
So what's my job again? As mentioned, I do lead cyber security architect work at Microsoft. I am the security forum chair at The Open Group, so I help guide and direct the standards and steward those moving forward. And then I am also somehow finding time to co-author what was meant to be one playbook. And then we did the math on how many roles there are and how many people needed guidance and how many chapters that was, and it was about six or eight thousand pages, and we're like, maybe we'll make it a series. So the first one's out. If anyone has it, I'm happy to sign it. If you don't have it, there's a discount code
at the end for 20% off. So all of these things that I do are representative of really one sort of, I don't want to say body of work because there's different intellectual property and ownership to it, but it's really one view, one way of thinking, one comprehensive end to end of how cyber security should be working from the board all the way down to the bits and the bytes and the people that work with them. And we do it from in the middle there, The Open Group perspective: here's essentially the skeleton, here are the standard roles, the capabilities, the outcomes. We'll talk about those more in a moment. And that is the stuff that is just the simple
truth at the center of everything. The playbook is how to do this in a completely vendor neutral, objective kind of way. And then on the left here, which is not showing up for whatever reason, is my Microsoft work, where we say, "Okay, how do we translate that into an architecture and a strategy that helps you then use all of those Microsoft technologies that we put out, 50, 70 major products, in a coherent way to help enable that and do the technology part of the people, process, tech make sense?" So I spend way too much time thinking about way too many things, and sometimes people pay me to be an adviser, and if anyone's got a pile of money off
to the side and they want some help, I am happy to accommodate. All right, moving along. So there are two very, very important and profound truths at the core of why cyber security is hard. We face creative, intelligent, determined and very practical attackers. They prefer the cheapest, easiest way to get in, right? They're not getting fancy. I have a t-shirt, which I saw someone have on the internet so I had one made, which says "that's out of scope," said no attacker ever. Attackers are practical. They're trying to make money. They're trying to do this in the cheapest, easiest way they can so they can get back to their family, their vacations on the Black Sea, I don't know, whatever they do. But they're not trying to do the fancy stuff per se. They're just trying to get a job done.

Second thing that is very interesting, profound and deeply impactful to cyber is this stuff is hard. It is very, very hard because anyone can click on a link, anyone can share their password, anyone can share their email, or they can share data rather. And so everybody's job involves cyber security and everybody needs to know their job. And that is a very hard truth to swallow for people that never had to worry about cyber security and have had a very successful business career up to this point. And why do I want to listen to these geeks that are talking to me in some sort of tech geek speak? So very important to remember that that's one of the central problems. We'll talk about how we're trying to tackle that.

So this is a story in three parts. First part is how we're trying to put the pieces of the puzzle together, all the pieces together, at The Open Group. Second is some really burning, intense insights, light bulb moments we've had as we go. I'll talk more about those. And then some tips as a practitioner, as a practitioner aspiring to be a leader, or as a security leader on how to take advantage of this. Sound good? Awesome. So, the first part,
none of my slide zooms are showing up. This is going to make it visually challenging, but we'll figure this out. We answer some big questions. We're building a secure and zero trust body of knowledge. I promise you the slides themselves will appear. And these are meant to be thumbnails of the slides, by the way, if those are wondering. And there are about 73 or so roles that we've discovered so far that have specific responsibilities and accountabilities. And there's a difference between those for security: either I'm going to get blamed for it, or I have jobs that I need to do to support somebody else who will be blamed if I don't do that right. And then use cases, and how we imagine these to be used. So that's the first part. Let's go through that.

So see, there's slides there, I swear. So the questions we set out to answer, some of the basics. Why bother with cyber? Why do we bother with security and zero trust? What requirements do we have to meet? Those are very closely related questions. Half of our requirements come from the attackers, because they do things we need to react to. The other half comes from the business and the assets that they own, because we're trying to protect that stuff against these attackers. So those two collectively create our requirements for security. We'll show how we're doing that. Zero trust: what the heck is this thing? And then how do I plan and implement it? And then execution coordination, which is where we're going to spend a lot of time today. Who does what? And then guiding the architectures and teams. We put some stuff out for there. Risk. At the end of the day, this is a risk discipline. Risk is just: bad things could happen. How do we stop it? And how do we deal with it when it comes through? That's risk. That's the whole thing in a nutshell. And how do I integrate that into, like, a very large, you know, Fortune 10 bank that has a mature risk department? And how do I do
it if their risk management is, ah, medium, right? So there's a big range of how you integrate into those, and so we're working on standards to address that.

