Six months ago we launched this blog with a brief history of how SABSA was born. Now with the launch of the new SABSA Institute web portal with full membership facilities, it’s time to pick it up again and tell the story of what happened next.
During 1996 I was working mostly for S.W.I.F.T., assisting Erik Guldentops, Director of Global Information Security, with the development of his security strategy. The architecture model was a central part of that, although not the only part. For example, we developed a security benchmarking method based on the concepts of the Carnegie Mellon University, Software Engineering Institute, Capability Maturity Model (CMM) and used this as a tool for Erik to present a rationale to the S.W.I.F.T. Board to get their approval for the mega-BEF budget.
We developed a measurement framework and charted four metrics of security maturity: where is the banking industry today? Where are the international standards? Where is S.W.I.F.T.? And finally, where does S.W.I.F.T. want to be? The latter was based on benchmarking the industry and the international standard scene and making choices about our target state maturity. Then we identified the gaps between the current state and target state and planned projects to close the gaps. Finally, we classified the projects according to type: strategic, tactical, organisational and procedural. We assessed each one for it’s beneficial impact and its cost/risk and plotted them on a quadrant graph to prioritise them. Those in the high impact, low cost/risk quadrant were highest priority.
Erik took all this material to the Board along with budget estimates for each project. The slides were on acetate (no PowerPoint then) and were almost all diagrams – very few words. In blew them away and he came back from the Board meeting with full approval. We learned that measuring security benefit is an essential aspect of convincing senior management to invest in it. Measurement was to become one of the distinguishing features of SABSA, although it took a few years for us to develop the Business Attributes profile as a tool.
I was back at S.W.I.F.T. in 1998 as Chief Security Architect on a project named Next Generation. At the time S.W.I.F.T. had a network built on X.25 technology – fully encrypted at the physical layer. During our research in 1996 we had asked the executive management team at S.W.I.F.T. what they thought would be the future of the S.W.I.F.T. network. Would it ever move to IP technology? Never in a thousand years we were told – not secure enough. Well it took only two years and a new CIO to change all that. Next Generation was all about building a totally new IP infrastructure that had to be secure to the levels expected by S.W.I.F.T. in its business commitments. Being part of that project was a great honour and a great buzz. The technologies were the TCP/IP stack and PKI, the core services were directory, service management and multiple applications, and the conceptual architecture was a three layer model: network, middleware and applications layer, each to be independently secured and not to rely on security from the layer below. It was awesome – innovative and challenging – very exciting work. It was implemented in stages as SWIFTNet between 2001 and 2005 and remains in play today.
During the Next Generation project I was sent to an Enterprise Architecture conference in San Francisco. It was there that I met John Zachman and listened to his keynote presentation on the Zachman Framework® – the first time I had encountered his work. It was a moment of realisation that what we had in the SABSA layered model was conceptually the same as Zachman’s layers. His language was different and he had analysed the layers into six columns, but otherwise it was so similar. I went back to S.W.I.F.T. and reworked the model to align the terminology. Figure 1 shows how the language of SABSA layering was positioned in 1998 following Zachman and how it has evolved since then.
The next step in the SABSA journey took place in 2000, after David Lynas and myself had joined the Netigy Corporation, a dot.com consulting firm operating in the topic area of networking and security. I was Executive Director of Architecture and David was Director of Professional Relations, both in the Global Security Practice. There was a working group on architecture development that spanned both the security practice and the networking practice. One idea that came from the group was aimed first at networking. It was a concept called eAttributes in which we defined sixteen attributes of networking and used them to measure network performance. The thrust of the work was to create measurability. I took this up and defined a series of 83 security attributes in a seven-column taxonomy, which we also adopted. When Netigy collapsed in 2001 and all the SABSA IPR reverted to me, that taxonomy became what is now the SABSA Business Attributes™ taxonomy. The concept has been much extended since those days. Now we have customised taxonomies and multi-tiered Business Attribute Profiles™.
I had realised in 1998 that we had something special. I started then to write a book on security architecture because there was an obvious gap in the market for such a work. I knew I would never achieve my goal as a loner and that I needed support. I had known Andy Clark since 1985 when I joined Open Computer Security and was working under Andy’s leadership on developing cryptographic solutions for the banking industry. I had also known David Lynas from the very first COSAC event in 1993 at which I was one of the presenters. I had used David at S.W.I.F.T. as an associate consultant and we had both done extensive work there. These were the two very good friends and associates that I chose to invite to join my book project. I owe them a lot for the support that they gave. Andy took on the whole thing about dealing with publishers and David was my primary reviewer. We were all working full time on our various businesses and there were periods of as much as six months that not a single word was written for the book. Eventually we had a completed version in 2003, but it took another two years of negotiating with publishers, editing, correcting, reworking and formatting to get it out to the world. It was finally launched at COSAC 2005 in Naas, Republic of Ireland, seven years after we started it. The photograph records the book launch event. Andy, David and John from left to right.
Since that moment the book, entitled Enterprise Security Architecture: A Business Driven Approach has enjoyed some popularity around the world. Some people affectionately refer to it as The Blue Book or even The Blue Bible and it has become a definitive work on the subject. The book describes SABSA as it was in around 2003 and as such is a little out of date. SABSA is a living, growing thing that benefits all the time from members of the SABSA Community applying in their work and finding new pieces to add to it. As a framework for developing security architecture in a dynamically changing digital business world, it will never be finished.
During the writing of the book I made a lot of decisions about content. Previously SABSA had tended to be fluid and changing depending on my thoughts on a given day. If I may quote for a moment from our own book, on page 58 it says:
It is a truism that if you can’t write it down, you haven’t thought it through. So often one experiences presentations where new projects are being described in the early stages of planning where the presenter has not really understood the scope and interdependencies of the system they are proposing. The simple act of writing these early ideas down forces you into identifying the whole context of the system and identifying problem areas.
That was certainly my experience in writing the book. I had to consider the various versions of ideas and make choices as to what would go into the published version. The same process is still going on today. As we write more and more SABSA white papers and other similar documents we have to decide what will be the definitive version. It also means that over time our ideas mature and sometimes we need to publish updates and new versions. This year (2018) will see a lot of that type of activity. In particular, we have published a major refreshment of the SABSA Matrix™ and its companion the SABSA Management Matrix™. These were last updated in 2009. After nine years of intensive use they needed a major revision.
I’ll end this historical account here in 2005 for the moment, with a textbook on sale and people beginning to spread the word about SABSA. David Lynas had already been standing on conference platforms around the world since 1997 evangelising about SABSA, but his next big idea was to develop a training and education programme for SABSA. He envisioned The SABSA Institute™ at its core and a certification scheme by which security architects could be recognised for their professionalism. I’ll tell you all about that in the next instalment.