I’ve been having quite a number of conversations recently with people about their experiences with putting SABSA into practice. I know I did this in 2017-2018, but these are new conversations, so some new insights are emerging.
An interesting conversation I had yesterday with a couple of people highlighted a pretty big perception problem. And in fairness, it’s a perception problem I’ve been fighting for a number of years now, actually.
So let’s start with a question:
When you think of applying SABSA to a problem, what comes to mind? What is it that you think you need to do?
And if you want to reply to this email and tell me, that’d be cool too. It’s not entirely a rhetorical question.
A long time ago in a country far, far away, I discovered the work of Erich Fromm. Now Fromm was a German Jew who was quite an accomplished thinker and writer in terms of psychology, philosophy and sociology. Now, while I don’t always agree with his politics, there’s one book in particular he wrote that’s relevant here to the shift of mindset you actually need to make in order to start getting value out of SABSA.
That book was To Have or To Be? It was originally published in 1976, and I think it’s worth a read for anyone who enjoys thinking more deeply about themselves and the world we live in.
The contrast between the two viewpoints or approaches to life is basically this: either we are the sum of what we have or own, or we choose to focus on defining what it is that we think is important and then striving to make sure we live up to those ideals, independently of what anyone else chooses to think of us.
Now, it’s some pretty deep stuff, and certainly not everyone’s cup of tea, as they say.
However, it was the first thing that came to mind after a couple of the conversations I had yesterday about SABSA.
Certification junkies just see SABSA as one more badge they can add to their LinkedIn profile and move instantly on to the next one. It’s part of their collection. It’s a test they’ve passed, and if they somehow ever find an environment where it can be used, then they’ve already passed that test.
They’re not the kind of people who are going to try and figure out how to apply it because they’re too focused on collecting proof that they’re Security Wizards and can do everything with anything you might ask them to use.
Not surprisingly, these aren’t the people who are on the list getting these emails with you. Or if they are, they’re breaking their fingers clicking the Unsubscribe link at the bottom of this email just now.
And that’s cool.
In fact…it’s even better that way.
But for everyone else, there’s this challenge you need to face on your SABSA journey that – as I see it, anyway – is pretty much the ultimate rite of passage for you. Because while the certifications are nice, they’re not the point—or they shouldn’t be if you really believe in the value of SABSA.
By all means get them. All of them that make sense to you. You’ll come out of it better.
But there’s a not-so-subtle shift you have to make in your little brain if you want to be successful with SABSA, and, to bastardize an iconic line from the Matrix:
There is no Matrix.
The 2 SABSA matrices are interesting and useful frameworks for thinking and problem solving, but those two grids of 66 cells aren’t a list of something you create…
No, dear reader…SABSA is a way of solving problems that you DO.
So that means, you don’t have SABSA…you DO it. It’s not some framework to map side-by-side with your-favorite-framework-du-jour to show how it all relates, and draw some nice mapping views, boxes and lines to show how amazing you are because you’ve “mapped” or “aligned” Framework X and SABSA.
That’s missing the point. That’s about HAVING…
Look, Ma. We’ve got SABSA, and NIST…and ISO…and ISF…and Monkeys Fly Out Of My Butt!
And they’re all in one place!!!!
Isn’t that AWESOME?!!??!!
…er…no.
You…point…1 bazillion miles apart.
If you actually “get” SABSA, it’s a state of being. It’s a way you look at solving problems. It’s a set of techniques you use together to help you accomplish something else.
…and that “something else” isn’t filling in 66 boxes so your manager, boss, customer or significant other can pat you on the head, give you a chew toy and say, “Good boy/girl/undecided/both/person/whatever/notactuallythepointofthestory.”
If you think of SABSA as a state of being, then you actually…well…apply it. You get a problem of “how will I approach this risk assessment?”
And you start thinking in terms of attributes and domains to target the risks to the smallest and most relevant part of your customer’s world so you can give them the best answer.
Or…
You get a problem of “how will we demonstrate compliance with Framework X?”
…and, Wow! The crowd lapses into hushed silence when you start…
building attributes and domains.
Huh. Maybe there’s a pattern here?
Or maybe not.
Everyone’s gotta make their own choice. Certification Junkies are gonna keep testin’, and collectors are gonna keep collectin’.
If you actually want to start BEing the best security professional you can be – regardless of your role within the organization – then I have something that might help.
Go to https://securitysanity.com right now…no, seriously. Right now.
And subscribe to our new print newsletter, and sometime after August 1st when it goes to the printer, the easiest way I’ve ever found to get started BEING a SABSA practitioner is laid out in about 47 pages that you can read and apply right now.
Or not.
Feel free to keep mapping away like a one-armed paper-hanger if you want. I’ll be here either way.
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive
P.S. Here’s something you can do if you liked today’s post: you can sign up for those daily emails that annoying pop-up keeps asking you about. Or, if you want to know more about what you’re going to get if you do and how it works, then just go knock on the front door: https://archistry.com and you’ll get the whole deal.
Or…you can just keep reading the blog, or ignore me and Archistry altogether. I’m good either way.