So mapping these out, you've got your attackers on the left. Red translates to blue. The attackers have goals, they have an operating model, they have strategies, they have tactics, they have techniques. MITRE's done a great job with some of that. NIST Cybersecurity Framework, OWASP, a whole bunch of great work that's been done, but no one's ever connected it and said this is an attacker from the top to the bottom. And so we're doing that. We're connecting all those together and saying what does this mean? The implications of that are my requirements. Same thing on the business side: these are the ways that a business runs, they operate in terms of money and profit and loss, they deal with risk in these ways, they may have these things. Because of all that, we have another set of requirements coming from the business, because security is about keeping the attackers away from the assets. And so it operates in that space.

So first thing we answered. All the green checks are released standards that are available. You can download them for free right now. Zero Trust Commandments basically answer what does good look like? Because essentially zero trust security is, hey, the firewall isn't going to keep us safe, and IDS and IPS and all the other border stuff. How do we do security? And that's a very simple question with a very long, complex answer, which is basically zero trust, because we have to take that bad assumption out, because, you know, phishing, credential theft, etc. blows that out of the water, right? It doesn't work anymore. It's a bad assumption. And then we have to revisit how we do data security, how we do governance, how we do everything in security, questions that were essentially put to the side because, hey, the firewall's got us, right? And so that's readdressing that. Then you have to translate that so that all of your architects, solution architects, network architects can put this into the
way they design and put systems together. So we put security principles for architectures out that essentially say this is what you copy-paste into your documents for architecture, and how you do the network design, how you do identity design, how you do enterprise architecture, and then integrate those in and then execute on those. Right? So those are the first two things we put out. Roles and glossary we'll talk a lot more about today. Then there's also the Zero Trust Reference Model. In business, they define business capabilities. I need to buy raw material. I need to make a product out of that raw material. I need to sell that product. I need to service that product. I need to ship that product. How I ship the product may be a plane, a train, an automobile. The people, the process, the tech all can change. But at the end of the day, product goes from my factory to customer, right? And how does that change? We have never defined that for security. We have never defined the outcomes and the things that we do regardless of whether it's a SIEM or an XDR or a SOAR or anything like that. And so that's what we're setting out to do.

Implementation of it, as I mentioned, is going to take about seven or eight books to actually do properly. We're going to capture some of that in terms of here's the approach, here's the thinking, here's the things that should drive it, and a few examples to get you started, but we're not going to put out an 8,000 page standard, to be blunt. So that's where that's going to go. Got to measure progress along the way, manage it, and so we need a handbook essentially for managers there, maturity models and the like. And then one of the big things that's already out, as part of the risk piece, is Open FAIR. You need to be able to manage risk in terms of: is this a 2 to 4 million, 20 to 40 million, or is this a, you know, 20 to 40 billion question for this company? And so you've got to
be able to quantify, turn that cyber risk into a dollar range. And that's what the Open FAIR methodology does. Very rigorous, takes some time. You don't always have to use it for everything, but it does answer that question. Make sense?

Okay, so jumping into the roles and glossary. Right now we're sitting at about 73 roles. We may discover more, but these aren't all security jobs. All the blue ones you see, those are traditional security jobs. The ones that are halfway in between: anyone ever hear from a CISO, "I don't know whether the identity team should report to me or the CIO"? Sound familiar? Anyone that's ever had those conversations? My 15-year-old son says no. Apparently, I don't talk enough cyber at home. So there's an interesting job when you're in the identity team or the networking team, because you have both an enablement and a security job. It's like working in, or being part of, or constructing the front lobby of a building, right? It is the digital lobby of the business. However people get through to the front door, it's got to be pleasant. It's got to be friendly. It's got to be welcoming so that we have customers and our employees getting their jobs done, but it's also got to be secure so that the valuable equipment isn't walking out the front door. So those folks have a very interesting job where they have one foot on both ships, and if either one sinks, it gets really bad really fast. So they have an interesting halfway in between.

All the green ones are traditionally non-security jobs. But if I am a business line leader and I say, I want 100% uptime from this system. Great. We're going to need redundant stuff so we can patch it. Now, we're not funding that. But if something goes wrong, I'm going to blame the security guy. I'm going to fire you because you're not good at protecting my system using impossible constraints, which quite frankly is BS. But so they have jobs that they need to do as well. Making sure that accountability is right. That's part of
the business leader's job executing on this. There's a lot of risk, cross-functional, legal, finance, etc. And by the way, all of these are support functions except for this: your information workers, your frontline workers. That is your business. That is the people that are sitting in the retail shop selling clothes. That is the truck drivers. That is the people at the factory making the products. That is your actual business. The rest of these are support functions for how you make money or how you accomplish your mission, or soldiers in the field, etc. So kind of keep that in mind.

