A Brief History of SABSA: Part 3 – The SABSA Institute is Born

The Short History of SABSA had reached the year 2005 in my last blog. Now it’s time to finish the story and bring it up to date. I first need to retrace my steps back to 2003 for a moment. David Lynas and I had been working for QinetiQ from 2001 to 2002. It was a short spell of full time employment during which SABSA languished a little because QinetiQ did not want to adopt the framework. The relationship did not work out, and by the end of 2002 we were back on the streets again, planning our next move for business and career development. We looked to SABSA to be the anchor for those plans.

During the 1990s I had been doing a lot of security management training in Europe, the Far East and Australia. My Australian contact was a training company called ALC, run by Zika Milenkovic and Matt Whelan. For personal family reasons I decided that in 1999 I could no longer service the security courses at such great distance and so I recommended to Zika and Matt that they should adopt David Lynas to take my place. That proved to be a winning partnership for all concerned. Between them, Zika, Matt and David grew the security training business in Australia, New Zealand and South East Asia. David had been promoting SABSA as a security architecture framework on conference platforms around the world since 1997 (firstly at the Computer Security Institute conference in the USA). I had also been including SABSA ideas and concepts in my training material and my conference presentations. I must acknowledge that it was David’s evangelising of SABSA that made it known across the English-speaking world.

It became clear that SABSA was capable of popular consumption and so David and I developed the first official SABSA course. He presented this in Australia in 2007. The use of Bloom’s Taxonomy of Cognitive Levels to map competencies was based on a consulting project that we had done, led by David, in 2005/6 for the Association of Information Security Professionals (AINSEP) in Singapore. They wanted a framework for career development and certification of information security professionals. It was a forerunner for what we built for the SABSA programme. The main driver for developing the SABSA certification programme came from the UK Ministry of Defence (MoD) which was looking at adopting SABSA for their information assurance architecture. The question came from a very senior officer level: how Defence could determine the competence of potential providers to the MoD Information Assurance Programme if SABSA was incorporated into that as a standard. That meant not just training but a structured competency framework against which to assess the candidates.

The launch of the SABSA training programme in Australia was not just a stand-alone training course. It had behind it the concept of The SABSA Institute™ and a certification programme for professional Security Architecture practitioners, based to some extent on our experience with Singapore. The founders of the Institute were David, Zika, Matt and myself. It was an exciting time for us. We were seeing a great enthusiasm in the Australian market for SABSA and so we took some business risks. It was Zika and Matt who took the most financial risk by investing in a wide marketing programme for the courses and the certification programme. David and I developed the training and examination materials and Matt also developed the administration software and the first web site. Entrepreneurial activity is full of risk – in SABSA terms, both opportunity and threat. It’s also very thrilling. I looked up a reference for ‘entrepreneur’ and found this:

“The pursuit of opportunity beyond resources controlled”. [Professor Howard Stevenson, Harvard Business School].

Other references expand a little on this by defining the characteristics of an entrepreneur:

  • Not afraid to take risks
  • Self-belief, hard work and disciplined dedication
  • Passionate
  • Innovative – developing something new that the market needs
  • Persistent – doesn’t take no for an answer
  • Resourceful – because there are few resources available to support the project

I can tell you that we can put our hands up to all those characteristics. Why am I telling you all this about entrepreneurship? Because that’s what this project has been like. We have persisted in our self-belief that we could do this without any real resources and change the market in security architecture education and training. Not only that, we have believed we could change the way the world thinks about security architecture as a discipline – what we call SABSA Thinking™. We are passionate about it and we have persisted against all obstacles.

Back in 2003 David, Andy Clark and myself decided to form a company to exploit SABSA as a commercial proposition. That company was called SABSA Limited and was registered in the UK as a private limited company. There was a lot of emphasis on developing training and certification, but also consulting. We started to make plans. However, the more we considered it the more we realised that we needed to put the SABSA IP in the public domain for it to succeed as a global standard. Our private company plan was not the right vehicle for that. We did not ever use that company and it was later wound up. Our thinking changed towards what we now have – The SABSA Institute CIC, owned by the membership.

I have a document written by David dated February 2003 in which he describes in detail, over five pages, his vision for the training and certification programme. When I look at what we have now there are only a few minor differences from David’s original vision. Between that time and 2007 we worked on the plan for The SABSA Institute and developed the infrastructure and documentation. We are still back-filling gaps in the governance processes, but we launched with sufficient process in place to make it work. If you are reading this, you will probably agree that we did it.

Here are some statistics:

  • First courses Australia, UK & North America 2007
  • First courses European Mainland (NL) & Asia 2008
  • First SABSA Master (outside original authors) 2009
  • First SABSA World Congress 2009 (alongside COSAC in Ireland)
  • First course Africa 2011
  • Exceeded 1000 certificates 2011
  • Exceeded 2000 certificates 2013
  • Exceeded 50 countries 2014
  • Matt Whelan Founders’ Award introduced 2014
  • Exceeded 5000 certificates 2016
  • UK exceeded 500 certificates 2017
  • Australia exceeded 1000 certificates 2017
  • Exceeded 70 countries 2018 (currently 71)
  • Exceeded 6000 certificates 2018

Those numbers continue to grow. The SABSA footprint is now established on a global scale. We are confident that our passion, self-belief, hard work, dedication, persistence, risk appetite, and belief in the growing body of SABSA-certified professionals have paid off. Not, however, without some obstacles to be overcome. It was Zika who in 2009 spotted the fact that in the UK the use of the word ‘Institute’ in a business name is protected by company law. You can only use it if you have permission from the Secretary of State for business. At that time the relevant government department was called Business, Innovation and Skills. It is now named Business, Energy and Industrial Strategy. The rule is that the organisation must meet the following conditions:

Institute or Institution: Approval to use this word is normally only given to fully functioning established organisations that are already functioning as an institute but operate under a different name. The range of activities may vary, but institutes are organisations that typically undertake research at the highest level or are professional bodies of the highest standing.

