SABSA foundation training review
UnixGuy | SABSA, GCFA, GPEN, CISM, RHCE, Security+, Server+, eJPT, CCNA | Posts: 4,048 | Mod
edited June 7 in Other Security Certifications
So I had the pleasure of attending SABSA foundation training by none other than David Lynas (one of the original authors of the framework).
Now if you live in the US, there's a strong chance that you haven't heard of SABSA.
So what is SABSA?
It's an 'Enterprise Security Architecture' framework. This is the simplest definition that I could come up with. You can Google it to get more info.
Who uses SABSA?
SABSA is extremely popular in Australia, New Zealand, South Africa, Malaysia, Singapore, Canada, UK, Middle East and other Western European countries. It exists elsewhere, but that's where it's most popular.
Now that's not to say it's never been used in the US...the author told us multiple stories throughout the training about his engagements with a big part of US Defence, NASA, and other government organizations.
I don't want to bore you with more details, but I want to clarify a few things, especially since there was a thread about it here in this forum: https://community.infosecinstitute.com/discussion/130254/sabsa-highly-recommended-for-enterprise-solution-architects
SABSA is NOT the equivalent of TOGAF or Zachman.
TOGAF is a framework for Enterprise Architecture. SABSA is a framework for Enterprise Security Architecture.
If you're a TOGAF shop, then SABSA will fit nicely to cover the security part. Ditto for Zachman (which is a dying framework outside of the US but I digress).
SABSA integrates well with service management frameworks such as ITIL. It also works with Risk assessment frameworks such as ISO 27001 and NIST.
My review of the training:
The instructor is top notch, a real veteran in the industry. His consulting stories with big name clients are impressive and he knows what he's doing.
The most value I got from the training is how to translate security requirements into proper business language. If you've struggled to talk to senior executives about security, then this training is excellent. I've never struggled before, but I still got plenty of value out of it.
If you are or want to be an enterprise security architect, then there is simply no other training course that covers this topic.
If you are American and you're worried that your local market won't recognise the cert...you will still get plenty of value from the training. You will gain marketable skills (even if your employer hasn't heard of SABSA, they still have business objectives and a budget for security...architect that). SABSA training runs in the US, and there are plenty of SABSA certified people in the US; I don't believe it appears on American job boards.
The exam is on the fifth day and this is the worst part. You really have no time to study, and the questions are wordy (the instructor joked about how CISSP questions are wordy multiple choice...I'd say his questions are WORSE). Think of wordy CISSP questions, then re-write them in 18th century Her Majesty's English vocabulary.
I've got questions that say "What's the LEAST TRUE"....seriously?
Anyway, I don't know if I passed or failed the SABSA SCF, but I don't really care about the piece of paper. I'm at a point in my career where certs add no value to me anymore (well, apart from the knowledge that I gain, the piece of paper doesn't add much).
I've got the value that I'm after, and I'm a lot more comfortable communicating and creating sound enterprise security architecture.
Can't attend the training or don't wanna pay for it? No problem, they have a book that explains the framework:
I can't comment on the quality of the book, and I'm aware it's a bit old now (2005), but I doubt much has changed. The instructor used sound engineering principles and the framework is designed to address the dynamic nature of IT Security (got a cloud or Agile environment? It shouldn't matter).
Goal: MBA, Jan 2021