All right. So as we mentioned before, anyone can create risk, whether deliberate or accidental. Anyone can click a link, share data, share a password. Leaders can set those impossible targets. The easiest way to think about this, for those that work in leadership positions, think of this like legal risk. Anyone can cause a legal risk for the organization. So people get basic training in that. Anyone can create financial risk. Anyone could screw up and start a fire in a building. You have to be able to have that level of trust and that basic literacy for these things and assign those accountabilities. So this is an example of, and so we're prioritizing two sets of things, and this is the example of one of the first, which is the organizational leadership. Because for the most part, if security leaders come in and talk tech, anyone ever done this? Security leader talks tech to a business person. Ever seen this happen? Happens a lot. And what happens? The business leader thinks that the technology, right, goes over your head. So "I don't understand it, therefore it's not my problem. It's your technical problem as a technical person, and if you don't solve it, I'm going to fire you and get someone that actually knows how to solve this." Because they make a very reasonable assumption: if I can't understand it in plain language, then you're obviously not competent at your job to either explain it to me or to solve the problem that you should be able to solve. So when we talk tech to business, we set ourselves up for failure. We set ourselves up to take the blame as security professionals. And so part of this standard is to help get people the structure and the language to have a productive conversation: I don't need you to know security, but I do need you to fix the accountability structure. I do need you to understand everybody has a role in this, and you need to make sure it's part of the culture and what you talk about in your culture talks. Right? So we're trying to give people the
structure to do that. So these are accountabilities. We structured both the accountabilities and responsibilities the same way. Here's a list of duties. Some of them are common to everyone in business. Some of them are specific. Every single one has a risk of neglect. If this job isn't being done, this is how it goes wrong. Very, very important on that question.

>> I was just going to say, I've been seeing over time more CEOs being put on the hook for making bad business decisions that affect employees or customers suing, and like personally suing the CEOs. Are you seeing that as a, like, an upward trend, or CEOs being more cognizant of that and trying to... the whole...

>> I've definitely seen a lot. Security in the past 5 to 10 years has become a board and business level issue. People know they need to do something. They don't know what to do. So the intent of this standard is to help them understand what to do and to put it in language they understand. Because if you say this is your fiduciary duty, this is your legal obligation to take care of the shareholders' value, and if you're intentionally creating risk on it because you're trying to, you know, politically set someone else up for failure, you are violating that duty, just like you're telling an employee to break a law, right? And so we want to help people frame it and understand it in the terms that they work in. And so that's a big part of this, is we're writing the language very differently for a CEO versus a SOC analyst, right?

And then, what are the assets? This doesn't really matter that much for the CEO because they generally own the whole corporation. But when you start getting into, like, a CFO, they own accounts payable, accounts receivable, what we pay in, what we pay out. And y'all ever heard of business email compromise? Someone sends a fraud email: "Hey, I'm the CEO. You should transfer this money." That's fraud, right? That's fraud over email. But they've had fraud over phone. They've had fraud by someone
walking in. They've had fraud forever. The CFO owns that, and making sure that those monies don't go to the wrong people. That's their job. Now, a technology person, they own a different set of assets. They own containers, they own servers, they own identities, they own endpoints. And so they have to be a custodian, as a technology engineer or operations person, for those. So it's really important for people to understand that. And of course, hey, you just gave me all these job duties. What do I need to know? And so we're giving them knowledge, skills, and abilities as a list of the things you need to know. Because how many people think that organizations send a whole bunch of phishing email tests and think that they've educated their entire workforce all the way up to the CEO? Yeah. Reality is there's a lot of things that each role needs to know, some of which is common, some of which is unique. We're trying to give people a blueprint so they can produce useful training as opposed to an illusion of training.