The factors we take into account include:

  • whether there is a good reason for establishing the institute
  • whether the activities are regulated or unregulated
  • whether the organisation already exists in some form
  • the nature of any work it provides for other organisations
  • the relevance and nature of support from existing organisations
  • whether the institute offers training leading to its own qualifications
  • whether the institute provides training or activities that support qualifications provided by other bodies such as universities or colleges
  • whether the institute’s activities are supported by or associated with activities undertaken by a government body, an independent organisation established in the field or a funding organisation

To support your application, please obtain the views of one or more relevant bodies and include a copy of their response with your application. All applications are considered on their merits. But, if you aren’t an established body, you may wish to consider the option to register under a different name and re-apply later.

We thought that we could meet the conditions, but the issue was how to demonstrate compliance. As always, being compliant is one thing, demonstrating compliance is quite another. We were an established organisation, but already using the word in our name. However, we were not a registered company in any jurisdiction. The SABSA Institute was a concept, not a registered entity. We looked at the possibility of registering in other jurisdictions but in the end decided that UK registration would provide the strongest branding. We also decided to go for registration as a Community Interest Company, to demonstrate our commitment to being exactly that – a company owned by the SABSA Community for the benefit of the community. The characteristics of a CIC are that there can be no private ownership of shares, no dividends paid to owners and that the assets of the company are locked such that they cannot be transferred out for private gain. There is a Regulator of CICs that enforces these rules over and above the normal company compliance requirements. It was perfect for realising our intentions.

It turned out to be a steep hill to climb. The Founders developed our strategy during 2009/2010. I wrote a detailed business plan that was completed and internally approved in October 2010. Then we had to gain support from ‘one or more relevant bodies’. I wrote letters to universities where we had contacts, training companies where SABSA training was being offered, and corporate organisations using SABSA. We submitted our first application in October 2010 but that attempt failed. The key missing piece was support from a government department. I approached GCHQ because we knew that they were aware of SABSA. They were cautious, because they cannot be seen to favour publicly one security method or product over another. After many exchanges of emails over an extended period of 2011/2012 we finally received a letter of support for the forming of the Institute signed by a Deputy Director. That was the key. We were successful in our application this time. The SABSA Institute CIC was registered as a private company limited by guarantee without share capital on 11th March 2013. Phew! Yes, we did it. Now the hard work would begin to build the Institute as an operational entity.

You may have noticed that the list of dates above includes the Matt Whelan Founders’ Award. Matt was one of the Founders of the Institute and a key player in developing it. We owe a lot to him, but our dear friend sadly passed away after a long illness in 2014. We commemorate him and his contribution with this award to the best SABSA Practitioner exam submission in each year. The prize is £500. ‘Best’ does not necessarily mean highest marks. The judging includes input from the Whelan family and the award goes to the exam paper that the panel believes Matt would have considered ‘best’ with factors such as: achievement against the odds, innovation, creativity and even possibly a sense of humour in adversity. The four award winners to date have been globally distributed which would also have pleased Matt:

2014: MZ Omarjee, South Africa

2015: Michael Kitsisa, Ghana

2016: Andy Wall, UK

2017: Michael Price, New Zealand

In 2014 at the SABSA World Congress in Ireland we appointed a group of new directors to strengthen the management team and bring fresh ideas to the Institute. We had achieved incorporation, both as a CIC and with the word Institute approved for our business name. We had a business plan developed to achieve that goal of incorporation. Now it was time to implement the plan and we needed more human resources. The Board of Trustees (as we now designated the board of directors) was recruited by personal selection by David and myself. We deliberately chose a group that represented the international nature of the Institute and the diverse nature of industry sectors in which SABSA is used. Not everyone that we invited accepted, but we did then finish up with a Board of nine Trustees/Directors covering the English-speaking world.

Over the past few years we have developed a close working alliance with The Open Group. We participate in joint projects and work together towards common goals. This year we received an award from them for the organisation that had partnered effectively with The Open Group. We continue to seek alliances with other organisations with similar goals where joint work can add value to both parties.

So here we are in 2018. This year has seen a great deal of new activity to further the goals of the Founders. We again recruited several more directors to the Board of Trustees. Each Board member takes responsibility for leading one or more areas of development – both of the SABSA IP and the operational capability of the Institute. Our newly launched web portal provides the technical capabilities for people to join as official members and contribute to this development programme. SABSA Foundation courses now include a first year’s paid membership in the Institute. And on-going membership subscriptions will deliver a revenue stream to support future development. Our publications schedule is aggressive, and we anticipate continued growth and strong international interest.

This has given you a short history to-date. We continue the adventure, focused on engagement with our community, our future, and the continued emergence of SABSA as a global standard and framework for security architecture.

Chief Architect

1 thought on “A Brief History of SABSA: Part 3 – The SABSA Institute is Born”

I have been a big fan of SABSA since 2013 and follow the same everywhere! I don’t consider the SABSA as an EA Framework or Business Driven Risk Based Cyber Security Framework. For me, it is a thought-provoking mechanism without any boundaries or limits which can map to any extent to bring the best out of best. The beauty of SABSA is in its openness because it only stops where our thoughts stop.

I wish the SABSA team the best of luck!

