SABSA foundation training review

UnixGuy

So I had the pleasure of attending SABSA foundation training by non other than David Lynas (one of the original authors of the framework).

Now if you live in the US, there a strong chance that you haven't heard of SABSA.

So what is SABSA?

It's an 'Enterprise Security Architecture' framework. This is the simplest definition that I could come up with. you can Google it to get more info.

Who uses SABSA?

SABSA is extremely popular in Australia, New Zealand, South Africa, Malaysia, Singapore, Canada, UK, Middle East and other  Western European countries. It exists elsewhere, but that's where it's most popular.

Now that's not to say it's never been used in the US...the author told us multiple stories throughout the training about his engagements with big part of US Defence, NASA, and other government organizations.

I don't want to bore you with more details, but I want to clarify few things, specially that there was a thread about it here in this forum: https://community.infosecinstitute.com/discussion/130254/sabsa-highly-recommended-for-enterprise-solution-architects

SABSA is NOT the equivalent of TOGAF or Zachman.

TOGAF is framework for Enterprise Architecture. SABSA is a framework for Enterprise Security Architecture.

If you're a TOGAF shop, then SABSA will fit nicely to cover the security part. Ditto for Zachman (which is a dying framework outside of the US but I digress).

SABSA integrates well with service management frameworks such as ITIL. It also works with Risk assessment frameworks such as ISO 27001 and NIST.

My review of the training:

The instructor is top notch, a real veteran in the industry. His consulting stories with big name clients are impressive and he knows what he's doing.

The most value I got from the training is how to translate Security requirements to a proper business language. If you've struggled to talk to a senior executives about security, then this training is excellent. I've never struggled before, but I still get plenty of value out of it.

If you are or want to be an enterprise security architect, then there is simply no other training course that covers this topic.

If you are American and you're worried that your local market won't recognise the cert..you will still get plenty of value from the training. You will gain marketable skills (even if you're employer haven't heard of SABSA, they still have business objectives and a budget for security....Architect that). SABSA training runs in the US, and there are plenty of SABSA certified people in the US, I don't believe it appears on American job boards.

The exam is on the fifth day and this is the worst part. you really have no time to study, and the questions are wordy (they instructor joked about how CISSP questions are wordy multiple choice...I'd say his questions are WORSE). Think of wordy CISSP questions, then re-write in 18th century Her Majesty's English vocabulary.

I've got questions that say "What's the LEAST TRUE"....seriously?

Anyway, I don't know if I passed or failed the SABSA SCF, but I don't really care about the piece of paper. I'm a point in my career where certs add no value to me anymore (well apart from the knowledge that I gain, the piece of people doesn't add much).

I've got the value that I'm after, and I'm a lot comfortable communicating and creating sound enterprise security architecture.

Can't attend the training or don't wanna pay for it? No problem, they have a book that explains the framework:

I can't comment on the quality of the book, and I'm aware it's a bit old now (2005), but I doubt much have changed. The instructor used sound engineering principles and framework is designed to address the dynamic nature of IT Security (got cloud or Agile enviroment? It shouldn't matter).

ansionnachcliste

Great post, thank you.

I've purchased the book (because of you) and can't wait for it to arrive.

I might check out the exam if I enjoy the material in the book. 

Best of luck with the results. 

UnixGuy

@ansionnachcliste glad you enjoyed the post! I still haven't heard whether I passed or not, but chances are I didn't pass. I'm thinking of summarising the material and potentially buying the books to understand the topics a little bit better, and have a crack at the exam later this year (in between my MBA subjects...)

UnixGuy

Well what a nice surprise, I PASSED

My scores:

F1 module: 88%

F2 module: 81%

The passing score is 75% so I did pretty well. I honestly wasn't sure I passed at all. The cert doesn't expire. Pretty happy with this. I'm usually good with doing one certification per year, specially that my focus is on my part-time degree at this point.

ansionnachcliste

Awesome!

Great to hear. 

averageguy72

Congrats!

Johnhe0414

@UnixGuy Congrats!

chrisone

Congrats! I have the book and read up a lot about SABSA, but I haven't had the time to focus on the topic. I bought my book used on amazon and it was signed by Lynas lol

JoJoCal19

Congrats on the pass! SABSA is still on my wishlist. 

atownley

As someone who used to teach the Foundation course, I'm really glad to hear your perspective on it. I agree that there's a lot of value in applying those core concepts of tying security to the business, and that's going to be relevant whoever you work for and whatever frameworks they use.


