Money. Or the lack thereof. Without resources no security program can even begin to mitigate the many threats we all face. I have often heard this complaint at professional meetings, but it was really made clear in Michael Oberlaender's worthwhile book "C(I)SO-And Now What?: How to Successfully Build Security by Design."
He lists the top risks faced by CISOs and puts budget shortfall at the top, right above management and users. This may not be news to you, but solutions have always been hard to come by. Last month I attended the semi-annual meeting of the Nashville SABSA group at Vanderbilt Medical Center, and one solution did become much clearer.
SABSA is probably the best business-oriented security methodology that we have, and that judgment takes into account all of the usual suspects: PCI, NIST, COBIT, ISO 27001, etc. If you are looking for support for your security program, business orientation is step one, and that is where SABSA comes in. SABSA is not a prescriptive security framework for your company, but a methodology and skill set you can use with any required framework. Its strength is aligning security with business goals. In this post I will summarize the SABSA principles and their pros and cons, which will hopefully motivate you to learn more.
SABSA has been around since 1995 and stands for Sherwood Applied Business Security Architecture, after John Sherwood, the original creator. Its real strength is that it is top-down security, starting from the business needs. Business considerations are going to increase in importance now that basic compliance frameworks have been established and security technology adopted. The big question is how to put these frameworks and technology into a security architecture that does not have holes. In the SABSA context, security architecture refers to the sum total of people, process, technology and partners, not just security "technology architecture", the way most professionals use the term today.
I picked up more insight on related trends at a Secure World Atlanta keynote last week. Ben Desjardins of Radware spoke of the growing importance of security automation, and also pointed out that this trend would eliminate, or at least change, some of the jobs that keep security operations people busy today. Time to up your game and find out what the business really needs.
SABSA's security model embraces the notion of risk as opportunity and threat. This is always done in financial analysis, but not security, where practitioners often are focused only on threats. A security initiative is an opportunity to reduce risks, as well as lower costs and improve user experience. This was highlighted in a great blog post from Bob Deutsch.
The SABSA model of security architecture comprises six layers, starting with the contextual layer at the top. This is where the business attributes are defined and a risk analysis is done. Again, a SABSA risk analysis includes both negative and positive outcomes. The conceptual layer defines the security strategy, based on risk analysis and existing security controls. The output is the set of control objectives. The remaining four layers enable building out and operating the security architecture.