I was having a very interesting conversation today with a Security Architect who has done all of the SABSA training, and one of the things he mentioned was how overwhelming it all seemed. In fact, his position was that, because it was so big, it wasn’t really practical to use the whole thing—unless you were doing something completely hard-core, government grade and safety critical.
And I can totally get that, I mean, you might remember that I used to teach Foundation, and it was a common comment during the week of training. I actually went through the material with a fine-toothed comb – multiple times – and discovered that, by my count, there’s 7 primary frameworks (counting the Architecture framework, which is basically the Matrix and the overlay), and then there are 11 supporting frameworks, give or take a few things you might be able to argue either are or aren’t frameworks on their own.
As he said, it’s a bit of a beast…
…but only if you try and digest it all at once. If you try that, you’ll end up looking like that cartoon of the python who ate the piano—wearing a very uncomfortable and sad face indeed.
Now you’ve heard me talk about my old customer Carlos. Yeah, the “You must cut the elephant into pieces,” Carlos. And it’s really the reason I don’t really talk to my customers and clients about the matrix very much at all. I mean, sure, in the first week of the Building Effective Security Architectures program, I do a whirlwind tour through SABSA, which necessarily includes introducing the two matrices.
But the most important thing you can ever remember about SABSA – even if you remember nothing else that I say…or write in these emails – is that the SABSA matrix isn’t SABSA. The SABSA matrix *organizes* the other Frameworks and concepts of SABSA into a layered architecture model so that you can have a quick-reference for where everything more-or-less lives.
And I say “more-or-less” because some of the labels in the Matrix – even the recent updates – are a little tricky to extract on their own unless you really understand how the whole thing works.
But it certainly isn’t a step-by-step guide you must slavishly follow from top left to bottom right – like a rather formally specified security architecture Bingo card – every time you apply the method. That would be crazy indeed!
So, my approach?
I ignore it.
Blasphemy, I know. And, were John, David and Andy not long-time, personal friends of mine, it’s something for which I would otherwise probably expect a Zeus-like lightning bolt crackling out of the sky headed straight for my left testicle for saying such a thing.
Because after digging through all the material, taking it apart, carefully reconstructing and aligning it so that each and every piece fit nicely together – regardless if you were coming from a security operations, security architecture or operational and business risk background – what I discovered was…
…all those boxes in the matrices…all 66 of them…only exist so you can identify, define, organize and annotate 3 pretty straightforward things:
- The SABSA Governance model
And that last one is the ultimate “secret sauce” of the whole method, because it gives you a formalized model that, once they understand it, either makes other types of architects green with envy…
…or they just get pissed off, take their toys and go home—never speaking to you again…because they can’t understand why all of the complexity they learn in their own approaches to architecture…
(*cough* TOGAF *cough*)
…isn’t really necessary to get the job done.
And that “job” is to protect and enable the organization as it goes forth, rescues damsels in distress, tames wild beasts, fights the demonic hordes of APT hell…
…and still gets home in time for dinner, a hot bath and a bedtime story for the kiddies—at least most nights of the week.
If you want to understand more about how this is possible, how to get inside the heads of your security customers, and how to reliably connect business strategy to security strategy to security operations using the power of a truly business-driven security architecture…
…then you might want to consider joining us in July for the 7 weeks of the Building Effective Security Architecture program. In it, you’ll learn to leverage all of the power of SABSA – in the right way, at the right time, to solve the right problems – as fast and easily as I’ve ever seen in doing it for 14 years.
To join us, simply visit this link with your credit card in hand:
And if you do it before Sunday night at midnight, US/Eastern, you’ll get a whopping $2,000 discount off the regular price of the program. But be warned, this isn’t for everyone. It’s not a go-at-your-own-pace program that you can buy, forget about and never visit…or at most watch 1 or 2 videos, get distracted, and never make it back to again.
Nope, it’s not like that at all.
It’s a LIVE cohort of fellow architects and security professionals who are all working through the materials at the same time, doing the same exercises as you, and who will be giving you peer feedback on your answers each week—the same as you will be doing for them.
And, you’ll have the chance, every week for the 7 weeks of the cohort during one of our live Q&A calls, to ask me any questions you might have about the materials and exercises of the program…
…as well as anything you’d like to know about how to apply it to a situation you’re facing now, or one you’d like to know how different it would look if you’d applied the Principles, Practices and the Baseline Perspectives™ of The Agile Security System™ instead of the approach you used at the time. In fact, we had a bit of that on the last call I did with the previous cohort this week.
Sooooo….if you’re ready to develop some new security skills you can immediately put to work, are committed to showing up and doing what needs to be done for the 7 weeks of the cohort, and are prepared to give and receive open, honest and constructive feedback on your progress…
…then what’re you waiting for? Get clicking this link, already:
But if you’re not, or you’re not yet sure if it’s right for you, then by all means either just give it a miss, or think about it enough to make sure it’s the right choice for you. It’ll probably work out better for all of us that way.
Andrew S. Townley
Archistry Chief Executive