Calling all Security Architects to Arms

Too long have we lived in the shadows of theory and spaghetti diagrams! Too long has our architecture been misunderstood by those who pay us! Too long has the blame of not adding value to the business stained our hands! It is time to call all Security Architects to arms!

Our weapons of choice are the power of reason, the snazziest of diagrams and the arcanest (is that a word? most arcane?) of technology knowledge. And let us not forget about SABSA Business Attributes! Last week we released something quite exciting at The SABSA Institute — our Call for Attributes.

Alongside my position as Director on the Board of Trustees, I also lead a working group called SABAC. SABAC is short for SABSA Attributes Catalogue. We use a lot of these abbreviations for working groups. I love that every so often during board meetings a Director goes: “What did that abbreviation stand for again?” SSC, MSA, SENC, STPA, SAPP and SABAC. I feel quite rebellious having gone with 5 letters. Never a dull day on the board. Anyway, SABAC. SABAC is all about SABSA Business Attributes. These are important; they are core to SABSA’s ideology. I think if you ask a SABSA practitioner what the single thing is that they remember from SABSA, it’s the attributes.

What are SABSA Business Attributes, Esther?

Okay, brace yourself! An attribute is a conceptual abstraction of a real business need (e.g. its goals, targets, or assets). We usually express these labels as adjectives, in a single word where possible. Once we have an attribute, we create an attribute profile. This contains its definition, what attribute type it is and how we measure its success.

For instance, when we look at this article, one of my goals (my driver) is for many people to read it. I’d also like them to learn something about Security Architecture from it. So, we can define the following two attributes:

READ

  • Definition: The article is read by people on LinkedIn.
  • Type: Enterprise*
  • Measurement approach: Review the ‘article views’ stats on LinkedIn every week.
  • Metric: 200+ people read my article.

INFORMATIVE

  • Definition: People find the article interesting.
  • Type: Enterprise*
  • Measurement approach: 1) Review the number of reshares of this article on LinkedIn every week, 2) Review the number of likes etc. for this article on LinkedIn every week, 3) Review the qualitative feedback in the comments for this article on LinkedIn every week.
  • Metric: 1) 5+ reshares of the article, 2) 50+ likes of the article, 3) Mention of words such as ‘interesting’, ‘informative’, ‘I have learned’, ‘insight(ful)’, ‘helpful’ etc. in the comments.

*A note on ‘Type’: The three main types we use for SABAC are Enterprise, Technology and Security. Enterprise attributes relate to your (business) strategy; they are the attributes closest to your reason for doing anything. Technology attributes describe what technology needs to be in place to enable the business goals, for example ACCESSIBLE (ensure visitors can view the article on LinkedIn). Security attributes describe what security needs to be in place to enable the business goals, for example ATTRIBUTABLE (ensure the article is and remains registered to my name rather than somebody else’s). The Blue Book uses a more granular division: Business Strategy attributes (mapped to our Enterprise category), Legal & Regulatory attributes (Enterprise), Technical Strategy attributes (Technology), User attributes (Security), Management attributes (Security), Operational attributes (Security) and Risk Management attributes (Security).
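To make the profile structure above concrete, here is an added example (not code from the article or from The SABSA Institute) that models an attribute profile as a small data structure and turns the READ and INFORMATIVE metrics into checks that run over a week of stats. The field names, the `at_least` and `mentions_feedback` helpers and the weekly numbers are assumptions for illustration; the stats are constructed, not real LinkedIn data.

```python
"""Attribute profiles as executable metric checks (added illustration).

Models the profile fields from the article (definition, type, measurement
approach, metric) and evaluates constructed weekly stats against the READ
and INFORMATIVE targets. Field and helper names are assumptions, not the
SABAC template.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Mapping, Tuple


@dataclass(frozen=True)
class Metric:
    """One measurable target plus the predicate that decides whether it is met."""
    name: str
    check: Callable[[Mapping[str, Any]], bool]


@dataclass(frozen=True)
class AttributeProfile:
    name: str
    definition: str
    attribute_type: str          # Enterprise, Technology or Security
    measurement_approach: str
    metrics: Tuple[Metric, ...]

    def evaluate(self, observations: Mapping[str, Any]) -> Dict[str, bool]:
        """One verdict per metric, keyed by metric name."""
        return {m.name: m.check(observations) for m in self.metrics}

    def is_met(self, observations: Mapping[str, Any]) -> bool:
        """The attribute counts as achieved only when every metric is met."""
        return all(self.evaluate(observations).values())


def at_least(key: str, target: int) -> Callable[[Mapping[str, Any]], bool]:
    """Threshold predicate: observations[key] >= target (missing key counts as 0)."""
    return lambda obs: obs.get(key, 0) >= target


# Words the article names as signals of qualitative feedback.
FEEDBACK_WORDS = ("interesting", "informative", "i have learned", "insight", "helpful")


def mentions_feedback(obs: Mapping[str, Any]) -> bool:
    """True when any comment contains one of the feedback words (case-insensitive)."""
    comments = [c.lower() for c in obs.get("comments", [])]
    return any(word in c for c in comments for word in FEEDBACK_WORDS)


READ = AttributeProfile(
    name="READ",
    definition="The article is read by people on LinkedIn.",
    attribute_type="Enterprise",
    measurement_approach="Review the 'article views' stats on LinkedIn every week.",
    metrics=(Metric("200+ views", at_least("views", 200)),),
)

INFORMATIVE = AttributeProfile(
    name="INFORMATIVE",
    definition="People find the article interesting.",
    attribute_type="Enterprise",
    measurement_approach="Review reshares, likes and comment feedback on LinkedIn every week.",
    metrics=(
        Metric("5+ reshares", at_least("reshares", 5)),
        Metric("50+ likes", at_least("likes", 50)),
        Metric("feedback words in comments", mentions_feedback),
    ),
)

CATALOGUE = (READ, INFORMATIVE)

# Constructed weekly stats for the example; not real LinkedIn data.
WEEK_1 = {
    "views": 340,
    "reshares": 7,
    "likes": 41,
    "comments": ["Insightful read, thanks!", "Nice diagrams"],
}


def report(profiles, observations: Mapping[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Per-attribute status: the shape a stakeholder dashboard would consume."""
    return {
        p.name: {
            "type": p.attribute_type,
            "met": p.is_met(observations),
            "metrics": p.evaluate(observations),
        }
        for p in profiles
    }


if __name__ == "__main__":
    for name, status in report(CATALOGUE, WEEK_1).items():
        flag = "MET" if status["met"] else "NOT MET"
        print(f"{name:<12} {status['type']:<11} {flag}  {status['metrics']}")
```

With the constructed week, READ is met (340 views) while INFORMATIVE is not, because the likes target fails even though reshares and comment feedback pass; a report that shows which metric failed is what lets you argue for a specific investment rather than "more security".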

Pretty intuitive, right? But we are not used to expressing security in relation to what we actually want to achieve for our organizations. Security professionals always go on about the number of servers we’ve patched or weak passwords we’ve fixed. That’s nice, but why are we doing that? “Because otherwise something could go wrong…” Yes, but why does that matter to our organization? Attributes allow us to express what could go wrong (or right!) in relation to what matters most to our business. Furthermore:

  • Attributes allow us to tie our security controls back to the business objectives. They use language and metrics that are understandable to every organizational stakeholder, the Board included, and they open up a whole new way of reporting on security within an organization. It should make it very clear to the Board why they need to invest in security, and where they need to do so.
  • Attributes are also great for understanding relationships and dependencies. Suppose you put in place something that improves the attribute ‘Access-controlled’. What effect does that have on the attribute ‘User-friendliness’? How can we compensate for that effect?
  • We can map our security risks (and other types of risk) onto attributes. We can also assign ownership and governance per attribute. This ensures there is focus on achieving the best outcome for business goals. Now compare that to the traditional practice of putting in place all the ISO 27001/27002 controls.

As my example above shows, the cool thing about this way of thinking is that you can apply it to everything, not just security. My fellow TSI Board Member Maurice Smit wrote his Master’s thesis on applying SABSA to human life. Working with attributes is about having a clear goal, and then using your attributes as ‘requirements’ for how you will achieve that goal. The profile (definition, measurement approach and metrics) forces you to make attributes SMART. It is a great way to get anything done in life.

Okay, cool. So what’s this Call for Attributes?

Many security architects have used the original set of 84 SABSA attributes from the Blue Book, the ‘Holy Bible’ of SABSA written in 2005. But the world has changed. Community members have developed new attributes to meet their needs. Our SABAC working group will collect those attributes and unite them in a single database.

The added value of the new SABSA Attributes Catalogue is as follows:

  • The catalogue will be larger than the original set of attributes. This raises the chance that the attribute you’re looking for is already in the catalogue, which will save you time.
  • We’re crowdsourcing these attributes from the community. We’re asking for attributes that are already used in real life. This means that they work in practice and will meet your needs.
  • We will offer six industry-specific attribute collections. Different industries may need different definitions and performance targets. This means that you can work with the attribute set that matches your organization best.

What do we need from you?

We have already made a base collection of new attributes with the input from our own SABAC working group. Now we would like to ask you for the attributes you have developed for your projects or organization. That is why we are now opening this Call for Attributes. Specific instructions on how to get your attributes to us follow below.

What will you get in return?

We know that you spend time and effort on your attributes. Including them in our catalogue means a lot to us, and we don’t expect you to do it for nothing. In return for your contribution (min. 5 attributes), we would like to offer you the following perks:

  • Beta-testing access to the Attributes Catalogue;
  • The opportunity to request features and provide feedback;
  • Your name listed as a SABAC contributor on the TSI website.

When is the deadline?

The initial submission deadline is the 1st of June. After that, the web page will stay online and we will continue to accept and review your attributes, but we will only include attributes submitted before June 1st in the launch edition repository.

What happens after this?

The SABAC working group will review incoming attributes based on five criteria:

  • Completeness. The more complete the attribute profile, the more likely it is to be used successfully in practice. Where information is missing, we will try to supply it ourselves.
  • Quality. Vague terminology makes the attribute less usable. We are looking for attributes that are SMART (Specific, Measurable, Achievable, Relevant, Time-bound).
  • Distinctiveness. If attributes resemble each other, we may choose to combine them into a single attribute.
  • Relevance. We are looking for attributes for the modern world. We will likely not accept attributes for out-of-date business, technology and security practices.
  • Anonymity. We cannot include client-specific information in our attribute profiles. We ask that you anonymize your attributes so that we can’t recognize the attribute’s origin.

We will not inform you which of your attributes we have selected for the catalogue, but we may reach out to you with questions on the attributes you have submitted. Once the working group has agreed which attributes make it into the catalogue, we will refine them. We will create the industry collections and a launch version of the repository, set up governance and open the repository up to the community. We will host a webinar to explain how the SABSA Attributes Catalogue works. Six months in, we will issue a survey to the community to review adoption and the improvements needed.

When will you see the results?

We plan on presenting the first edition of the SABSA Attributes Catalogue at COSAC 2020. Between the conference and the end of the year we will launch the catalogue online on the TSI website. The SABSA Attributes Catalogue will be accessible to TSI members only. The working group is currently working towards a first edition of the catalogue. After its launch we continue to add attributes to the catalogue and work on requested features.

Where can you upload your attributes?

To contribute the attributes you’ve developed, please view the Call for Attributes and visit the upload page. There you can download the SABAC Upload File, a template in which you register your attributes. We prefer that you complete all fields. Once you’re done, enter your name and email address in the form and upload your completed Excel file, with your name added to the file name, e.g. “EstherSvL-SABAC-Attributes-Submission.xlsx”. We ask for your personal information only to contact you in case of questions and to list you as a SABAC contributor (if you wish).

For questions or comments, you can reach out to wg102@sabsainstitute.org. We look forward to receiving your attributes in this Call for Attributes!

The SABAC Working Group

Esther Schagen-van Luit (project lead), Aksel Bruun, Ivan Philips, James Alderman, James Lynas, Jonathan Bentley, Muhammed Adeel

Originally published at https://www.linkedin.com.

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account