Calling all Security Architects to Arms

Too long have we lived in the shadows of theory and spaghetti diagrams! Too long has our architecture been misunderstood by those who pay us! Too long blame of not adding value to the business has stained our hands! It is time to call all Security Architects to arms!

Our weapons of choice are the power of reason, the snazziest of diagrams and the arcanest (is that a word? most arcane?) of technology knowledge. And let us not forget about SABSA Business Attributes! Last week we released something quite exciting at The SABSA Institute — our Call for Attributes.

Next to my position as Director on the Board of Trustees, I also lead a working group called SABAC. SABAC is short for SABSA Attributes Catalogue. We use a lot of these abbreviations for working groups. I love that every so often during board meetings a Director goes: “What did that abbreviation stand for again?” SSC, MSA, SENC, STPA, SAPP and SABAC. I feel quite rebellious having gone with 5 letters. Never a dull day in the board. Anyway, SABAC. SABAC is all about SABSA Business Attributes. These are important; they are core to SABSA’s ideology. I think if you ask a SABSA practitioner what the single thing is that they remember from SABSA — it’s the attributes.

What are SABSA Business Attributes, Esther?

Okay, brace yourself! An attribute is a conceptual abstraction of a real business need (e.g. its goals, targets, or assets). We express these labels often as adjectives, if possible in a single word. When we’ve got an attribute, we create an attribute profile. This contains its definition, what attribute type it is and how we measure its success.

For instance, when we look at this article, one of the goals (my driver) is for many people to read it. Also, I’d like them to learn something about Security Architecture from them. So, we can define the following two attributes:



*A note on ‘Type’: The three main types we use for SABAC are Enterprise, Technology and Security. Enterprise relates to your (business) strategy. They are the attributes closest to one’s reason for doing anything. The Technology attributes are what technology needs to be in place to enable the business goals. For example, the attribute ACCESSIBLE (ensure visitors can view the article on Linkedin). The Security attributes are what security needs to be in place to enable the business goals. This could be the attribute ATTRIBUTABLE (ensure the article is and remains registered to my name instead of somebody else). The Blue Book uses a more granular division: Business Strategy attributes (mapped to our Enterprise category), Legal & Regulatory attributes (Enterprise), Technical Strategy attributes (Technology), User attributes (security), Management attributes (security), Operational attributes (security) and Risk Management attributes (security).

Pretty intuitive, right? But we are not used to expressing security in relation to what we actually want to achieve for our organizations. Security professionals always go on about the number of servers we’ve patched or weak passwords we’ve fixed. That’s nice, but why are we doing that? “Because otherwise something could go wrong…” Yes, but why does that matter to our organization? Attributes allow us to express what could go wrong (or right!) in relation to what matters most to our business. Furthermore:

As my example above shows, the cool thing about this way of thinking is that you can apply it to everything. Not just security. My fellow TSI Board Member Maurice Smit wrote his Master Thesis on applying SABSA onto human life. Working with attributes is about having a clear goal, and then using your attributes as ‘requirements’ for how you will achieve that goal. The profile (definition, measurement approach and metrics) forces you to make attributes SMART. It is a great way to get anything done in life.

Okay, cool. So what’s this Call for Attributes?

Many security architects have used the original set of 84 SABSA attributes from the Blue Book, the ‘Holy Bible’ of SABSA written in 2005. But the world has changed. Community members have developed new attributes to meet their needs. Our SABAC working group will collect those attributes and unite them in a single database.

The added value of the new SABSA Attributes Catalogue is as follows:

What do we need from you?

We have already made a base collection of new attributes with the input from our own SABAC working group. Now we would like to ask you for the attributes you have developed for your projects or organization. That is why we are now opening this Call for Attributes. Specific instructions on how to get your attributes to us follow below.

What you will get in return?

We know that you spend time and effort on your attributes. Including them in our catalogue means a lot to us, and we don’t expect you to do it for nothing. In return for your contribution (min. 5 attributes), we would like to offer you the following perks:

When is the deadline?

The initial submission deadline is the 1st of June. After that, the web page will stay online and we will continue to accept and review your attributes, but we will only include attributes submitted before June 1st in the launch edition repository.

What happens after this?

The SABAC working group will review incoming attributes based on five criteria:

We will not inform you which of your attributes we have selected for the catalogue. We may reach out to you in case of questions on the attributes you have submitted. After agreement on which attributes make it to the catalogue, we will refine them. We will create industry collections and create a launch version of the repository. We will set up governance and open the repository up to the community. We will host a webinar to explain how the SABSA Attributes Catalogue works. Six months in, we will issue a survey to the community to review adoption and improvements needed.

When will you see the results?

We plan on presenting the first edition of the SABSA Attributes Catalogue at COSAC 2020. Between the conference and the end of the year we will launch the catalogue online on the TSI website. The SABSA Attributes Catalogue will be accessible to TSI members only. The working group is currently working towards a first edition of the catalogue. After its launch we continue to add attributes to the catalogue and work on requested features.

Where can you upload your attributes?

To contribute the attributes you’ve developed, please view the Call for Attributes & visit the upload page. Here you can download the SABAC Upload File. This is a template in which you can register your attributes. We prefer if you complete all fields. Once you’re done, you can enter your name and email address in the form and upload your completed Excel file with your name added to the Excel sheet’s name, e.g. “EstherSvL-SABAC-Attributes-Submission.xlsx”. We ask for your personal information only to contact you in case of questions and list you as a SABAC contributor (if you desire so).

For questions or comments, you can reach out to We look forward to receiving your attributes in this Call for Attributes!

The SABAC Working Group

Esther Schagen-van Luit (project lead), Aksel Bruun, Ivan Philips, James Alderman, James Lynas, Jonathan Bentley, Muhammed Adeel

Originally published at

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store