Money. Or the lack thereof. Without resources no security program can even begin to mitigate the many threats we all face. I have often heard this complaint at professional meetings, but it was really made clear in Michael Oberlaender’s worthwhile book "C(I)SO—And Now What?: How to Successfully Build Security by Design."
He lists the top risks faced by CISOs…and puts budget shortfall at the top - right above management and users. This may not be news to you, but solutions have always been hard to come by. Last month I attended the semi-annual meeting of the Nashville SABSA group at Vanderbilt Medical Center, and one solution did become much clearer.
SABSA is probably the best business oriented security methodology that we have. This includes all of the usual suspects, PCI, NIST, COBIT, ISO 27001, etc. If you are looking for support for your security program, business orientation is step one and that is where SABSA comes in. SABSA is not a prescriptive security framework for your company, but a methodology and skill set you can use with any required framework. Its strength is aligning security with business goals. In this post I will summarize the SABSA principles and pros and cons, which will hopefully motivate you to learn more.
SABSA has been around since 1995 and stands for Sherwood Applied Business Security Architecture, after John Sherwood, the original creator. Its real strength is that it is top-down security, starting from the business needs. Business considerations are going to increase in importance now that basic compliance frameworks have been established and security technology adopted. The big question is how to put these frameworks and technology into a security architecture that does not have holes. In the SABSA context, security architecture refers to the sum total of people, process, technology and partners, not just security “technology architecture”, the way most professionals use the term today.
I picked up more insight on related trends at a Secure World Atlanta keynote last week. Ben Desjardins of Radware spoke of the growing importance of security automation; and also pointed out that this trend would eliminate or at least change some of the jobs that keep security operations people busy today. Time to up your game and find out what the business really needs.
SABSA’s security model embraces the notion of risk as opportunity and threat. This is always done in financial analysis, but not security, where practitioners often are focused only on threats. A security initiative is an opportunity to reduce risks, as well as lower costs and improve user experience. This was highlighted in a great blog post from Bob Deutsch.
The SABSA model of security architecture comprises six layers, starting with the contextual layer at the top. This is where the business attributes are defined and a risk analysis is done. Again, a SABSA risk analysis includes both negative and positive outcomes. The conceptual layer defines the security strategy, based on risk analysis and existing security controls. The output is the set of control objectives. The remaining four layers enable building out and operating the security architecture.
So how do you learn about SABSA? Start with the 30 page white paper. This should be required reading for all security managers. Next check out www.sabsaworld.org, which highlights activities of regional SABSA practitioners. SABSA training courses are offered here. Finally, if you want to really get into SABSA, you can purchase or rent Enterprise Security Architecture, by John Sherwood.
All of this highlights the downside of SABSA: it has a challenging learning curve. Virtually nothing is available online. However, you can get started with a one-week investment in face to face training; after passing two exams you will receive the SABSA Chartered Architect certificate. No, this cert is not as well-known as the CISSP. But our field is changing and approaches like SABSA will help us all stay relevant to the business.