How to Ace Your SABSA Advanced Security Architecture Exam — Part II

Everybody has things in life they regret. Not speaking anymore with that childhood friend. Not studying harder for that exam. Eating that extra slice of pizza. In my case, I really, really regret not doing the SABSA Advanced Exam Papers immediately after the training when the content still seemed crystal-clear to me. Can I get a ‘hear, hear’ from the crowd?

The training was in March 2019. In my defense, I did both the A1 and A3 trainings back2back. Everybody would be daunted by the prospect of four exam papers (you need to do 2 per course). And life happened. By now I have resorted to drastic measures. This involves taking a day off every week to force myself to finish the exam papers.

In the previous article on this topic, I wrote about about how the SABSA certifications are structured and what is expected of an exam paper. In today’s article I will dive into the five ‘cliffhangers’ I left you with last time.

1. Pick a case study

That is what they recommend in the training and it makes sense. In the exam paper you need to apply your SABSA knowledge to a scenario. You need to produce examples and show how it SABSA would work for a real organization. If you are the resident security architect of organization XYZ, you’re in luck — there’s your case. Here’s to the drawbacks of being a security consultant:

  • I know nothing about the Security Architecture of Deloitte. After all, the objects of my attention are my clients.

So I decided to settle on a fictional case. This addresses a major issue I have with security architecture: nobody publishes their work. I get that real architectures give away a lot of security details. Attackers could easily abuse this information (then again, I thought we agreed on not doing ‘security by obscurity’). But as a community we can’t grow unless we publish on how our architecture works in practice. I hope The SABSA Institute will allow me to rework it into a resource that helps the community.

Finding a fictional case that provides significant context is not easy either. I ended up going with The Open Group’s ArchiMetal case. There is also a somewhat shorter ArchiSurance case. What I love about these is that they contain a full Enterprise Architecture, but never mention the word ‘security’. Although this is sad in some ways, it also means that everything I add to it will be original work. And perhaps it will make for an interesting addendum for the EA/TOG folks while we’re at it.

So, carefully reflect on what object you will apply your SABSA knowledge. If you can, make it something that can be published someday for the sake of the community. And re-use the case for all your other exam papers! One final reflection: For COSAC 2020 I am developing a security architecture board game. We ended up choosing a simplistic version of a bakery as a case study with only 12 business attributes. Our working title is SA B(S)Akery (ha, see what I did there!?). My ArchiMetal model contains 29 business attributes. So although it is nice that ArchiMetal mimics a real company, I wonder whether I shouldn’t have gone with a highly abstracted version of an organization.

2. Determine what the actual question is

I can’t share the questions here obviously, but each exam question asks you to answer sub questions on a SABSA-specific topic. You should know how to answer them through the means of ‘competency words’. For instance, a question asks to ‘ deliver X’. This means that you should supply, provide, or present to the stakeholder. There have actually been presentations at COSAC on how to write a good exam question. In many exam papers that the examiners review candidates have written great things over many, many pages. But they received a failing grade because they didn’t answer the actual question!

So the pro-tip is to break the entire question up into each competency word and you do exactly that, not more, not less. This sounds easier than it is. Take the subquestion ‘ demonstrate the application of’ where demonstrate means ‘to show’ and to apply means ‘to do, execute’. All I know then is ‘to do XYZ’ (not the steps, detail or artefacts you’d expect with that) and then I have to write about it?! It makes one doubt very much at what point the question is sufficiently answered. I guess this is the reason they end up with lengthy papers that include a lot of details examiners find unnecessary.

As a check I have created a table to ‘help’ the examiner judge decide whether I have answered the question. But really it’s a way for myself to check whether I have answered the question. The table contains the work products from the question in the 1st column, the competency world associated with it in the 2nd column, and then a 3rd column with: “I have done competency X because I did XYZ in my paper”. So, why don’t you try that in yours?

3. How not to write 100 pages

I really don’t know — I am on page 22 now. To be fair, there’s a lot of diagrams in there. But describing my case study (mind you, the original ArchiMetal document is 29 pages) already took 5 pages. By the time it’s done (and the other 3 papers?!) I think it will be the best thing in history of SABSA. I also think I should be exempted from the SABSA Master Thesis based on the sheer effort I put into it. And lastly I think O’Reilly should just turn it into ‘The Definitive Guide on Security Architecture’ while we’re at it. I deserve royalties at this point, that’s how much blood, sweat and tears is in there.

And this concerns me because originally the exam was something that you should do in a couple of hours after the training. Some of the examiners have also mentioned that the short papers (e.g. 12 pages) are usually the best. Of course there is all kinds of things you can do to shorten the papers. Removing the case study, enormous diagrams and Excels to a separate file and embedding them into the paper as an attachment helps. Not spending pages on explaining SABSA concepts to an examiner (they know about those, trust me) helps. And just writing effectively and succinctly — programs like Hemingway prevent me from creating sentences that run for 5 lines.

4. Basing yourself on conflicting materials

I have written on this matter before and I know there are some people hard at work in The SABSA Institute to address this. But in the meantime, we have to deal with this. The Blue Book that you might know and love is usually the first piece of canon that comes to mind. It is quite old, but once you publish something you can’t take it back. And the SABSA canon has evolved quite a lot over the years after the book. That’s why the trainings introduce fully new materials and concepts, that may contradict the book. And how you apply the training materials in the training workshops is not necessarily complete, in the right order or suited to different scenarios. So during an exam paper you realize you have a ‘SABSA patchwork’ in your head. I am not actually sure what is the correct, step-by-step way to apply the SABSA Risk Management Process. And I am not sure anyone really knows. I feel I collected several ‘patches’ and started laying them in a pattern that made sense to me to answer the question. Having to do that is one of the most time-consuming efforts of doing the exam — unfortunately I don’t think it was ever intended that way. So, I’ll let you know when I’m publishing my ‘Definitive Guide to Security Architecture’ based on those exam papers and maybe we can settle this for once and for all. Ha!

5. Structuring your answers within a Word Doc

To be fair, nobody ever said you needed to submit it in a Word document. But I think you’ll find only submitting an Archimate file and passing your exam a tall order. In security architecture we tend to have a lot of elements (like my 29 business attributes) that need to be visually represented in some way. A model, diagram or table is usually what follows. Although I think I am very good at visualizing content (even had a COSAC session on it this and last year!), having to put it in a Word document is quite limiting. The font tends to get very small and since the examiners are typically somewhat senior, this is not a great place to be in. I love having my diagrams in text though. I’ve written my paper like an engaging story — I don’t want my readers to have to open a separate Excel at a ‘cliffhanger’. It takes all the excitement out of the read. So I will have my diagrams in text (flip to landscape view, people) and put the original Excel file & diagrams from PowerPoint in the appendix. That said, it makes it once again very clear that there is no single means or tool that you can just put your security architecture in. What’s your strategy?

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Now, some final words on this post. I realize my comments above make it sound very bleak. I am determined to submit and so should you. Yes, I think the process is too cumbersome and inappropriate for examination. But at the same time it is one of the best ways to challenge yourself as an architect. At a client I never get this much time to think about security architecture. It always needed to be finished yesterday and they don’t want that level of detail. So embrace this chance to find out for yourself what you think security architecture should be. As for myself — maybe I’ll start using our little SA B(S)Akery to explain how I think some SABSA concepts work in a simplified manner in my next posts.

Originally published at

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account