One example of this, and it's kind of funny, we were working on these before this happened at Microsoft with the Secure Future Initiative. So we got a case study that jumped up and volunteered in a very unpleasant kind of way for those at Microsoft, through Midnight Blizzard and whatnot, but Microsoft did do the right thing and we are making security part of everyone's jobs. I did get my legal team's approval to show this. This is a screenshot of my actual performance review, the form part, right? Not the actual filled-out part. I'm not going to give you that. It was actually pretty decent, but I'm still not gonna give it to you. So the security core priority, everybody has this. Everybody has to work with their manager to negotiate what is my job in security. If I'm in marketing, if I'm a lawyer, doesn't matter. What is my job in security? So we talk about that and a few other things at the Secure Future Initiative site. Great example there.
So flipping over to the other side, this is more of the responsibility side of those security job functions. This is security operations, or the SOC. These are the jobs that have to be done. You've got the manager at the top, your traditional tier 1, tier 2, tier 3. Don't like that terminology, but everyone knows it. We think of it as triage, investigation, and threat hunter. You've got the folks that manage the platform and the data engineering, you know, your Splunk, your Sentinel, ArcSight, whatever it happens to be. Hopefully not ArcSight, that's old. Sorry. Threat intelligence, incident coordination and management. And they have a role greater than the SOC. They have to tell everyone what happens, because if you keep running into the same wall every time and you don't actually try and change your behavior on it and work with the engineers and whatnot to redesign the system, and you block an IP, which is pointless in today's day and age with the rotating IPs, that is not enough. You've got to have people work with the engineers and operations that know how these systems work to implement changes. And by the way, these are the latest attacks we're seeing all the time. Oh, let's integrate those into our changes, right? We cannot have that connection not be there. Then attack simulation, detection engineer, reverse engineer, some more familiar terms.
So how can you use these roles and the role definitions? Organizational planning, fairly obvious. Education, as I mentioned earlier. Planning and managing outsourcing, like, hey, we can't do this, we can't hire someone, we can't afford to have someone do it, but we can get a service in there to do at least something in that space. Building a job role and job descriptions. One of the biggest problems we have in cyber is God knows what the heck the recruiter or hiring manager was thinking, or where they copied and pasted from, or what the prompt was in ChatGPT when they actually created that job description. We're trying to get to the point where we have a standard set of things that this is a normal role and you adjust off the default instead of just winging it and doing something really crazy. Or asking John, who is a great analyst but a terrible writer, to actually write it. Not John specifically, that was just a random name, John Doe. Evaluating candidates and performance. Do they have the skills that we need? And then, as a person, have I built the skills that I need? And then evaluating the performance. Are they using the skills, etc., and performing against it? So it makes things a lot more rational, a lot more thoughtful, a lot more professional. Make sense? So a couple of the light bulb moments we
had along the way. Most people make the same mistakes over and over again. Like, the mistakes we see are very, very common. We call them anti-patterns. It's a pattern, but not a good one. Technology begins and ends with people. Strange statement. I'll explain it. A bad accountability model will break everything. So we'll talk through all of those quickly.

So at the center of all of these anti-patterns: technology is not a solution. Can I have everybody say that? Technology is not a solution. A hammer is not a house. A hammer is not a remodel. But yet somehow a SIEM is a SOC. No. Technology is not a solution. That bad assumption is the center of why we have the silver bullet belief and why the vendors can come in and say this will solve your SOC problems. No, it won't. It's a tool. You gave me a better hammer. It's definitely better than the old hammer that we have. But it's a hammer. It's not a house. Right? And so we have to be very, very clear about that. We'll talk about how this instantiates to business leaders, security leaders, and security practitioners.

So these are the mistakes. An anti-pattern is a common mistake people make over and over. I'm going very quickly through this. This is for business leaders. So think about this as if I'm a security leader, aspiring security leader. These are the kind of
things that I'm going to be dealing with on the business leader side that I then have to coach them through and fix. Blamestorming. When something goes wrong, everybody wants someone to >> blame, right? Because it's easy. It's clean. I'm done. And then we've moved on. We hired them, trained them, fixed them, coached them, whatever. Right? Easy solution. Problem with security is: who causes attacks? Is it an employee, or is it the attacker? The attackers cause the attack based on mistakes that were often made by the IT or the business people, who often have no idea that they made that mistake or that it was actually a security problem. So there's a whole lot of ignorance, there's a whole lot of accident, there's a whole lot of innocent ignorance is what I mean there. So it's really important. Now, sometimes, and this, you know, fiduciary duty is judged by, like, the legal system, right, not by you as a consultant or whatever, but if someone is intentionally setting up, like, we're hiring a CISO, we're giving them no funds, no teams, anything like that, just in case we have an incident we have someone to blame, then you're violating fiduciary duty, because you're explicitly going through and making sure you're not taking care of your shareholders and their value that they've entrusted to you. So just be careful. Don't ever cross the intentional line if you're a business leader seeing this.

One of the big mistakes we see that's much, much more accidental or inadvertent typically: anyone ever worked on a project? The project manager, they talk about risks, right? Think about project risks like, "Hey, we might miss our deadline. We might not have enough scope." And they manage risks. They're good at that. But oftentimes people mistake project risk for organizational risk, because the project manager has not been empowered by the CEO to accept up to a $3 billion loss because their project decided not to patch. That is not their call. That is the call of whoever the CEO trusts, maybe themselves, maybe one of their business leaders, to accept that. That is not lateness of the delivery. Make sense? So that's a huge mistake that often happens. Some other symptoms that we see a lot: delaying security until it's at the end; isolating security because, hey, it's not my job, it's their job, so I'm just going to separate them and my IT teams don't need to talk to them. And of course, the "just this once" fallacy. Oh, we'll just let this chemical fire, you know, burn out in the lab just this once, right? It's okay. Cyber security is not naturally contained. Cyber security spreads naturally, right? So we have to make sure they understand that. And some best practices, which I don't have time to go
through to do that. That's why I wrote them down. Next, business leaders. First one is extremely important, so I'll cover that one. Naturally, you will be blamed if you're a security leader, because that's the default assumption of the business leader. So your first task, and this is basically getting you oxygen so you can breathe and do your next work, is you have to cover yourself. You have to cover your assets, cover your donkey, however you want to say it. You have to cover yourself and your team. And if someone does something that's risky, you have to write it down and say, "Are you accepting this risk?" That is the number one thing a security leader needs to do to buy themselves time to survive and to operate. That's just how it is. You've got to set yourself up for that. So then you can work through and educate and partner with these business people. But if they're trying to pin you, you have to be a player. You have to step up and you have to give yourself space to make sure that you can operate and do your job. Otherwise, you are a straight-up scapegoat.

