Mark Simos

@MarkSimos

Followers 6K · Following 7K · Media 470 · Statuses 3K

Simplify and clarify • Cybersecurity architecture and strategy • Business + Security Alignment • Make the world better @markasimos.bsky.social

Joined July 2016
@MarkSimos
Mark Simos
4 years
All 18 of the Microsoft Cybersecurity Reference Architectures (MCRA) videos are now up! We cover detailed technical information + context on security threats and business risk. Share and Enjoy! https://t.co/Q3twt7q4X0 Many thanks to my incredible co-presenters!
6
109
279
@MarkSimos
Mark Simos
4 days
I found myself using this career advice slide a lot lately and thought I would share it more broadly.
0
2
16
@MarkSimos
Mark Simos
6 days
We were tempted to add this to the security glossary definitions, but we reluctantly decided to take it out (see? standards people have a sense of humor as well 😀). For more on the roles and glossary standard (and others in this body of knowledge), see https://t.co/v8W4lNrvii
0
0
1
@MarkSimos
Mark Simos
8 days
You can never have perfect security, but you can make them work harder, spend more, get less, & worry if their investments will work, and whether their attempts will get them caught. It's the difference between attackers paying $5 for a good lobster dinner vs. $50k for a crappy shrimp.
0
0
0
@MarkSimos
Mark Simos
8 days
Attackers want cheap, easy, and reliable access to your assets. The job of defenders is to take those away from them. Everything in security is about removing the cheap, easy, and reliable options from the threat actor menu.
1
1
4
@MarkSimos
Mark Simos
9 days
Links to the currently released draft of the reference model standard (and others) are in this article: https://t.co/tEJsZADy59. If your organization is a member of The Open Group, you can very likely join in on this fun work. See the list here - https://t.co/Cr3H4c8lQM end 🧵
opengroup.org
The Open Group is comprised of 900+ memberships from organizations all over the world, which range from major corporations, small to medium-size businesses, government organizations and consortia,...
0
0
0
@MarkSimos
Mark Simos
9 days
Slides for the existing Security Operations (SecOps/SOC) and Identity and Adaptive Access Management (IAAM) capabilities and ABBs are included in the MCRA along with mappings to Microsoft technology.
learn.microsoft.com
Detailed technical reference architectures for multicloud cybersecurity including Microsoft and third party platforms
1
3
4
@MarkSimos
Mark Simos
9 days
◼️ We had to get into organizational design approaches to ensure a coherent and integrated approach to security across all roles. It's been a long time since most organizations have integrated a new org-wide function that changes all roles (OT/IT tech in the 1960s+ was the last).
1
0
0
@MarkSimos
Mark Simos
9 days
◼️ Security SIG is a challenging and complex discipline with many parts. SIG is a modernization of classic GRC focused on an _integrated_ support function of the organization's GRC (reducing focus on compliance as primary/only source of requirements in classic security)
1
0
0
@MarkSimos
Mark Simos
9 days
A couple of key insights: ◼️ Business critical assets are anything with a big business impact. It may be business critical because it's intrinsically important to the business (high value asset) or because its functionality (privileged access like IT admins) makes it high impact.
1
0
0
@MarkSimos
Mark Simos
9 days
We focused on crafting the capabilities and enabling architecture building blocks (ABBs) for Security Strategy, Integration, and Governance (SIG), Security Posture Management, Privileged Access and High Value Assets (which we are starting to call PAHVA :-), and a few others.
1
0
0
@MarkSimos
Mark Simos
9 days
We spent some time working on security capabilities for the next revision of the Zero Trust Reference Model standard at The Open Group conference. Short 🧵 with some updates and insights.
1
2
4
@MarkSimos
Mark Simos
12 days
This list of roles was contributed to the upcoming Security Roles and Glossary standard from The Open Group to make them broadly available to all. For more information, see this article - https://t.co/RFIwLBHqRO end 🧵
linkedin.com
This is proposed text I am working on for Security Operations (SecOps/SOC) roles and responsibilities for the upcoming security roles and glossary standard from The Open Group. See this webinar...
0
0
0
@MarkSimos
Mark Simos
12 days
This came up as I was writing some text for the SecOps playbook on the impact of Zero Trust, AI, post-quantum, etc. The first book of the series is published and available at
amazon.com
1
0
2
@MarkSimos
Mark Simos
12 days
We must be thoughtful as we determine what to automate with AI and any other technology to ensure that our short term gains don't lead to a higher long-term cost.
1
0
0
@MarkSimos
Mark Simos
12 days
2. institutional knowledge (e.g. someone who actually understands the system/history/etc. to add context to decisions), and 3. human skills (which atrophy if not used). A fully automated system can be very efficient and effective, but also very fragile.
1
0
1
@MarkSimos
Mark Simos
12 days
Additionally, you may not want to automate all tasks fully. Automation dramatically increases efficiency and reduces cost in the short term, but does so at the cost of 1. human critical thinking (very important for a SecOps analyst who deals with active human adversaries),
1
0
0
@MarkSimos
Mark Simos
12 days
The _job tasks_ (or their subtasks) are what can actually be automated by AI, scripts, and other means. You can't automate the function unless all the tasks are automated and you can't automate a role unless all the role functions are fully automated.
1
0
0
@MarkSimos
Mark Simos
12 days
The job function of 'Investigate and remediate higher complexity attacks' is accomplished by tasks like looking for the source of the attacks, identifying the scope of the attack, determining the identity and goals of the attacker, documenting learnings, etc.
1
0
0
@MarkSimos
Mark Simos
12 days
For example, a SecOps Investigation (Tier 2) analyst role performs multiple job functions including 'Investigate and remediate higher complexity attacks', 'Analyze incident impact and root cause', and more.
1
0
0
@MarkSimos
Mark Simos
12 days
◼️ Those job functions are actually composed of one or more (usually more) tasks that are specific, concrete, and repeatable (like buttons, cloth, dyes, etc.) - though they vary by organization on how they implement the job function.
1
0
0