Training helps CISOs stay relevant

Money. Or the lack thereof. Without resources no security program can even begin to mitigate the many threats we all face. I have often heard this complaint at professional meetings, but it was really made clear in Michael Oberlaender’s worthwhile book "C(I)SO—And Now What?: How to Successfully Build Security by Design."

He lists the top risks faced by CISOs and puts budget shortfall at the top, right above management and users. This may not be news to you, but solutions have always been hard to come by. Last month I attended the semi-annual meeting of the Nashville SABSA group at Vanderbilt Medical Center, and one solution did become much clearer.

SABSA is probably the best business-oriented security methodology that we have, and that judgment includes all of the usual suspects: PCI, NIST, COBIT, ISO 27001, etc. If you are looking for support for your security program, business orientation is step one, and that is where SABSA comes in. SABSA is not a prescriptive security framework for your company, but a methodology and skill set you can use with any required framework. Its strength is aligning security with business goals. In this post I will summarize the SABSA principles and their pros and cons, which will hopefully motivate you to learn more.

SABSA has been around since 1995 and stands for Sherwood Applied Business Security Architecture, after John Sherwood, the original creator. Its real strength is that it is top-down security, starting from the business needs. Business considerations are going to increase in importance now that basic compliance frameworks have been established and security technology adopted. The big question is how to put these frameworks and technology into a security architecture that does not have holes. In the SABSA context, security architecture refers to the sum total of people, process, technology and partners, not just security “technology architecture”, the way most professionals use the term today.

I picked up more insight on related trends at a Secure World Atlanta keynote last week. Ben Desjardins of Radware spoke of the growing importance of security automation; and also pointed out that this trend would eliminate or at least change some of the jobs that keep security operations people busy today. Time to up your game and find out what the business really needs.

SABSA’s security model embraces the notion of risk as opportunity and threat. This is always done in financial analysis, but not security, where practitioners often are focused only on threats. A security initiative is an opportunity to reduce risks, as well as lower costs and improve user experience. This was highlighted in a great blog post from Bob Deutsch.

The SABSA model of security architecture comprises six layers, starting with the contextual layer at the top. This is where the business attributes are defined and a risk analysis is done. Again, a SABSA risk analysis includes both negative and positive outcomes. The conceptual layer defines the security strategy, based on risk analysis and existing security controls. The output is the set of control objectives. The remaining four layers enable building out and operating the security architecture.

So how do you learn about SABSA? Start with the 30-page white paper. This should be required reading for all security managers. Next check out, which highlights activities of regional SABSA practitioners. SABSA training courses are offered here. Finally, if you want to really get into SABSA, you can purchase or rent Enterprise Security Architecture, by John Sherwood.

All of this highlights the downside of SABSA: it has a challenging learning curve. Virtually nothing is available online. However, you can get started with a one-week investment in face-to-face training; after passing two exams you will receive the SABSA Chartered Architect certificate. No, this cert is not as well-known as the CISSP. But our field is changing, and approaches like SABSA will help us all stay relevant to the business.

Stories by Frederick Scholl