Talking tech to business, we talked about. Department of No is a bad habit. It's always about yes, and how can I help you manage your risk. It's a great opportunity when someone says that: you can turn it around and say, I'm here to help you. Genuinely, I'm here to help you manage your risk. Not mine, yours, because I don't accept accountability, because I'm not making the decisions, you are, and I want you to make the best decision. I am truly your friend and helper. Compliance trap. Compliance is very useful, but it's not enough, right? Compliance is very helpful. It's a great guide. It's a great minimum, but it does not, and it might keep you out of jail, literally, but it's not going to keep you secure. We talked about the phishing thing. And then burnout. Burnout is on the security leaders. You cannot let yourself burn out and work yourself too hard and model that behavior with the expectation all your team will do so, often not communicating to the business in the process. You cannot do that. You have to take care of yourself. You have to manage your own burnout, because you're not going to be able to take care of your teams if you are burned out. It's not going to happen. You don't have empathy. You don't have the ability to see it if you're not taking care of yourself. So you have to take care of yourself and take care of your team. It's just like the airline thing. You put on your mask first, then you help the kids and the others. You've got to take care of that. And then some best
practices, which I'll let you read on your own. Security career anti-patterns, and this is for anyone, but leaning into the practitioner space. We make some of the same mistakes everyone else does. We just happen to be doing it in the cyber security industry versus the tech, versus the sales, versus the marketing, versus whatever. Standing still is falling behind. If you're not learning, you're falling behind. Pooping bird. Everybody likes the bird that comes in, squawks and poops all over something and then flies away, right? So we love people that do the work equivalent of that, right? No. That's a terrible extreme. But also thinking everything is fine and everything's going to be great and trusting in the system and everything will be perfect. That's also not a good idea. So those extremes. Avoid arrogance, impostor syndrome. You want to be confident enough to get your job done, but you don't want to be so confident that you're arrogant and you're alienating people. So avoid those extremes. Certification trap, just like the compliance thing: it's a particular measure. It is not everything. Fanboy/fangirl fallacy. I've been around a quarter century at Microsoft. I've been around the industry long enough to see plenty of things go to the top of the Magic Quadrant and plenty of things fall off. You do not want to be completely tied to just one vendor. I don't want to be an X-vendor person. I want to be a SOC person. I want to be an identity person or whatever. Pick something durable to align yourself to. A lot of stuff in security is very expensive. Some of it's good, some of it's not. So do not just pretend that something is high price, so therefore it is good. Couple other extremes. There are no magical boot camps, right? Five days is not going to make you a qualified expert in anything. Nor does everyone have to go through 25 years starting with assembly code to get to their first job. Right? The truth is in the middle. How it's always been done, chasing fads: stay away from those extremes. Embrace the new
technology, understand it, play with it, but know its limits. Same thing with the old practices. Use them, learn from them, but recognize when they're out of date. And as the great philosopher Beyoncé once said, "If you liked it, you should have put a ring on it." Nobody expects that from a bald white guy. If you do something once, you will do it again. You will have to do it again. Write it down as a process. Make it a cycle. We'll talk about that more in a moment. And then the best practices we already talked about.

So let's get to "technology begins and ends with people." Someone is assigned a job. That person probably first does that manually and figures it out. If they're smart, they turn it into a process. They write it down. They train someone else to do it, etc. And then someone else comes along, applies a different type of smartness, and builds a technology, a script, an automation, a tool, a SaaS product, whatever, to automate it, or part of it, or as much as can be automated as possible. And then someone, usually someone else, runs it, and then the rest of the parts of the process that aren't automated. Problem in the cyber industry is people buy a tool thinking it's a magic unicorn that will do everything for them and it will be a SOC. It won't. So they get burned out because their expectations and the reality never match. Can't ever match. A tool cannot replace a process. It can replace some parts of a process. A tool cannot replace people. AI is automating new things that we have not had automated before, but that doesn't mean it can do critical thinking. That doesn't mean it can do everything. It can do some of the things that we do. And we're learning a whole new language and taxonomy and structure and thinking of how to separate what the AI can do and what it can't. That's part of the learning process, but it's not a replacement for people, but it is a replacement for some of the things that people do.

