I decided that I would like to write again for Medium. For those of you that read my SecArch Files, I’ll do so under a new name given this new topic: CISO Contemplations. Moving from consulting to a new and executive role within my organisation is a big change for me. I will be sharing some of the questions I ask myself and how I go about solving them to become a better CISO. I am looking forward to your feedback and I hope these articles will help you in your role.

We’re coming to a close of week 2…


Everybody has things in life they regret. Not speaking anymore with that childhood friend. Not studying harder for that exam. Eating that extra slice of pizza. In my case, I really, really regret not doing the SABSA Advanced Exam Papers immediately after the training when the content still seemed crystal-clear to me. Can I get a ‘hear, hear’ from the crowd?

The training was in March 2019. In my defense, I did both the A1 and A3 trainings back2back. Everybody would be daunted by the prospect of four exam papers (you need to do 2 per course). And life happened…


As an adventurous learner my eye is always on the horizon for the next big thing to learn. This week I dove into TOGAF and its ADM. I like that it seems to be more clear in its process steps and what is expected from each step than SABSA. But it brought me back to a discussion I’ve had with various people in the community. How do we relate Enterprise Architecture (EA) and Enterprise Security Architecture (ESA)? And how useful is it for me to become an ‘expert’ in Enterprise Architecture?

So, let’s set the scene:

  • Enterprise architecture (EA) is…

Then, let’s face it, it should be like COSAC. Period. What follows is an eye-witness account of the incredible value that COSAC brings. Why? Because I tell many of you to come and join me at COSAC and then you don’t show up! You make all kinds of excuses about partners and children (bring them!), holidays (in October?!), bosses (do you normally listen to them?) and the money (come and speak == conference is free). I think that some of you stayed away because nobody has been able to convey the true value of the COSAC Security Conference to you…


Welcome back to this article series that dives into what it is that a Security Architect does and what tools in the shed are needed to achieve ‘greatness’. In part I of this article series I talked about what tasks, knowledge, skills and abilities a Security Architect needs. This part II brings you useful learning resources that match these requirements.

In our Cyber team at Deloitte Netherlands we use Gallup’s CliftonStrengths test. The test gives you insight into your ‘Top 5 strengths’. Instead of focussing on where people need to improve, we focus on their strengths. Strengths are things that…


Too long have we lived in the shadows of theory and spaghetti diagrams! Too long has our architecture been misunderstood by those who pay us! Too long blame of not adding value to the business has stained our hands! It is time to call all Security Architects to arms!

Our weapons of choice are the power of reason, the snazziest of diagrams and the arcanest (is that a word? most arcane?) of technology knowledge. And let us not forget about SABSA Business Attributes! Last week we released something quite exciting at The SABSA Institute — our Call for Attributes.

Next…


In an earlier article we tackled the question of what Security Architecture is. Today’s article is about why others should care. The first one may be the most difficult question, but this one is the most important question. What’s more frustrating than you slaving away on Security Architecture, and your colleague goes: “So what?”. Or worse: what if your boss goes: “So what?”. Talking about Security Architecture can feel like shouting in the desert with no one listening.

Some of you may know I am a Director at the Board of Trustees for The SABSA Institute (TSI). Every year at the…


Those who know me well, know I fell in love with the COSAC conference first, SecArch second. Maurice Smit invited me to come and speak at COSAC in one of the non-SABSA security tracks. My first year I entered the SABSA Design Off contest, not knowing what SABSA even was. The following years my interest grew as I stayed connected with the COSAC architects. But every time I entered a talk in the SABSA track, I felt I did not know what these people were on about. The pivot occurred in 2017 when I followed my SABSA Foundation Course with…


Drumroll…. I think it is this one:

What is Security Architecture?

Uhm, Esther, are you sure? Seems pretty basic to me.

When me and my team were creating our new Security Architecture brochure at Deloitte, we got a lot of feedback on a certain slide. Our definition slide. “Why do you need to explain what it is, isn’t it clear?” and “We never put in definition slides in our brochures.” And this is fair as for most security capabilities the answer is very intuitive. E.g. our incident response team helps you respond to cybersecurity incidents. They come in, assess the situation, take actions to limit the damage and get you…


I had the pleasure of participating in both the SABSA A1 and SABSA A3 courses in February/March 2019. Doing the course and passing the exam that follows are two very different things. The official period for submitting your exam is four weeks — rarely anyone is actually able to do that. This blog is about my journey in the past year of doing my SABSA A1 Exam.

First up, what kind of exam is it?

There are three kinds of certifications in the SABSA world:

SABSA SCF (Chartered Foundation). The foundation level is the easiest title to get. You do a week-long course with an accredited training…

Esther Schagen-van Luit

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account
