Mark Simos

Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better

2026-02-09

Pursuing perfect solutions is a perfect waste

There is no such thing as a single “silver bullet” solution that solves everything in security (despite what any security vendors may claim ☺).

Classic security approaches often focus on a perfect end state of compliance, a perfect network configuration, or a “perfect new tool” that fixes everything as their ideal end state. Regulatory standards can’t keep up with attackers, network security perimeters aren’t enough, and no single tool or technology can stop determined human adversaries.

Building security resilience is a journey of many steps and learnings, not a single plane flight to a predetermined destination. While we all wish there was a simple shortcut for security, the businesses and technical estates we defend are complex. No single solution will ever keep business assets safe from every creative attacker and their learnings/evolution.

From Chapter 6 (How to Scope, Size, and Start Zero Trust) / Page 78 of amazon.com/Zero-Trust-Overview

2026-02-08

Security is often incorrectly perceived by business leaders as a 'technical problem' that can be 'solved' (it isn't!).

*Security is an ongoing risk that requires ongoing work.*

This misperception is often accidentally created or reinforced by the security team.

If security leaders describe security (metrics, choice of words, etc.) in technical terms, business leaders will naturally expect it's a technical 'problem' (to be solved one time with installation of prevention measures) and not an ongoing business risk/force to be managed.

There are several techniques to correct this misperception:

▪️ Educating leaders with clear storytelling that describes cybersecurity as crime and espionage on computers (which it is) that clearly requires keeping up with human adversaries
▪️ Intentionally avoiding technical and 'one-time' language (problems and solutions, etc.) in the words and phrases you use to talk about security.
▪️ Relate security to something they already know:
a. Financial terms - Quantify cyber risk using Open FAIR™ or other methods to clearly frame security and its impact in familiar financial terms (but be careful not to devalue human life, safety, health, etc. impacts that go well beyond financial risk).
b. Fiduciary duty - Relate how security is part of the legal obligation that organizational leaders have to act in the best interest of the shareholders (owners) of the organization. Threat actors can damage the interests of those shareholders and business assets, so those leaders have an obligation to implement effective security management. Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.

We documented how to address the fiduciary duty and accountability aspect of this in the Security Roles and Glossary Standard Part 2 and Part 3.1 - publications.opengroup.org/s252 (draft standard, feedback is welcome). Some more description of this standard is at linkedin.com/pulse/security-ro

The Open FAIR™ standards are at publications.opengroup.org/t230

2026-02-01

I just posted my slides from my talk on Zero Trust and AI Security at The Official Cybersecurity Summit in Tampa.

This was a short 20 minute talk focused on a few key points and highlights:
◾ Securing AI requires understanding it and how it works (differences from classic software)
◾ What Zero Trust actually is (cybersecurity with changed assumptions/principles)
◾ How AI affects every part of security
◾ Top priorities for each security discipline (strategy/integration/governance, architecture, SecOps/SOC, Identity, Data, app/software development, posture management, and more)

Slides here - slideshare.net/slideshow/ai-an

Some photos from the event here - linkedin.com/posts/jan-broucin

Share and Enjoy!

2026-01-27

@Naglafarn - good observation, I will add emphasis

thanks!

2026-01-27

I have come to appreciate that expectations for GenAI models (language models and similar) are often wrong.

The technology is extremely powerful and impressive, but it is not like anything we have experienced or imagined as humans, so we have to adjust our expectations.

These models are trained on REPRESENTATIONS of things (language, photos, communications, etc.), not on the ACTUAL things themselves (ideas, emotions, logic, intent, and more). GenAI can infer emotions but they don't actually feel them, GenAI can communicate about logic but isn't naturally logical (without external logic modules / system prompts / etc.)

This causes issues with our expectations because GenAI isn't something we have known and expected before:
▪️ We cannot expect GenAI to be rigorously logical/deterministic because the human communications they are trained on aren't logical
▪️ We cannot expect GenAI to have an emotional core/identity/soul with overriding moral imperatives because they are trained on our _expression_ of emotion/identity/etc. and don't actually _feel_ emotions
▪️ We cannot expect GenAI to act like we have seen in Science Fiction (Commander Data from Star Trek, 'I, Robot', and many others) because most tell a story of a purely logical machine (that can talk) that is struggling to learn human social and emotional processing (morals, personal identity, jokes, etc.)

As we integrate these models, we need to recognize _what they actually are_ and what things they do well and don't do well.

I think of GenAI as a genuinely 'new' entity which remixes a bunch of 'old' things we already know about in a very different way, and I try to keep in mind how they process (diagram) and their:
🔹 Machine-like Execution - LLMs and similar tools are like any other machine (execute at scale/speed/etc. whether it's done well or badly), but it's always based on the data they are trained on - human communications and our publications (or AI mimicry of it nowadays).
🔹 Overconfidence - They are trained on our confident final results, not our internal thought processes that led to the conclusions (whether these are correct, wrong, or a mix).
🔹 Movie magic dynamic - They can mimic many aspects of human experience, but it's like a movie or TV show - it looks real and is often useful, but it isn't actually 'real'

I have been tinkering with this diagram to try and capture this simply - I would love your thoughts and feedback.

2026-01-26

I am finalizing this new data security diagram for the next version of the MCRA (aka.ms/MCRA)

What do you all think?

FYI, we first developed this for the Data Security workshop from Microsoft Unified (aka.ms/SAF)

2026-01-24

Building and securing AI apps/agents is VERY different from classic apps.

Instead of just asking "What did we BUILD into the app" -- we must also ask "How well did we CONSTRAIN the model?"

In classic application development, we used to build every bit and byte of functionality into the application (including reused components, code snippets, etc.)

Language models (aka Generative AI) take this further to the other end of the spectrum by including a model that ALWAYS has 'too much functionality.' AI models can do a lot of things based on their training data, giving them much more functionality than you will need or want for any app or agent (quote Shakespeare, compose a song, describe how to build a bomb, recommend tourist spots in a foreign city, etc.)

This makes developing an app/agent that does what you want easy and fast, but it also introduces risk if you aren't framing your thinking correctly.

AI development can be safe, but you have to apply critical thinking and good/secure design and implementation practices (threat modelling, least privilege, etc.) as you do it.

This visual is from an AI workshop I am developing for the Microsoft Security Adoption Framework (SAF).

For more information on other SAF workshops that are currently available, you can see aka.ms/SAF
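One concrete way to "constrain the model" is to put a policy-enforcing gateway between the agent and its tools, so the model's surplus functionality never reaches anything it was not granted. The following is an added example written for this page; it is not code from the post, from the SAF workshop, or from any Microsoft product. The tool names, the per-agent policy, and the sample model output are all hypothetical and constructed for illustration.

```python
"""Added example (not from the original post or from Microsoft SAF).

A gateway that enforces a least-privilege tool policy OUTSIDE the model:
the model proposes tool calls, the app decides which ones are allowed.
Tool names, policy values and sample output are hypothetical.
"""
import json
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolPolicy:
    """What this particular agent may do, decided by the app owner, not the model."""
    allowed_tools: frozenset   # every other tool the model 'knows' is unreachable
    readable_prefix: str       # filesystem scope for read_file, e.g. "docs/"
    max_calls: int = 3         # per-request budget to bound damage and cost


# Hypothetical tool implementations (constructed stand-ins for real ones).
def _read_file(path):
    return f"<contents of {path}>"


def _search_tickets(query):
    return [{"id": 101, "title": f"ticket matching {query!r}"}]


def _delete_ticket(ticket_id):
    return {"deleted": ticket_id}


TOOLS = {"read_file": _read_file, "search_tickets": _search_tickets,
         "delete_ticket": _delete_ticket}
EXPECTED_ARGS = {"read_file": {"path"}, "search_tickets": {"query"},
                 "delete_ticket": {"ticket_id"}}


def _check_args(tool, args, policy):
    """Per-tool argument validation. Returns a denial reason, or None if OK."""
    if set(args) != EXPECTED_ARGS[tool]:
        return f"{tool}: unexpected argument set {sorted(args)}"
    if tool == "read_file":
        path = args["path"]
        if not isinstance(path, str) or path.startswith("/"):
            return "read_file: path must be a relative string"
        # Collapse '..' segments BEFORE the scope check so traversal cannot escape.
        normalized = posixpath.normpath(path)
        if not normalized.startswith(policy.readable_prefix):
            return f"read_file: {path!r} is outside {policy.readable_prefix!r}"
        args["path"] = normalized
    elif tool == "search_tickets":
        query = args["query"]
        if not isinstance(query, str) or not 1 <= len(query) <= 200:
            return "search_tickets: query must be a string of 1..200 chars"
    elif tool == "delete_ticket":
        if not isinstance(args["ticket_id"], int):
            return "delete_ticket: ticket_id must be an integer"
    return None


def dispatch(model_output, policy):
    """Run only the proposed calls the policy permits; record a reason for the rest.

    Model output is treated as untrusted input: malformed JSON or shapes are
    denials, not crashes. Returns one dict per proposed call, each carrying
    either "result" or "denied".
    """
    try:
        calls = json.loads(model_output)
    except json.JSONDecodeError:
        return [{"tool": None, "denied": "model output is not valid JSON"}]
    if not isinstance(calls, list):
        return [{"tool": None, "denied": "model output must be a JSON list of calls"}]

    outcomes = []
    for call in calls:
        if len(outcomes) >= policy.max_calls:
            outcomes.append({"tool": None, "denied": "call budget exhausted"})
            break
        tool = call.get("tool") if isinstance(call, dict) else None
        args = call.get("args", {}) if isinstance(call, dict) else {}
        if tool not in policy.allowed_tools or tool not in TOOLS:
            outcomes.append({"tool": tool, "denied": "tool not in this agent's allowlist"})
            continue
        if not isinstance(args, dict):
            outcomes.append({"tool": tool, "denied": "args must be an object"})
            continue
        reason = _check_args(tool, args, policy)
        if reason:
            outcomes.append({"tool": tool, "denied": reason})
            continue
        outcomes.append({"tool": tool, "result": TOOLS[tool](**args)})
    return outcomes


# Constructed sample: what a support-triage agent's model might emit, including
# calls the app never intended to permit (traversal, deletion, over-budget).
SAMPLE_MODEL_OUTPUT = json.dumps([
    {"tool": "search_tickets", "args": {"query": "login failures"}},
    {"tool": "read_file", "args": {"path": "docs/runbook.md"}},
    {"tool": "read_file", "args": {"path": "docs/../secrets/.env"}},
    {"tool": "delete_ticket", "args": {"ticket_id": 101}},
    {"tool": "search_tickets", "args": {"query": "password reset"}},
])

TRIAGE_POLICY = ToolPolicy(
    allowed_tools=frozenset({"search_tickets", "read_file"}),
    readable_prefix="docs/",
    max_calls=4,
)

if __name__ == "__main__":
    for outcome in dispatch(SAMPLE_MODEL_OUTPUT, TRIAGE_POLICY):
        print(outcome)
```

The point of the design is that nothing in the model's training ("delete a ticket", "read any file") matters unless the policy names it; the allowlist, the argument scoping and the call budget are all decided and enforced by the application, which is where a threat model and least-privilege review can actually reach them.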

2026-01-21

An Agile Roadmap

One of the most critical elements of a strategy is a roadmap that lays out how to achieve that business vision. In today’s world of constant change, that roadmap must be agile so that it can be adapted and changed as you learn.

Figure 8.4 illustrates how this agile roadmap helps guide your organization in the short-, medium-, and long-term phases of a project:

What is an agile roadmap? An agile roadmap is very clear in the short term and is more vague or fuzzy over time. An agile roadmap is designed to evolve with the continuously changing external environment (triggered by regular processes and significant external events).

From Chapter 8 - Adoption with the Three-Pillar Model (Page 130) of amazon.com/Zero-Trust-Overview

2026-01-15

Design security policies to create a healthy level of friction

Policies should be designed to set a productive and helpful level of “security friction” in business and technology processes. Policies that are overly restrictive will be ignored; policies that are too permissive will increase organizational risk from security.

The number and type of interruptions in the process must create enough friction to trigger critical thinking so that serious risks aren’t missed or ignored, but this friction should not block or slow business processes needlessly. You will need to tailor this level of friction to be healthy for your organization based on the organization’s risk appetite and business needs.

From Chapter 7 - What Zero Trust Success Looks Like (Page 104) of the Zero Trust Overview and Playbook Introduction

2026-01-13

From Chapter 7 - What Zero Trust Success Looks Like (Page 103) of amazon.com/Zero-Trust-Overview

2026-01-10

I am working on a new diagram for describing SecOps roles and how they fit into the operating model (aka teams/tier model) - thoughts? feedback?

2026-01-07

What is agile security?

Agile security is simply acknowledging that the real world is messy and unpredictable, and adapting to that. Zero Trust enables an agile approach to security.

Zero Trust enables security to be agile and keep up with continuously changing requirements (business requirements, technology platforms, security threats, and more).

While this is simple, it isn’t easy to adopt this way of thinking if you have been used to classic security for a long time. The playbooks will guide all the roles in your organization through the process of building an agile security approach.

From Chapter 6 (How to Scope, Size, and Start Zero Trust) / Page 76 of amazon.com/Zero-Trust-Overview

2026-01-06

🔷 If you reward business leaders to ignore cybersecurity, they will.
🔷 If you reward technology teams to ignore cybersecurity, they will.
🔷 If you think security teams can magically stop criminals and spies while this is happening, you are fooling yourself.

We documented how to fix this broken accountability model in the Security Roles and Glossary Standard - publications.opengroup.org/s252

2026-01-05

Never confuse accountability with responsibility:

An accountable role owns communication of a situation (from their perspective) and the final decisions and ultimate outcomes of those decisions. Responsible parties must provide clear and sound advice to the accountable decision-maker and execute any specialized tasks required by the final decision.

This must be a collaborative process to blend different perspectives and expertise and to reach the best decision in complex situations. These interactions should be regular and frequent to enable agility while handling complex and continuously changing risks. The exact cadence will depend on many factors in the organization and the individuals involved, and a minimum interaction frequency may be defined by policy. This collaborative process should be defined in the governance framework and operating model of the organization.

From the Security Roles and Glossary standard Part 2 : Section 4.4

🔷 Download the Standard - publications.opengroup.org/s252
🔷 Read the Article - linkedin.com/pulse/security-ro

2026-01-05

@kkarhan, it's not that managers of technical teams shouldn't have technical knowledge and understanding, it's that they do a different job.

An employee doesn't need their boss to be smarter technically; they need help with career planning, political obstacles, etc.

They definitely need to be technical enough to understand the work of their people and represent the value of that to the organization (and teach their people how to explain it themselves).

2026-01-05

These may not be the droids... errr jobs that you are looking for.

A lot of people mistake manager or leadership jobs for "technical person in charge"

Being a manager or a leader is a completely different career path - your job and your accomplishments come from supporting and enabling your people to be successful (unblocking obstacles, guiding them, opening their minds to possibilities, giving them a friendly 'check' when they are off course, translating things from technical reality to leadership language, etc.)

This slide is from a career talk I gave recently.

2026-01-04

Always ruthlessly prioritize

Regardless of the size of your Zero Trust efforts, you should always rigorously and intensely prioritize your effort, ensuring you are continually focused on driving quick wins and incremental progress.

Focus on what is important to the organization regardless of the size of the budget and team that are assigned to Zero Trust. Align Zero Trust efforts to the current pain points and business priorities.

From Chapter 6 - How to Scope, Size, and Start Zero Trust (Page 76) of amazon.com/Zero-Trust-Overview

2025-12-17

Every place an IT admin enters or stores their credentials is a potential place for them to be stolen and abused for ransomware, data theft, and more.

Threat actors can do a lot of damage with IT admin credentials, including shutting down business operations (or threatening to disclose sensitive data) to extort a payment.

It's critical to understand where your sysadmins are logging on, where they are storing passwords (for themselves or for service/management accounts), and how well all those devices and services are secured.

For guidance on how to secure privileged access, see aka.ms/SPA
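One practical way to answer "where are our sysadmins logging on?" is to run the logon events you already collect through a simple check: privileged accounts should only produce credential-exposing logons on the hosts approved for them. The following is an added example written for this page, not code from the post or from the aka.ms/SPA guidance. The event lines (a flattened key=value rendering of Windows Security event 4624), the account names, the host names and the approved-host map are all constructed for illustration; a real deployment would feed it from the SIEM or the event log.

```python
"""Added example (not from the original post or from aka.ms/SPA).

Flags logons by privileged accounts onto hosts that are not approved admin
workstations/servers, i.e. places where admin credentials land and could be
stolen. Event lines, accounts and hosts below are constructed, not real.
"""
import re
from collections import defaultdict

# Windows 4624 logon types commonly treated as exposing the account's
# credential material on the target host: Interactive(2), Batch(4),
# Service(5), Unlock(7), RemoteInteractive/RDP(10), CachedInteractive(11).
# Network(3) is excluded: the credential itself is not handed to the target.
CREDENTIAL_EXPOSING_LOGON_TYPES = {"2", "4", "5", "7", "10", "11"}

# Constructed sample events in a flattened key=value form.
SAMPLE_EVENTS = [
    "EventID=4624 Computer=PAW-01 TargetUserName=adm-jdoe LogonType=2 IpAddress=-",
    "EventID=4624 Computer=WS-FINANCE-07 TargetUserName=adm-jdoe LogonType=10 IpAddress=10.1.5.44",
    "EventID=4624 Computer=DC-01 TargetUserName=adm-jdoe LogonType=3 IpAddress=10.0.0.5",
    "EventID=4624 Computer=FILESRV-02 TargetUserName=svc-backup LogonType=5 IpAddress=-",
    "EventID=4624 Computer=WS-HR-12 TargetUserName=jsmith LogonType=2 IpAddress=-",
    "EventID=4625 Computer=WS-HR-12 TargetUserName=adm-jdoe LogonType=10 IpAddress=10.1.9.3",
]

# Hypothetical inventory: which accounts are privileged, and the only hosts
# each is allowed to log on to interactively (its PAW and the systems it manages).
PRIVILEGED_ACCOUNTS = {"adm-jdoe", "svc-backup"}
APPROVED_HOSTS = {
    "adm-jdoe": {"PAW-01", "DC-01"},
    "svc-backup": {"BACKUP-01"},
}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(_KV.findall(line))


def find_risky_logons(lines, privileged=PRIVILEGED_ACCOUNTS, approved=APPROVED_HOSTS):
    """Return successful, credential-exposing logons by privileged accounts
    onto hosts not in that account's approved set."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":          # only successful logons
            continue
        user = ev.get("TargetUserName", "")
        if user not in privileged:
            continue
        if ev.get("LogonType") not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        host = ev.get("Computer", "")
        if host in approved.get(user, set()):
            continue
        findings.append({
            "account": user,
            "host": host,
            "logon_type": ev["LogonType"],
            "source_ip": ev.get("IpAddress", "-"),
        })
    return findings


def credential_footprint(lines, privileged=PRIVILEGED_ACCOUNTS):
    """Map each privileged account to every host where its credential was
    exposed by a successful logon, approved or not. This is the 'where could
    it be stolen from' list the post asks you to understand."""
    footprint = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4624"
                and ev.get("TargetUserName") in privileged
                and ev.get("LogonType") in CREDENTIAL_EXPOSING_LOGON_TYPES):
            footprint[ev["TargetUserName"]].add(ev.get("Computer", ""))
    return {user: sorted(hosts) for user, hosts in footprint.items()}


if __name__ == "__main__":
    for f in find_risky_logons(SAMPLE_EVENTS):
        print(f"RISK: {f['account']} logged on to {f['host']} "
              f"(type {f['logon_type']}, from {f['source_ip']})")
    print("Credential footprint:", credential_footprint(SAMPLE_EVENTS))
```

On the constructed input the check flags the RDP session from the admin account onto a finance workstation and the backup service account running on a file server it was never mapped to; the domain-controller network logon (type 3) and the failed 4625 attempt are deliberately ignored so the list stays focused on places where the credential actually came to rest.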

2025-12-16

Protecting people and society is why people _should_ care about cybersecurity, but fiduciary duty is why organizational leaders _must_ care about it.

Fiduciary duty is the legal and ethical obligation to manage assets (a company) well on behalf of the owners (shareholders), which is often overseen by a board of directors.

Fiduciary duties ensure that the management team acts in their beneficiaries' interests (rather than serving their own interests at the expense of the owners). This is why the organization must manage cyber risk (or any risk) to those assets effectively.

The management team (and board) must be a trustworthy steward of the owners' assets, which means they must fulfill these 5 fiduciary duties:
◾ Duty of care: requires directors and officers of a corporation to make decisions that pursue the corporation’s interests with reasonable diligence and prudence.
◾ Duty of loyalty: all directors and officers of a corporation working in their capacities as corporate fiduciaries must act without personal economic conflict.
◾ Duty of Confidentiality: a corporation's directors and officers must keep corporate information confidential and not disclose it for their own benefit.
◾ Duty of Prudence: a trustee (board member) must administer a trust (board duties) with the degree of care, skill, and caution that a prudent trustee would exercise.
◾ Duty of Disclosure: the board of directors must act with “complete candor.” The board must disclose information to authorized entities as required by the law.

Part 2 of the Security Roles and Glossary standard describes the security-related obligations of each of these fiduciary duties. You can download it here for free - publications.opengroup.org/s252

Note: Because legal systems and laws vary around the globe, consult with your legal counsel to interpret fiduciary duty correctly in the context of your organization and the jurisdictions you operate in.

2025-12-15

I just posted the slides from my sessions at The Open Group conference last month.

This includes slides from two sessions:
◼️ Security and Zero Trust Body of Knowledge Introduction and Overview
◼️ Security Roles and Glossary Standard Overview and Vision

The first session covered all the standards that we have published and are working on for the Security and Zero Trust body of knowledge. This provides an integrated and coherent reference on how to do security using a Zero Trust approach including requirements, commandments (rules), principles, roles, capabilities (durable outcomes), processes and technologies, and more.

The second session announced the first release of the security roles and glossary standard focused on organizational leadership and governance roles (boards, CEOs, etc.) and security operations (SecOps/SOC roles like T1/T2 analysts, threat hunter, TI, etc.)

Share and Enjoy!

slideshare.net/slideshow/secur
