Mark Simos

All 18 of the Microsoft Cybersecurity Reference Architectures (MCRA) videos are now up! We cover detailed technical information + context on security threats and business risk. Share and Enjoy! aka.ms/mcra-videos Many thanks to my incredible co-presenters!

The fiduciary duty and accountability obligations associated with security are documented in the Security Roles and Glossary Standard Parts 2 and 3.1 - publications.opengroup.org/s252 (draft standard, feedback is welcome). Open FAIR™ standards are at publications.opengroup.org/t230 end 🧵

Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.

Cybersecurity is often incorrectly seen as a 'technical problem' that can be 'solved' (it isn't!) by business leaders & others. *Security is an ongoing risk that requires ongoing work.* Security leaders often accidentally create or reinforce this misperception. a short 🧵

end 🧵

We also must recognize that we all bring different skills and knowledge to the table. Cybersecurity is complex , but so is prescribing medicine, finding a vein to inject it, choosing material for a bridge, testing new chemical formulas for aircraft lubricants, and many others.

Think security can do it all on our own? WRONG! We must recognize that we are part of a larger team and each of us has a different part to play in protecting the organization. short 🧵

Want to lead Zero Trust marketing at Microsoft? apply.careers.microsoft.com/careers/job/19…

This standard covers 72 roles across security, technology, and business teams), up to and including the jobs of CEOs and Board members.

This talk is based on the security roles (and glossary) standard from The Open Group defining security roles, security accountabilities on business & IT teams, and what happens if any of those 'jobs to be done' isn't being done.

The video for my 'What's my job again' talk from BSides Tampa has posted Video - youtube.com/watch?v=uVAAv-… Slides - slideshare.net/slideshow/what… Roles standard - publications.opengroup.org/s252

We must respect other professions and professionals the way we want to be respected as cybersecurity professionals. We are just people trying to do our jobs and so are they. end 🧵

We need to explain things by making analogies to similar common things they already know (fire prevention, kids safety, etc.) or professional things they already know (safety briefings in petroleum industry, liability in legal industry, etc.) so its clear and easy to them.

Ever been tempted to call people "stupid users" because they make a basic security or technology mistake? I would advise against saying this and encourage you to change your thinking patterns. A short 🧵