Leadership & Governance

The SABSA Institute has an organisation model summarised in the diagram:

The Founders

Four original members, known as The Founders, founded The SABSA Institute as a vehicle to develop and promote the SABSA education and training programme, and to be the centre for on-going research and development of the SABSA IP. It existed at first as a concept from 2007 but was formally incorporated as a Community Interest Company under UK company law on 11th March 2013. The founders are: David Lynas, John Sherwood, Zika Milenkovic and Matt Whelan (deceased).

Matt Whelan passed away after a long illness before we could bring the Institute to full incorporation, but his huge contribution to the development process is remembered in the annual prize awarded for the “Best” Advanced SABSA Exam Answer submitted by SABSA Practitioner or Master candidates.  “Best” does not necessarily mean the exam answer receiving the highest mark from examiners.  Rather, to commemorate the enormous contribution by our greatly missed colleague and fellow founder Matt Whelan, the Founders, with the support of the Whelan family, evaluate exam answers that reflect Matt’s defining characteristics including: innovation, determination and succeeding against the odds.

The prize is known as “The Founders’ Matt Whelan Commemorative Award” and has a cash value of GBP 500. The annual period for the award now runs from 1st October to 30th September, and the award is announced at the Gala Dinner at COSAC (Republic of Ireland) each year.

Board of Trustees

The overall governance of The SABSA Institute comes from the decisions of the elected Board of Trustees. The current Board was appointed by the Founders of the Institute on 1st October 2014 to bootstrap the launch of the Board and to ensure international representation and broad industry sector representation. The current Board has been further strengthened in October 2017 by the appointment of some additional members. In future there will be an electoral process for the SABSA Community to elect it’s own representatives. An election process will be used to determine membership of the new Board on a three year staggered cycle, so that one third of the Board is elected every year to ensure continuity. The detailed election process and scheduled launch date has yet to be developed.

The ex-officio officers of the Board are the President, the President Elect, the Previous President, Chief Architect and the Deputy Chief Architect of SABSA. These members do not need to be elected by the membership while their term of office is still running. In the future the Institute may employ a General Manager to take the role of Chief Operating Officer as a paid employee. This post holder would also be an ex officio member of the Board. At the present time we have a volunteer fulfilling this role. All Board members are also Directors of the company under UK Company law.

The first President is David Lynas, who was appointed by The Founders to take this role during the bootstrapping phase. As first President be will serve for six years, beginning at the time when the electoral process for the Board is launched. He will then serve another three years on the Board as Previous President, Following the initial six years of office for the first President, there is a nine-year cycle of presidential office: three years as President Elect, three years as President, and three years as Previous President, all being ex officio members of the Board.

Depending on the rules yet to be determined, a retiring Previous President may stand for re-election as a regular Board Member. However, after a nine-year presidential service cycle those who have served may decide to make way for newcomers.

Currently in 2018 the international Board of Trustees comprises the following members:

David Lynas
David Lynas CEO, The SABSA Institute (UK)

David has over 32 years of experience in Information Security.  He is a co-author of the SABSA Blue Book as well as the Head of the SABSA Institute.  David is also the co-author of “Enterprise Security Architecture” and the “SABSA Pocket Guide”.  David is a Fellow BCS & CSI Lifetime Achievement Award winner.  He is also the Founder and Chairman of COSAC and SABSA World Congress.

Email: david.lynas@sabsainstitute.org

John Sherwood
John SherwoodChief Architect, The SABSA Institute (UK)

John Sherwood is a Founder of The SABSA Institute. He is the thought leader and author of the SABSA framework and is its Chief Architect. John’s career as an IT and risk professional dates from 1971. Following an academic career in software engineering and digital communications systems he began with information security in 1985, consulting to major international enterprises and governments. He has published more than 100 conference papers and a similar number of learned articles on the topic.

Email: john.sherwood@sabsainstitute.org

Zika Milenkovic
Zika Milenkovic

Managing Director, ALC Group (Australia)

Zika has been involved in IT and technology training since 1981 when he was co-founder of MTE Management Technology Education, Australia’s leading technology training company during the 80s, with hands-on training centres in Sydney, Melbourne and Perth and a parallel stream of leading-edge seminars on developments in IT.

Subsequently Zika was co-founder with Catalina Lechner in 1994 of ALC Training (www.alctraining.com.au) providing IT seminars throughout Australia, New Zealand and Asia-Pacific. ALC had a number of firsts including: first seminar in Australia on the internet (November 1994); first seminar in Australia on eCommerce (May 1998); seminars on information security as early as 1995 (including seminars with John Sherwood); launched ITIL in Singapore and Malaysia (July 1998).

With business partner Matt Whelan, ALC held the first SABSA Foundation certificate courses in the world in Sydney (March 2007) and Singapore (May 2007).