Third piece. Talk about this very
quickly because I want to get to the tips. How much time do I have? About 10 minutes. >> Thank you. Awesome. So, I'll let you read.
>> The last 10 to give away. Who's actually experienced this? Yeah. Talk about shoot the messenger. Not just the messenger. The person that warned you and tried to keep you out of that pain. Now that person probably talked in a language you didn't understand. So there's a little bit of, like, you know, Klingon to English kind of problems here. But at the end of the day, you have to keep in mind that blame creates fear. And when people are afraid, they get in a cover-your-assets mode and they go to ground. They go to what's familiar, what they know, what's factual, what's correct. "And I did my job. I did it right." That may protect
you, may not, but it does not protect the business. If I don't have the SOC saying, "Hey, listen. This is what went wrong. We really need some help getting some of these identities protected better," and the engineers going, "Oh, that's a really good input. We want to put that into our schedule." People do not do those kinds of collaboration when they're afraid to be blamed. They're going to say, "Nope, you screwed up. That's your job. That's a SOC thing. We don't have to change anything. We're fine." Right? You've got to have a trusting environment. You cannot do that in a blame environment. So, we want to crumple that up and throw it away. >> I have never been able to use that
animation before, by the way. That was the first time I've ever been able to throw something away in a slide. And I'm like, "Yes, I do a lot of PowerPoint." So, the model that we really need to learn is very, very classic. This is what RACI was supposed to be: responsible, accountable, consulted, informed. RACI. This is what RACI should have been. Most of the time it's used to figure out who am I going to blame for something. And shared responsibility is a recognition that there's more than one R always. If you've heard of the shared responsibility model, it just happens to usually be used for cloud versus a customer of a cloud. But this is how it's supposed to
work. And this is not a one-time transaction. We're going to show it in that way. But it's a relationship and a continuous process. Accountable party: the one that has to make the decision. The one that is in charge, the boss, has to say this is what we're trying to achieve and these are the constraints and this is what we know. Responsible experts, could be legal, could be security, could be technical, have to say, "Here's your choices and here's our recommendation." Never do it with just one of those. If you give them a bunch of choices they don't understand, they're going to be pissed because they don't know which one to pick if they don't know any better.
If you do it with just a recommendation, you have just owned the solution and it's on you because you only gave one option and no alternates. Always choices, alternates, and always a recommendation. And then any reasoning as required by the situation. An informed decision is then made by the accountable party, who has to be taking the blame for it and feel the weight of that decision, and they sometimes have context that the experts don't have. They get the context of multiple experts that all the experts don't necessarily know, and then the responsible parties often do the execution. This is a healthy interaction. This is where people are able to collaborate, and if you're smart, you're going to capture
that in a policy or education because this decision is going to come up over and over again, and you want to identify and share the assumptions because everybody comes from a different world. You're going to learn stuff from lawyers, they're going to learn stuff from you. You're going to learn stuff from the tech team, they're going to learn stuff from you. That's how this works. The more that people share, "this is how I'm thinking about it." "Oh, awesome. I don't have to ask you a question next time and I can then advise the boss better." Right? So, this is the collaborative approach that should replace that crappy comic. And I made the comic, so I'll take
credit for the crappiness. So, essentially bringing us up to the big picture really quick to wrap this up. You got your business functions that own everything about a production line, a factory, a fleet of trucks, whatever it is they own in the business. And then you have your responsible folks, your HR, your finance, your legal, and security should be there and treated the same way. Five minutes. Thank you. That's five minutes till question time, right? Thank you. Awesome. So, quick case study. Old way, crappy way: A, security is the security team's problem. B, security is everyone's job. The right way to do it. You're buying a very expensive MRI machine or factory equipment. You're spending millions of
dollars on something you need for your business, which is why you're spending millions, which you wouldn't normally spend. Say you skip security, which is the norm, innocently, intentionally, doesn't matter. Sooner or later, you're not going to have a long enough support contract. You're not going to be getting patches. So, you're starting to operate at risk. Sooner or later, that product will go end of life. It may be a year, maybe 5 years, maybe 10, 20. It's going to end of life or the company will go end of life with a bankruptcy. But that whole time, you're running at risk. And this risk, when you look at the ransomware of the world, this is a risk
to the business. This is not a security risk. This is a risk that I can't scan patients and save their lives. This is a risk that I can't put products out of my assembly line. That's a business risk. Whereas, if security is everyone's job and you go and work with the acquisition people and they're required to work with security people to evaluate this, you're going to look and see: is this vendor going to be in business for the 20 years, or are they a fly-by-night startup in the MRI space? I don't know. Do they follow the security development life cycle? We're going to be getting patches every 3 days, right? Are they providing security updates? Do