You're right that SABSA is a security framework, but in my work with it over the last 14 years, I've also applied it to real enterprise architecture (as opposed to just enterprise IT architecture), as well as working with business leaders to help them achieve their organizational objectives—not to mention as a general framework for effective risk management.


One of the biggest problems I've seen with people who see the value in SABSA is actually putting it in practice. What are your ideas for how you'd do that yourself?

UnixGuy

@atownley Welcome to the forums, glad that my post attracted a SABSA instructor to the forums!

To answer your question, I can see the issue in practice. Half of the class when I attended the training were "Domain Architects" from a big bank, a heavily regulated "agile" shop. It's a big TOGAF shop and they talked about how frustrating it was to implement the stuff they learned.

I personally think that the issue is a bit deeper. The main problem I noticed with the architects was that a shocking number of them didn't have a enough real world technical experience. I'm a big believer that a strong foundation of technical expertise is needed as a pre-requisitie to becoming an Enterprise Architect even though on paper it's not a requirement. I don't care how well they know frameworks, no foundational technical backgrounds means awful architect. This is non-negotiable in my books.

Second big issue I noticed is Agile. This is my personal unpopular opinion, but I found traditional architects struggling with the transition. There is a big push for Agile and quick continuous integration continuous deployments, and traditional purist architects may have issues with that.

I personally would implement SABSA architecture framework and references in any organisation. It works and it simplify things If was an Enterprise Security Architect. Even if you're not an architect, the training definitely helps you translate security requirements to business requirements. 

Curious to hear your thoughts on this!

atownley

Hi @UnixGuy. There were some good insights in what you posted, and given what I do, I try and keep up with people are saying and the issues they're facing in putting in practice what they learn.


Having done a good bit of work with TOGAF in the past (and a good bit more avoiding using it). It's interesting too that you mentioned the words "TOGAF" and "agile" in the same description of the other members of your cohort, which is also generally a recipe for disaster in any case. Add the fact that most people really don't understand Agile to the fact that most people really don't understand TOGAF, and, well... there you go.


As someone with a good bit of real-world technical experience, I do tend to agree with you. However, given some of the people I've had in the Foundation courses I used to teach, this can also cause problems because people with high levels of comfort in technology often want to "jump in" because they "know" what the right answer should be. They just don't have enough background into the business fundamentals of the organizations they're trying to support, and that's one of the reasons that when I developed our own security architecture courses, I spend 2 weeks giving people a crash course in the fundamentals of business so that they can better relate to their security customers.


The best architects I've ever met had a good blend of business knowledge, technical expertise and working knowledge of several different frameworks and roles, e.g., business architect, business analyst, software development, operations, testing and support. It's not easy to put all those together for sure, but I think ultimate that the title architect has to mean polymath to at least some degree.


To your point on Agile, the best approach to agile architecture was a quote I heard from Martin Fowler which I'm paraphrasing here, "Architecture is the decisions you make that are the hardest to change and that are the most important for ensuring things stay consistent." And most people don't realize that agile, by definition is what it is so project teams can more easily manage risk and adapt to change.


I'm glad you seem to have gotten a lot out of it. The Requirements Engineering aspects are certainly a key part, but they're really only the beginning. It doesn't really deliver its full value until you start embracing some of the more fundamental concepts across all of your thinking—but then I've been doing it for quite a while at this stage.


What was your primary motivation for taking the course? Was it just about the RE aspects?

UnixGuy

@atownley Good points, and true we had few "AWS technical" guys jump in and wanting to argue with David Lynas about how some concepts are wrong because they knew better - they completely missed the point.

I'm not an architect but I work in consulting and I help architects and businesses. My motivation was a mix of curiosity, wanting to learn more architecture, and just wanted more well rounded training as I've done a lot in the past.

I agree & disagree about the business knowledge. I'm half way through my MBA course and the term "business knowledge" is misleading. When it comes to architecture yeah you need to understand what the business actually does and why. To me this is just the basics  and honestly I see it a straightforward task.

Business knowledge is broader and a lot more than that, it means knowing things like finance, accounting, strategy, marketing, economics, .etc. I think this is out of the scope of Enterprise Architecture, but I do agree that having a basic understanding of the overarching business objectives, business unit functions, and business process mapping is essential for enterprise architecture.

I also agree with you, Architects need that mix of broad knowledge and it's VERY hard to find good ones.