John Czaplewski
John Czaplewski

John has more than 16 years experience providing risk management and security assessment services to federal agencies and commercial enterprises.  John joined the Board of Directors of The Institute in 2014.  His area’s of specialty include: Enterprise Security Architecture and SABSA • Enterprise Risk Management • NIST Risk Management Framework • FISMA compliance for the commercial sector • FISMA compliance readiness review, planning, implementation, and assessment • Security Authorization-Certification & Accreditation (C&A) • Cloud Security • FedRAMP
Email: john.czaplewski@sabsainstitute.org

Maurice Smit
Maurice Smit

SABSA Instructor & Principal Consultant, David Lynas Consulting Ltd, (Netherlands)

Maurice R.P Smit is an Information Risk & Security Management specialist with over 18 years of IT experience including development, operational maintenance and management. He was one of the first people in Europe to achieve SABSA Master Certification.

Maurice has contributed significantly to the development of the SABSA methodology, including co-authoring the “SABSA for Enterprise Risk Management” training course and leads the volunteer effort “SABSA World” with the aim of establishing regional SABSA communities of interest.

Within TSI Maurice is responsible for Online Member services

Email: maurice.smit@sabsainstitute.org

Esther Schagen-van Luit
Esther van LuitSenior Consultant, Risk Advisory at Deloitte LLP (Netherlands)

Esther is a junior manager at Deloitte’s Cyber Risk Services. She specializes in security risk and maturity assessments, but her ambition is to become a full-stack security professional. Esther researches the cybersecurity skills gap and develops solutions on artificial intelligence in security and cybersecurity workforce development. She encourages women and girls to pursue a career in technology/security.

Esther has won the Techionista ‘Tech Favourite’ Award 2018 and was finalist for the Cyber Security Awards 2015 ‘Woman of the Year’ category.

Peter Nikitser
Peter Nikitser

Director, ALC Cyber Security Pty Ltd (Australia)

Peter has over 30 years of industry experience in Information Security. He is a co-founding member of the Australian Computer Emergency Response Team (AusCERT) and Sri Lankan national CERT (SL-CERT) and became the first Australian to achieve SABSA Masters. He also holds a Masters of Information Technology from the Queensland University of Technology and is a current IRAP assessor for the Australian Government. He has worked for government, financial, oil and gas, consulting firms and research institutes. His specialities include: SABSA, IRAP, PCI, ISO27001, NIST Cyber Security Framework. Peter authored the UNIX Security Checklist for AusCERT and recently co-authored a new Australian Standard AS7770:2018 Rail Cybersecurity.

Chris Blunt
Chris BluntDirector and Consulting Partner at Axenic Ltd (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist security and privacy consultancy he co-founded in 2009. He has over 25 years of ICT industry experience, specialising in security for the last 13 years.

Chris specialises in Enterprise Security Architecture. He is an exponent of business-driven security and is passionate about delivering practical advice that enables his clients to achieve their business objectives.

Chris has a Masters in Information Management (MIM) and is a SABSA Chartered Master (SCM).

Char Sample
Dr Char Sample

Research Fellow, ICF International/ US Army Research Labs (USA)

Dr. Char Sample is research fellow employed for ICF International at the US Army Research Laboratory in Adelphi, Maryland, and is also with the University of Warwick, Coventry, UK.

Dr. Sample has over 20 years experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture, other areas of research are information weaponization, data fidelity, and deceptive data.

Dave Hornford
Dave Hornford


Dave has over twenty-five years continuous experience in organizational change & information systems. His specialities include Enterprise Architecture, Strategy, Project leadership & execution.  Dave has served as a member of the Board since October 2014.

Muhammad Zubari (Mz) Omarjee
MZ Omarjee
Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) is an Enterprise Security Architect with Standard Bank GroupSouth Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

Together with 17 years of experience in the Banking and IT sectors, Muhammed Zubair (Mz) has architected and delivered a diverse portfolio of successful IT projects. He has been instrumental in key enterprise wide IT initiatives as it relates to: Design and development of Mobile banking and Speech Banking Solutions, Defining organizational strategies for Cyber Resilience, Driving the implementation of a strategic enterprise wide Digital Identity and Access Management initiatives, Designing of a multi-channel architecture aiming to integrate vertical and horizontal business domains within Standard Bank, and Establishing an Enterprise Architecture Practice.

Kirsten Lewis
Kirsten Lewis
General Manager, The SABSA Institute

Kirsten is the General Manager for The SABSA Institute. She has over 10 years’ experience in Business Administration. She holds a Bachelors of Business (Communication) degree from Bond University, and is SABSA Foundation certified. Kirsten has been involved in the successful listing of two companies on both the Johannesburg Stock Exchange (JSE) and Mauritius Stock Exchange (MSE), with a focus on Corporate Governance. She has a focused and results driven approach to ensuring successful project delivery.

