as crime and espionage on computers (which it is) that clearly requires keeping up with human adversaries
- Intentionally avoiding technical and 'one-time' language (problems and solutions, etc.) in the words and phrases you use to talk about security.
- Relate security to something they already know:
a. Financial terms - Quantify cyber risk using Open FAIR™ or other methods to clearly frame security and its impact in familiar financial terms (but be careful not to devalue human life, safety, health, etc. impacts that go well beyond financial risk).
b. Fiduciary duty - Relate how security is part of the legal obligation that organizational leaders have to act in the best interest of the shareholders (owners) of the organization. Threat actors can damage the interests of those shareholders and business assets, so those leaders have an obligation to implement effective security management. Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.

The fiduciary duty and accountability obligations associated with security are documented in the Security Roles and Glossary Standard Parts 2 and 3.1 - https://publications.opengroup.org/s252 (draft standard, feedback is welcome). Some more description of this standard is at https://www.linkedin.com/pulse/security-roles-glossary-mark-simos-uctze/

The Open FAIR™ standards are at https://publications.opengroup.org/t230

Think security can do it all on our own?

WRONG!

We must recognize that we are part of a larger team and each of us has a different part to play in protecting the organization.

We must also recognize that each of us is paid differently - we have different incentive/reward structures that are required for our roles and our bosses. What motivates each of us is different, but we have a lot of common ground.

We also must recognize that we all bring different skills and specialized knowledge to the table. Cybersecurity is a complex discipline, but so is prescribing medicine, finding a vein to inject that medicine, choosing material for a bridge to withstand hurricane force winds, testing new chemical formulas for aircraft lubricants, and many others.

The video for my 'What's my job again' talk from BSides Tampa has been posted

I covered who does security work in an organization (and who should be doing it) - focused on direct hard-hitting advice across a bunch of topics including antipatterns (common mistakes) and tips for risk management, career management, accountability structure across business/technology/security teams, and much more.

This talk is based on the security roles (and glossary) standard from The Open Group that defines security roles, security accountabilities on business and technology teams, and what happens if any of those 'jobs to be done' isn't being done. This standard covers 72 roles across security, technology, and business teams, up to and including the jobs of CEOs and Board members.

Video - https://www.youtube.com/watch?v=uVAAv-mvPeM

Slides - https://www.slideshare.net/slideshow/what-s-my-job-again-slides-from-mark-simos-talk-at-2025-tampa-bsides/281214751

Roles standard - https://publications.opengroup.org/s252

Ever been tempted to call people "stupid users" because they make a basic security or technology mistake?

I would advise against saying this and encourage you to change your thinking patterns. We need to respect the skills and knowledge of other professionals and remember that their basic skills and our basic skills are very different.

I know a lot about cybersecurity, but you don't want me to do 'basic' medical tasks like finding a vein in your arm to inject medicine, designing a 'simple' bridge for people to drive over, mixing a 'simple' chemical formula, or any number of other 'basic' tasks in a different profession.

If we think people should have basic cybersecurity knowledge (and we need them to!), we must take the time to talk to them in _their_ language.

We need to explain things by making analogies to similar common things they already know (fire prevention, kids' safety, etc.) or professional things they already know (safety briefings in the petroleum industry, liability in the legal industry, etc.) so it's clear and easy for them.

We must respect other professions and professionals the way we want to be respected as cybersecurity professionals. We are just people trying to do our jobs and so are they.

I recently realized that the 'autonomous SOC' idea is the same old snake oil packaged up with a new name. It's just a fancier and more intellectual-sounding version of the 'technology can prevent attacks / stop breaches' claim that has been disproven over and over (a close cousin of claims that compliance can do the same).

(The term has bothered me since I first heard it, but I hadn't thought about it deeply enough to see this until I was writing up this antipattern for the Zero Trust SecOps playbook).

If a security team believes this, they have to believe that attackers are cardboard cutouts that do exactly the same attacks every time and will miraculously give up (and open a fruit stand?) if defenders just buy and implement the right tool(s). People that believe this are also effectively saying that leaders can replace security people/salaries with a one-time purchase of tooling (a common misperception many already have).