we have a contract that's going to say they're obligated to provide those security updates? And if some of those things aren't true, you still may need that one-of-a-kind product. And well, if they go out of business, we have a copy of their source and we can have our developers patch it. You can make up contingency plans and figure that out if you're asking for this, because the salesperson and their VP and their boss and everybody up to the CEO that wants that 10 or 100 or 150 or $500 million contract before that sale, they are willing to say yes to anything. Oh yeah, 10 years of support, 15, 20. Happy to do it. We'd love to do it. Please sign the
check. After you sign that check, you lose that moment. If it's not in the acquisition process, you all know cyber security sellers, right? If it's not in the acquisition process, you're not going to get it. It's got to be part of that initial negotiation. So, talk about takeaways, tips for practitioners, for aspiring leaders and for existing leaders. As we established earlier, there are no CEOs of large organizations in this room. So we're going to put it on the security leaders to work with those parties and give you some advice there. I figured it was fairly safe to assume that Tampa BSides doesn't attract, like, Fortune 500 CEOs. Just an assumption on my part, but
there are good people here. So, security practitioners, number one rule: get stuff done. Focus on the outcomes. There's a thousand distractions. There was that joke that I appreciate a lot during the opening this morning. There's a lot of, like, neurodiversity is like iron filings to the magnet of cyber security, right? It's a very precise discipline. It's a very detailed discipline. So neurodiverse people rush to cyber security because it really fits the way our minds work, right? So the problem is that's distracting. So you've got to focus on outcomes because everybody cares about outcomes. Everybody cares about what you've done and what have you done for the business, what have you done for the
boss, etc. You've got to focus on that and make sure all of this stuff is leading to that. You got to be part of a team. None of us is smarter. All of us got to work together with the team, and that team is within security, within IT, and as you progress in your career, with business stakeholders. Everything is always changing. So you've got to continuously learn and continuously adapt to what is happening in the world. We didn't have AI a couple years ago. We didn't have cloud 101 15 years ago. We didn't even have enterprise security when I started this thing. Right? And very, very important, you have to tell your story because nobody else will. You may have people
that open up your mind into whole new ways, like mentors and bosses that do an amazing job with your career and help you, but it's always yours. You have got to tell your story, especially the silent ones, especially the ones that, hey, we did this automation that saves 30 hours a month. It's saving it every month. Remind people of that as you go. Make sure that they don't forget the things you've done in the past as well as what have you done for me lately. Very important to tell your story. Don't brag about it. Maybe humble brag about it, but you got to make sure that people know that. Otherwise, they will automatically assume you have done
nothing. People project their own expectations into a vacuum. So, aspiring leaders, the first question you ask: are these the droids you're looking for? Is this the career you're looking for? I have seen far too many technical people decide they want to be a manager because they think it's the head technologist job. It is not. It is the beginning, the bottom rung of a new career. It is a very different career path. So you're not doing stuff, you're enabling others to do it. You're not using technology, but you're leading the strategy and the teams that are doing so. It's a very different thing. Sometimes you can dabble, right, and do some of the tech stuff and help your
team out, but that is not your primary job because that can come at the expense of taking care of your team. And if your team doesn't have their boss supporting them, bad times. So very important if you're looking to be leaders. If you do want to be a leader, you got to start by changing your frame. Learn the language, culture of business, watch different YouTube videos, read different articles, use different language when you speak, meet different people locally, LinkedIn, get mentors, and more. This is a career shift and you need to research and learn that career and learn about it. You need to build your people skills up and you do need to go beyond the technology
and security details, but you cannot lose the love of it. If you start to decide you hate technology, your team will sense that and they will hate you. You have to recognize that shift. A couple more and then we'll do the final tip slide. So career paths, this is a generalization, right? This is not a prescriptive thing. This is a generalization. Most folks start in some sort of operations support, whether it's help desk or tier one in a SOC, etc. Then there's a whole bunch of different technical specializations of being a security engineer, an AppSec engineer, SecOps analyst, red team, pen testing. There's a bunch of different careers. And then sort of over the top of all
that is the architecture, right? Which is how do all these different things fit together, right? Because that's what architects do. And they're getting deeper into the people skills. Want to emphasize here, not just empathize. Technology skills don't go away, but they often change in nature. So, instead of knowing every single registry or Linux file setting or configuration, you know where to look it up, you know who to ask how this particular thing works. Those technical skills change and you're always, always, always adding people skills. You have to be able to influence people, and as much as you know stuff on the technology and security side, if you don't, then you're not effective. Think about it this way. If
