SABSA foundation training review

So I had the pleasure of attending SABSA foundation training by none other than David Lynas (one of the original authors of the framework).
Now if you live in the US, there's a strong chance that you haven't heard of SABSA.
So what is SABSA?
It's an 'Enterprise Security Architecture' framework. This is the simplest definition that I could come up with. You can Google it to get more info.
Who uses SABSA?
SABSA is extremely popular in Australia, New Zealand, South Africa, Malaysia, Singapore, Canada, UK, Middle East and other Western European countries. It exists elsewhere, but that's where it's most popular.
Now that's not to say it's never been used in the US...the author told us multiple stories throughout the training about his engagements with big part of US Defence, NASA, and other government organizations.
I don't want to bore you with more details, but I want to clarify a few things, especially since there was a thread about it here in this forum: https://community.infosecinstitute.com/discussion/130254/sabsa-highly-recommended-for-enterprise-solution-architects
SABSA is NOT the equivalent of TOGAF or Zachman.
TOGAF is a framework for Enterprise Architecture. SABSA is a framework for Enterprise Security Architecture.
If you're a TOGAF shop, then SABSA will fit nicely to cover the security part. Ditto for Zachman (which is a dying framework outside of the US but I digress).
SABSA integrates well with service management frameworks such as ITIL. It also works with Risk assessment frameworks such as ISO 27001 and NIST.
My review of the training:
The instructor is top notch, a real veteran in the industry. His consulting stories with big name clients are impressive and he knows what he's doing.
The most value I got from the training is how to translate Security requirements to a proper business language. If you've struggled to talk to senior executives about security, then this training is excellent. I've never struggled before, but I still get plenty of value out of it.
If you are or want to be an enterprise security architect, then there is simply no other training course that covers this topic.
If you are American and you're worried that your local market won't recognise the cert, you will still get plenty of value from the training. You will gain marketable skills (even if your employer hasn't heard of SABSA, they still have business objectives and a budget for security....Architect that). SABSA training runs in the US, and there are plenty of SABSA certified people in the US; I don't believe it appears on American job boards.
The exam is on the fifth day and this is the worst part. You really have no time to study, and the questions are wordy (the instructor joked about how CISSP questions are wordy multiple choice...I'd say his questions are WORSE). Think of wordy CISSP questions, then re-write in 18th century Her Majesty's English vocabulary.
I've got questions that say "What's the LEAST TRUE"....seriously?
Anyway, I don't know if I passed or failed the SABSA SCF, but I don't really care about the piece of paper. I'm at a point in my career where certs add no value to me anymore (well apart from the knowledge that I gain, the piece of paper doesn't add much).
I've got the value that I'm after, and I'm a lot more comfortable communicating and creating sound enterprise security architecture.
Can't attend the training or don't wanna pay for it? No problem, they have a book that explains the framework:

I can't comment on the quality of the book, and I'm aware it's a bit old now (2005), but I doubt much has changed. The instructor used sound engineering principles and the framework is designed to address the dynamic nature of IT Security (got cloud or Agile environment? It shouldn't matter).
Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE
Check out my YouTube channel: https://youtu.be/DRJic8vCodE
Comments
I've purchased the book (because of you) and can't wait for it to arrive.
I might check out the exam if I enjoy the material in the book.
Best of luck with the results.
Great to hear.
2023 Cert Goals: SC-100, eCPTX
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
You're right that SABSA is a security framework, but in my work with it over the last 14 years, I've also applied it to real enterprise architecture (as opposed to just enterprise IT architecture), as well as working with business leaders to help them achieve their organizational objectives—not to mention as a general framework for effective risk management.
One of the biggest problems I've seen with people who see the value in SABSA is actually putting it in practice. What are your ideas for how you'd do that yourself?
Having done a good bit of work with TOGAF in the past (and a good bit more avoiding using it). It's interesting too that you mentioned the words "TOGAF" and "agile" in the same description of the other members of your cohort, which is also generally a recipe for disaster in any case. Add the fact that most people really don't understand Agile to the fact that most people really don't understand TOGAF, and, well... there you go.
As someone with a good bit of real-world technical experience, I do tend to agree with you. However, given some of the people I've had in the Foundation courses I used to teach, this can also cause problems because people with high levels of comfort in technology often want to "jump in" because they "know" what the right answer should be. They just don't have enough background into the business fundamentals of the organizations they're trying to support, and that's one of the reasons that when I developed our own security architecture courses, I spend 2 weeks giving people a crash course in the fundamentals of business so that they can better relate to their security customers.
The best architects I've ever met had a good blend of business knowledge, technical expertise and working knowledge of several different frameworks and roles, e.g., business architect, business analyst, software development, operations, testing and support. It's not easy to put all those together for sure, but I think ultimately that the title architect has to mean polymath to at least some degree.
To your point on Agile, the best approach to agile architecture was a quote I heard from Martin Fowler which I'm paraphrasing here, "Architecture is the decisions you make that are the hardest to change and that are the most important for ensuring things stay consistent." And most people don't realize that agile, by definition is what it is so project teams can more easily manage risk and adapt to change.
I'm glad you seem to have gotten a lot out of it. The Requirements Engineering aspects are certainly a key part, but they're really only the beginning. It doesn't really deliver its full value until you start embracing some of the more fundamental concepts across all of your thinking—but then I've been doing it for quite a while at this stage.
What was your primary motivation for taking the course? Was it just about the RE aspects?