No upper limit has been placed on the size of the Board. This and other matters concerning Board elections will be considered and decided by the Board during 2018.

Regular Board teleconference meetings are held on the fourth Monday of each calendar month, and a face-to-face meeting is held every six months, one at the end of September at COSAC in the Republic of Ireland, and one that will move from location to location in April each year. In 2016 the April meeting took place in Amsterdam, Netherlands.

Advisory Council

The Advisory Council will be a panel of industry experts invited by the Board of Trustees to provide strategic advice to the Board. It will have an advisory function only and will have no powers of direct governance. However, it will provide the Board of Trustees with an independent source of input to keep in touch with the evolving world stage for risk management and security. The Board will review this plan in mid 2018 to assess whether or not we are ready for it.

SABSA Academic Board

The Academic Board oversees all matters concerning the SABSA Education, Training and Certification programme. This Board comprises the Chief Education Officer, the Chief Architect, the Deputy Chief Architect and all accredited trainers. The Chief Education Officer is the chair of the Academic Board.

The Chief Education Officer is responsible for the development, approval and management of all education and training IP materials and is accountable to the Board of Trustees for maintaining the high quality of these materials. The Chief Education Officer coordinates all development activities regarding new training materials and new courses, and refreshing previous course versions with new IP or improved presentation materials.

The role of the Academic Board is to ensure that all training materials conform and are consistent with the definitive SABSA IP Body of Knowledge and Competencies, as approved by the Chief Architect and the Chief Education Officer.

The Board of Trustees only oversees education and training materials by ensuring that the relevant subject matter expertise has been deployed in the development and approval of the courseware, and that well-defined processes are in place and are followed to achieve this. SME content development and approval of the courseware is the role of the appointed subject matter experts and the Academic Board.

The Academic Board is responsible for reviewing, contributing to and developing the learning objectives in the Competency Framework, under the leadership of the Chief Education Officer, who has ultimate accountability to the Board of Trustees for the content and quality of the Competency Framework.

The Academic Board is also responsible for ensuring that all training materials are ‘teachable’ and address the required competencies, and that all trainers are competent to teach the courseware. The Chief Education Officer is accountable to the Board of Trustees for these matters.

Working Groups and Intellectual Property Development

The Chief Architect (assisted by the Deputy Chief Architect) co-ordinates the initiation of new IP development projects (except the development of new education and training materials). Each project has a working group of members of The SABSA Institute who are subject matter experts (SMEs) in the relevant field.

The Board of Trustees approves the formation of IP Development Working Groups. Any new project must first produce a Project Charter setting out the scope and goals of the project. The Board of Trustees must approve this Project Charter for it to be valid. A detailed process is used to ensure that project charter development and approval is consistent and fair across all projects.

The Chief Architect is responsible and accountable for coordinating the development of the Project Charter and submission to the Board of Trustees for approval. After Board approval the Project Charter may be published.

Work in progress may not be published until it has been finalised and approved for release by the Board of Trustees. All applicable processes must be completed at the appropriate stages of the development, approval and publication of new IP.

All work in progress must be marked as ‘Confidential’ and all members of working groups must be made aware that leaked publications are a serious violation of trust that have the potential for bringing the reputation of TSI into question. The Board of Trustees is accountable and responsible for protecting the reputation of TSI, by ensuring that there are in place adequate processes for controlling the development, approval, release and publication of SABSA IP.

The Board of Trustees has final approval rights on the release of new IP to ensure that the highest possible quality is maintained and that no materials are released that may have a negative impact on the reputation of TSI. The Board of Trustees will pay attention to the acceptability of official SABSA IP materials in all cultures around the world. The Board of Trustees will also pay attention to all legal matters pertaining to the publication official SABSA IP, such as: Do we own it? Are we violating anyone else’s copyright? Is it libellous or defamatory? Is it legal?

The Board of Trustees only oversees subject matter expert (SME) content by ensuring that the relevant subject matter expertise has been deployed in the development and approval of the IP materials, and that well-defined processes are in place and are followed to achieve this. SME content development and approval is the role of the appointed subject matter experts.

Members of the Board of Trustees may also be SMEs in some areas, but they should ensure that they segregate their different roles according to the specific processes in which they play these roles.

In cases where The SABSA Institute decides to collaborate with another similar organisation (such as The Open Group) there must be a formal legally binding agreement between the two organisations on the roles and responsibilities of the participant organisations and on the ownership of IP that will arise from the collaboration.

The Chief Architect is responsible and accountable for ensuring that the development and approval processes have been followed, and for reporting to the Board of Trustees in documented form on the completeness of the processes. All decisions must be traceable prior to approval by the Board of Trustees of new IP for release and publication (except education and training IP materials, which fall under the remit of the Chief Education Officer).

The Chief Architect will report periodically to the Board of Trustees on progress in active projects. These reports will be status reports, not content reports.