I'm a technology team and nothing has changed in the organization over the past year, I haven't been successful, because technology is about change, making the business processes better. Same thing with security, making it more secure. If nothing has changed in the technology landscape that I'm helping to try and secure over the past year, I have not been successful in that year. I have to drive change as a technology and security person. It's the nature of my job. So those people skills have to be growing from the very beginning and continuing, especially if you decide on taking that management track and especially if you go all the way up to senior leadership, because some CISOs do
go beyond there. So, senior leaders, I'm going to go through this very quickly. Educate and align with those non-security roles, guide, coach, and clear obstacles for their teams. And then the interesting thing is they're not the only ones doing this. They should not be the solo bridge. There's a bunch of roles. Everybody has to talk with non-security people, but there's a bunch of roles where you should be doing it a lot and regularly. So, I do want to have time for questions. So, I will wrap it up very quickly here. Security practitioners, get stuff done. Be part of the team. Continuously learn, adapt, and tell your story. Aspiring leaders, learn that business side. Get your mind in that
space. Get your language in that space. Build your people skills. By the way, people hire someone that is already doing the job or part of the job. Those are the best people that they want to hire, someone that's not just aspiring to do it, but they're already growing beyond their current role and they're starting to do it. I'm going to pick that candidate over someone else in a heartbeat because I know they care enough to do it and stretch beyond their current job. I just got lost. Okay. Language, culture of business, build your people skills, get beyond the tech without losing the love. And then security leaders, you've got to educate those
business leaders and align to the business and take care of your team. So, a couple resources for you. I did promise the discount code, but The Open Group standards got some links there. I'll be sharing this deck out. The Security Adoption Framework at Microsoft is what I work on to bring all this stuff to life with Microsoft tech. The Zero Trust Playbook there is the first of that series. Take a picture of that discount code. That's good till sometime in June, I believe. So, print and ebook. You do have to go to the Packt site, not Amazon, to get that discount. And Mark's list, I post a whole bunch of stuff there on my
LinkedIn. And there's some useful standards as well that I included too. So, questions. >> Sir, >> I was curious on why the CISO role was absent from your executive slide. >> Ah, that was actually there. It was the top of that bridging role. Oops, wrong direction. Let's try this one more time. Yes. Chief information security officer. >> Well, it was a little bit, it was a slide earlier in the back. >> Oh. Oh, you mean the progression one? >> Yeah. Had all the >> this one >> the CIO slide. It's like fifth or sixth slide. >> Oh, okay. With the full list. >> Yeah, it's on there. It's just buried in
technical leadership because it is one of several. You got your CIO that handles the tech you have. CTO is introducing new tech. CISO is securing over all of it. >> Question in the back. >> As a leader yourself, have you ever had experience where you have a member on your team who you see is maybe not up to par, but would be better in a different area? Have you ever coached them or redirected them to something that's more suited for their skill set? >> I've definitely coached and mentored people into different places. That is not my gift. I'm not a manager; I'm a very senior IC that works with a lot of
these leaders and managers. But yeah, I've actually coached and mentored people into those directions and I know a lot of people that do that. And it's the best thing you can do for an employee, is take care of them. If they're in the wrong job, you don't want to let them sit there, flounder, fail, and then fire them out. That's no good. You want to take care of them, and if you can find the right role for them in your company, Microsoft is big and diverse, that's usually the best option. And then if, you know, guess what? This person would be ideally suited for, you know, a different organization or competitor, customer,
whatever. You know, help them on the way. That's what the best managers do. Great question. Cool. I think we probably have time for like one more question. Anyone else got a question? >> Sure. >> I was just... This is a little bit personal, but I'm curious, like, how much do you spend your time working on what you would consider Microsoft things versus like things. >> So, I've tied those two together. So, all the stuff that was blocking people from fully taking advantage of our products and technologies, either seeing the value before sale or using it after the sale, we kind of addressed a lot of the technical blockers, the architecture blockers and all that kind
of stuff with my early work. And then we realized some of the stuff that was broken was just endemic to the system, and it didn't make sense to publish this under a Microsoft name. And so what we're doing is we're publishing this, and The Open Group has its own processes, right? This isn't Microsoft just dumping stuff on them. And so the idea there is, as I develop stuff in there, then I bring it back and it becomes part of the CISO workshop, part of the MCA. The recent release of the MCR has probably about a dozen Open Group slides which we credit, including that RO slide and a few others, just to, you
know, yeah, because we want the world to have it and to sort of straighten out the industry, but we also want to then take advantage, map our products to it, show how that works. So it's hard to draw a line, if that makes sense. >> Awesome. With that I will close out. Thank you all very much for coming. I really appreciate you spending your time here listening to me blab on. Thank you.