I understand that people are excited by AI technology because it is very powerful and has a lot more ongoing potential to automate wasted repetitive human effort (just like SOAR and previous generations of automation tech did).

It will change how people do their job, but it won't replace a human or automate the whole job. SecOps/SOC jobs are some of the least likely to be fully automated because they face the full brunt of creative intelligent human attackers finding ways to get around any defense. No matter how well we automate what we do today, the attackers are paid to find some way around it by finding biases, oversights, seams, etc. in our preventions, detections, and response/recovery automation.

I have been trying to think about why people may believe this (and why it took me so long to see it myself).
So far, my best guesses are:
▪️ It appeals to the hope that we may finally 'win' the security battle against the attackers
▪️ The 'autonomous' sounds intellectual or technical, like it's been thought through or validated
▪️ We technologists have seen tech replace some legacy jobs over time, seen how repetitive some SOC work is, and wonder 'could it really happen?'

What are your thoughts here?

I am excited to talk about one of my favorite topics at BSides Tampa on May 16!

*Security is a team sport (and we are NOT playing like a team)*

Security is like a sports team where very few players actually know they are on the team, only a few of them actually show up for games, and half of those are fighting with each other or playing like they are on the opposing team.

Security will never be fully effective until everyone does their security job including boards of directors and CEOs, CISOs and CIOs, SOC analysts, everyday users, architects, IT engineers and operations, and more.

Unfortunately, most of those players don't know their positions, roles, or goals - very few people know what they are supposed to do for security, why it's important, or how to do it.

This leads to ineffective defenses and internal conflict that threat actors regularly exploit. This session will talk about how we got here and how to get the whole team playing together.

This will show you how to use the Security Roles and Glossary standards from The Open Group to overcome these challenges and get some wins on the board!

Pursuing perfect solutions is a perfect waste

There is no such thing as a single “silver bullet” solution that solves everything in security (despite what any security vendors may claim ☺).

Classic security approaches often focus on a perfect end state of compliance, a perfect network configuration, or a “perfect new tool” that fixes everything as their ideal end state. Regulatory standards can’t keep up with attackers, network security perimeters aren’t enough, and no single tool or technology can stop determined human adversaries.

Building security resilience is a journey of many steps and learnings, not a single plane flight to a predetermined destination. While we all wish there was a simple shortcut for security, the businesses and technical estates we defend are complex. No single solution will ever keep business assets safe from every creative attacker and their learnings/evolution.

From Chapter 6 (How to Scope, Size, and Start Zero Trust) / Page 78 of https://www.amazon.com/Zero-Trust-Overview-Playbook-Introduction/dp/1800568665

Security is often incorrectly perceived as a 'technical problem' that can be 'solved' (it isn't!) by business leaders.

*Security is an ongoing risk that requires ongoing work.*

This misperception is often accidentally created or reinforced by the security team.

If security leaders describe security (metrics, choice of words, etc.) in technical terms, business leaders will naturally expect it's a technical 'problem' (to be solved one time with installation of prevention measures) and not an ongoing business risk/force to be managed.

There are several techniques to correct this misperception:

▪️ Educating leaders with clear storytelling that describes cybersecurity as crime and espionage on computers (which it is) that clearly requires keeping up with human adversaries
▪️ Intentionally avoiding technical and 'one-time' language (problems and solutions, etc.) in the words and phrases you use to talk about security.
▪️ Relate security to something they already know:
a. Financial terms - Quantify cyber risk using Open FAIR™ or other methods to clearly frame security and its impact in familiar financial terms (but be careful not to devalue human life, safety, health, etc. impacts that go well beyond financial risk).
b. Fiduciary duty - Relate how security is part of the legal obligation that organizational leaders have to act in the best interest of the shareholders (owners) of the organization. Threat actors can damage the interests of those shareholders and business assets, so those leaders have an obligation to implement effective security management. Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.

We documented how to address the fiduciary duty and accountability aspect of this in the Security Roles and Glossary Standard Part 2 and Part 3.1 - https://publications.opengroup.org/s252 (draft standard, feedback is welcome). Some more description of this standard is at https://www.linkedin.com/pulse/security-roles-glossary-mark-simos-uctze/

The Open FAIR™ standards are at https://publications.opengroup.org/t230