Mark Simos
markasimos.bsky.social
Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better
An Agile Roadmap

One of the most critical elements of a strategy is a roadmap that lays out how to achieve that business vision. In today’s world of constant change, that roadmap must be agile so that it can be adapted and changed as you learn.

🧵
January 21, 2026 at 11:42 AM
Design security policies to create a healthy level of friction

Policies should be designed to set a productive and helpful level of “security friction” in business and technology processes.

🧵
January 15, 2026 at 2:25 PM
Enable good security decisions by everyone in the organization
🧵
January 13, 2026 at 11:56 AM
I am working on a new diagram for describing SecOps roles and how they fit into the operating model (aka teams/tier model) - thoughts? feedback?
January 10, 2026 at 5:42 PM
What is agile security?

Agile security is simply acknowledging that the real world is messy and unpredictable, and adapting to that. Zero Trust enables an agile approach to security.

🧵
January 7, 2026 at 1:07 PM
🔷 If you reward business leaders to ignore cybersecurity, they will.
🔷 If you reward technology teams to ignore cybersecurity, they will.
🔷 If you think security teams can magically stop criminals and spies while this is happening, you are fooling yourself.
January 6, 2026 at 10:28 PM
Never confuse accountability with responsibility.

From the Security Roles and Glossary standard Part 2: Section 4.4

🔷 Download the Standard - publications.opengroup.org/s252
🔷 Read the Article - www.linkedin.com/pulse/securi...

🧵
January 5, 2026 at 3:18 PM
These may not be the droids... errr jobs that you are looking for.

A lot of people mistake manager or leadership jobs for "technical person in charge"

This slide is from a career talk I gave recently.
January 5, 2026 at 12:41 AM
Always ruthlessly prioritize

Regardless of the size of your Zero Trust efforts, you should always rigorously and intensely prioritize your effort, ensuring you are continually focused on driving quick wins and incremental progress.
January 4, 2026 at 1:12 PM
Every place an IT admin enters or stores their credentials is a potential place for them to be stolen and abused for ransomware, data theft, and more.

For guidance on how to secure privileged access, see aka.ms/SPA
December 17, 2025 at 12:47 PM
Protecting people and society is why people _should_ care about cybersecurity, but fiduciary duty is why organizational leaders _must_ care about it.

(short 🧵 with download link for an open standard at the end)
December 16, 2025 at 1:32 PM
I just posted slides from my sessions at The Open Group conference last month.

This includes slides from two sessions:
◼️ Security and Zero Trust Body of Knowledge Introduction and Overview
◼️ Security Roles and Glossary Standard Overview and Vision

www.slideshare.net/slideshow/se...

🧵
December 15, 2025 at 1:29 PM
Pursuing perfect security is a delusion

The greatest obstacle to security success is assuming and expecting that perfect security is possible (or worthwhile to pursue).

(1 of 2)
December 14, 2025 at 10:58 PM
Security budget getting cut because you made progress?
Worried the problems will come back as soon as you stop investing in security?

You're probably right...

a 🧵
December 13, 2025 at 7:00 PM
If you reward technology teams to ignore cybersecurity, they will.

If you think security teams can magically stop criminals and spies while this is happening, you are fooling yourself.
December 10, 2025 at 2:52 PM
An organization can never be resilient until they stop rewarding “blame the scapegoat” behavior and start making people accountable for their actions and decisions.

🔷 If you reward business leaders to ignore cybersecurity, they will.

... a 🧵
December 8, 2025 at 6:36 PM
This was one of my favorite slide sequences to create, partially because it allowed me to use one of my favorite games to illustrate important cybersecurity points.

(and yes, there are animations and morph transitions in the downloadable slides - aka.ms/mcra)
🧵
December 7, 2025 at 3:06 PM
Are you signing up for a 2 breach minimum?

That's what often happens when you don't logs for security:

a 🧵
December 6, 2025 at 2:22 PM
Cybersecurity is part of EVERYONE’S Job

Cybersecurity professionals are currently and always will be set up to fail (and blamed for those failures) UNLESS security accountability and responsibility are correctly assigned across business, technology, and security roles

a 🧵
December 4, 2025 at 11:29 AM
How can CISOs move from "Chief Incident Scapegoat Officer" to "key business partner who keeps me out of jail and keeps our assets safe"?
How to become a trusted advisor instead of being sent to the kids table & ignored while waiting to be blamed/fired at the next incident?
a 🧵
December 1, 2025 at 1:32 PM
Is your access management strategy fragmented to the point where it only helps attackers and frustrates everyone in your organization?

a short 🧵
November 30, 2025 at 2:19 PM
AI is different.

Building and securing AI Agents is fundamentally different - they are the programs/applications/apps of the AI platform, but managing risk from them is fundamentally different than previous apps because they come with so much functionality.
November 29, 2025 at 3:13 PM
Looking for a list of cybersecurity roles and responsibilities?

Check out the Security Roles and Glossary Standard we just published.
www.linkedin.com/pulse/securi...
November 25, 2025 at 4:20 PM
Reposted by Mark Simos
Episode #121 is out! We turn the tables and speak to @markasimos.bsky.social about new material from The Open Group. It's a long episode but worth it! Also, the news!
November 24, 2025 at 2:32 AM
I recently put together this summary of how AI impacts different disciplines in security. Thoughts? Feedback? Anything I missed?
November 24, 2025 at 1:30 PM