How to Ace Your SABSA Advanced Security Architecture Exam — Part II

1. Pick a case study

That is what they recommend in the training and it makes sense. In the exam paper you need to apply your SABSA knowledge to a scenario. You need to produce examples and show how SABSA would work for a real organization. If you are the resident security architect of organization XYZ, you’re in luck — there’s your case. Here’s to the drawbacks of being a security consultant:

  • I know nothing about the Security Architecture of Deloitte. After all, the objects of my attention are my clients.
  • I can’t use a client as a case study either. Even though the exam papers are not published, it would still be a breach of our code of conduct.

2. Determine what the actual question is

I can’t share the questions here obviously, but each exam question asks you to answer sub-questions on a SABSA-specific topic. You should know how to answer them by means of ‘competency words’. For instance, a question asks you to ‘deliver X’. This means that you should supply, provide, or present it to the stakeholder. There have actually been presentations at COSAC on how to write a good exam question. In many exam papers that the examiners review, candidates have written great things over many, many pages. But they received a failing grade because they didn’t answer the actual question!

3. How not to write 100 pages

I really don’t know — I am on page 22 now. To be fair, there are a lot of diagrams in there. But describing my case study (mind you, the original ArchiMetal document is 29 pages) already took 5 pages. By the time it’s done (and the other 3 papers?!) I think it will be the best thing in the history of SABSA. I also think I should be exempted from the SABSA Master Thesis based on the sheer effort I put into it. And lastly I think O’Reilly should just turn it into ‘The Definitive Guide on Security Architecture’ while we’re at it. I deserve royalties at this point, that’s how much blood, sweat and tears is in there.

4. Basing yourself on conflicting materials

I have written on this matter before and I know there are some people hard at work in The SABSA Institute to address this. But in the meantime, we have to deal with it. The Blue Book that you might know and love is usually the first piece of canon that comes to mind. It is quite old, but once you publish something you can’t take it back. And the SABSA canon has evolved quite a lot in the years since the book. That’s why the trainings introduce entirely new materials and concepts that may contradict the book. And how you apply the training materials in the training workshops is not necessarily complete, in the right order, or suited to different scenarios. So during an exam paper you realize you have a ‘SABSA patchwork’ in your head. I am not actually sure what the correct, step-by-step way to apply the SABSA Risk Management Process is. And I am not sure anyone really knows. I feel I collected several ‘patches’ and started laying them in a pattern that made sense to me to answer the question. Having to do that is one of the most time-consuming parts of doing the exam — unfortunately I don’t think it was ever intended that way. So, I’ll let you know when I’m publishing my ‘Definitive Guide to Security Architecture’ based on those exam papers and maybe we can settle this once and for all. Ha!

5. Structuring your answers within a Word Doc

To be fair, nobody ever said you needed to submit it in a Word document. But I think you’ll find that only submitting an Archimate file and passing your exam is a tall order. In security architecture we tend to have a lot of elements (like my 29 business attributes) that need to be visually represented in some way. A model, diagram or table is usually what follows. Although I think I am very good at visualizing content (I even had a COSAC session on it this year and last year!), having to put it in a Word document is quite limiting. The font tends to get very small and since the examiners are typically somewhat senior, this is not a great place to be in. I love having my diagrams in the text though. I’ve written my paper like an engaging story — I don’t want my readers to have to open a separate Excel file at a ‘cliffhanger’. It takes all the excitement out of the read. So I will have my diagrams in the text (flip to landscape view, people) and put the original Excel file and the diagrams from PowerPoint in the appendix. That said, it makes it once again very clear that there is no single means or tool that you can just put your security architecture in. What’s your strategy?
