Mark Simos
markasimos.bsky.social
Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better
Every place an IT admin enters or stores their credentials is a potential place for them to be stolen and abused for ransomware, data theft, and more.

For guidance on how to secure privileged access, see aka.ms/SPA
December 17, 2025 at 12:47 PM
Protecting people and society is why people _should_ care about cybersecurity, but fiduciary duty is why organizational leaders _must_ care about it.

(short 🧵 with download link for an open standard at the end)
December 16, 2025 at 1:32 PM
I just posted slides from my sessions at The Open Group conference last month.

This includes slides from two sessions:
◼️ Security and Zero Trust Body of Knowledge Introduction and Overview
◼️ Security Roles and Glossary Standard Overview and Vision

www.slideshare.net/slideshow/se...

🧵
December 15, 2025 at 1:29 PM
Pursuing perfect security is a delusion

The greatest obstacle to security success is assuming and expecting that perfect security is possible (or worthwhile to pursue).

(1 of 2)
December 14, 2025 at 10:58 PM
Security budget getting cut because you made progress?
Worried the problems will come back as soon as you stop investing in security?

You're probably right...

a 🧵
December 13, 2025 at 7:00 PM
If you reward technology teams to ignore cybersecurity, they will.

If you think security teams can magically stop criminals and spies while this is happening, you are fooling yourself.
December 10, 2025 at 2:52 PM
An organization can never be resilient until they stop rewarding "blame the scapegoat" behavior and start making people accountable for their actions and decisions.

🔷 If you reward business leaders to ignore cybersecurity, they will.

... a 🧵
December 8, 2025 at 6:36 PM
This was one of my favorite slide sequences to create, partially because it allowed me to use one of my favorite games to illustrate important cybersecurity points.

(and yes, there are animations and morph transitions in the downloadable slides - aka.ms/mcra)
🧵
December 7, 2025 at 3:06 PM
Are you signing up for a 2 breach minimum?

That's what often happens when you don't logs for security:

a 🧵
December 6, 2025 at 2:22 PM
Cybersecurity is part of EVERYONE’S Job

Cybersecurity professionals are currently and always will be set up to fail (and blamed for those failures) UNLESS security accountability and responsibility are correctly assigned across business, technology, and security roles

a 🧵
December 4, 2025 at 11:29 AM
How can CISOs move from "Chief Incident Scapegoat Officer" to "key business partner who keeps me out of jail and keeps our assets safe"?
How to become a trusted advisor instead of being sent to the kids table & ignored while waiting to be blamed/fired at the next incident?
a 🧵
December 1, 2025 at 1:32 PM
Is your access management strategy fragmented to the point where it only helps attackers and frustrates everyone in your organization?

a short 🧵
November 30, 2025 at 2:19 PM
AI is different.

Building and securing AI Agents is fundamentally different - they are the programs/applications/apps of the AI platform, but managing risk from them is fundamentally different than previous apps because they come with so much functionality.
November 29, 2025 at 3:13 PM
Looking for a list of cybersecurity roles and responsibilities?

Check out the Security Roles and Glossary Standard we just published.
www.linkedin.com/pulse/securi...
November 25, 2025 at 4:20 PM
Reposted by Mark Simos
Episode #121 is out! We turn the tables and speak to @markasimos.bsky.social about new material from The Open Group. It's a long episode but worth it! Also, the news!
November 24, 2025 at 2:32 AM
I recently put together this summary of how AI impacts different disciplines in security. Thoughts? Feedback? Anything I missed?
November 24, 2025 at 1:30 PM
The Open Group just published a Security Roles and Glossary standard defining security responsibilities and accountabilities.

publications.opengroup.org/s252
publications.opengroup.org/s253
publications.opengroup.org/s254
publications.opengroup.org/s255

short 🧵 with key points...
November 20, 2025 at 10:22 AM
The Microsoft Ignite Book of News is released.

I highly recommend taking a quick look through it as there is a lot of security news and releases (keyword search had 172 hits on the word security 🙂)

news.microsoft.com/ignite-2025-...
November 18, 2025 at 6:20 PM
I am working on a new antipattern that is a real pet peeve of mine.

I pretty much stop listening after I hear "This attack would have been stopped by..."

short 🧵 (rant)
November 17, 2025 at 11:47 PM
Security teams cannot operate in isolation and CISOs should not be the only roles who talk to business leaders and other teams.

Most people in a security team should be interacting with non-security people across technology and business teams.
November 16, 2025 at 11:57 PM
I found myself using this career advice slide a lot lately and thought I would share it more broadly.
November 10, 2025 at 11:00 AM
We were tempted to add this to the security glossary definitions, but we reluctantly decided to take it out
(see? standards people have a sense of humor as well 😀)

For more on roles and glossary standard (and others in this body of knowledge), see lnkd.in/gyd-3T39
November 8, 2025 at 4:02 PM
Attackers want cheap, easy, and reliable access to your assets. The job of defenders is to take those away from them.

Everything in security is about removing the cheap, easy, and reliable options from the threat actor menu.
November 6, 2025 at 4:58 PM
We spent some time working on security capabilities for the next revision of the Zero Trust Reference Model standard at The Open Group conference

short 🧵 with some updates and insights
November 5, 2025 at 4:30 PM
One thing that has been bugging me about this whole "AI replacing jobs" topic is that the discussion is too sloppy to reach a meaningful understanding or conclusion.

This post is a bit pedantic, but I have a reason for the details so bear with me :-)
a 🧵
November 2, 2025 at 1:46 PM