November Newsletter

Updates from The SABSA Institute for the month of November 2024

Greetings from The SABSA Institute!

SABSA World Canberra

November saw a very successful SABSA World Canberra event on Thursday, the 21st. The event was held during the ISACA Canberra monthly meeting and was sponsored by David Lynas Consulting (DLC) in collaboration with ISACA, the Australian Information Security Association (AISA) and The SABSA Institute.

About fifty participants attended David Lynas’ presentation, Conquer The Architect’s Eternal Dilemma: Turning Strategy into Reality, and listened attentively as David presented his latest insights.

David Lynas presenting Conquer The Architect’s Eternal Dilemma: Turning Strategy into Reality at SABSA World Canberra

SABSA Master and DLC Director Michael Hirschfeld opened proceedings for DLC, followed by David’s presentation and a closing speech by Gareth Watters. There were also door prizes of a bottle of Penfolds red wine and a COSAC Journal.

Michael Hirschfeld giving an opening speech for DLC

Audience feedback on Conquer The Architect’s Eternal Dilemma: Turning Strategy into Reality was extremely positive, with one attendee saying that it was undoubtedly ‘One of the best presentations of the year!’

Other SABSA World events

SABSA World is the banner under which SABSA community members and practitioners can organise events and gatherings to connect with one another. SABSA World can be an evening talk, a weekday lunch, a study group or a casual social networking event and may be regularly scheduled or spontaneous and occasional.

All SABSA World activities are intended to be a welcoming space for everyone, seasoned SABSA practitioners and the SABSA-curious alike.

Australia

Melbourne

26th November, Tuesday

SABSA World Melbourne – Monthly Security Architect’s Lunch
A monthly casual networking lunch for the local security architect community, whether you are SABSA-curious or a SABSA enthusiast.

The November monthly security architect’s lunch was held at The General Assembly, which is located immediately outside the venue of the AISA CyberCon Melbourne conference this year, and The SABSA Institute welcomed attendees from the SABSA community from all across Australia.

To find out more details about the December monthly lunch event in Melbourne and register to attend, please contact Kirk Nicholls.

Belgium

Brussels and online

27th November, Wednesday

SABSA World Belgium with guest speaker Steven Bradley

Cutting the Gordian Bowtie: Untangling the Challenge of Multi-Regulatory Compliance with Precision, Style (and Models!)

Does the classic compliance bow-tie have you tangled in knots?

On the left-hand side, how to consolidate multiple citation documents (regulations, control frameworks, maturity models, etc.) into a minimal, normalised set that insulates the project teams from the background scale and complexity. On the right-hand side, how to select those controls that are in-scope and applicable to a particular situation. 

In the session, Steven guided participants through one of the great challenges of our time using a security modelling-based approach. 

Read more about this event here and get in touch with Steven via email.

And possibly, London in 2025! 

Beaumont City Tower, 40 Basinghall St, London EC2V 5DE (To be confirmed)

Potentially in January 2025

Calling all SABSA enthusiasts in the UK and London!

The SABSA Institute is thinking of potentially kick-starting SABSA World London with a tentative event in January 2025. SABSA member and advocate Simon Cross has graciously offered to host a SABSA World gathering in London at his office space, which could be used for hosting SWL events and meetings and has an approximate seating capacity of 25 to 30 people, in addition to a reception and kitchen area.

We are looking for speakers who would be keen to present. If we can garner enough support and participants for this event, it may be a fantastic start to future regular SABSA World London events in 2025! Interested speakers are warmly invited to reach out to Simon at scross@infoblox.com.

Do note that initial places are limited, so please register your interest early with Simon to attend as a speaker and/or a participant. Everyone who wishes to support the idea of SABSA World London and attend this event is highly encouraged to contact Simon for more details.

SABSA World Groups 

The following are pages for SABSA World community groups which organise events and provide resources to security architects around the world. For more information on how to join, help, host or participate in SABSA World community groups, please visit:

Australia

SABSA World Australia is a community project focused on the Australian SABSA Community, but is open to all. 

Links to SABSA World Australia pages, events, and resources can be found via the Linktree: https://linktr.ee/sabsaworldaustralia

Europe

For information on upcoming events in Europe, follow SABSA World Belgium

Australian Cyber Conference 2024

Melbourne, Victoria

26th to 28th November 2024

Melbourne Convention and Exhibition Centre

SABSA Speakers at CyberCon Melbourne

Many members of the SABSA community presented talks at the Australian Cyber Conference 2024 in Melbourne last week. Here is a list of the speakers along with their presentation titles.

Andrew Bandeira, SCF 

Learning from insecure architectures: applying opposite thinking 

Ankur Kumar, SCF 

The failure of cyber security investment (Co-presented with Robert Laurie, SCM) 

Allen Baranov, SCF 

The future of GRC is here – Just unevenly distributed 

Bethany Victoria Sinclair-Giardini 

Weaving archival threads into SABSA’s security fabric 

Bruce Large, SCF 

The State of the Cyber Security Architecture Community in Australia

Malcolm Shore, SCM 

SOC200 and Threat Hunting with Kali Purple 

Robert Laurie, SCM 

Smooth seas do not a good architect make 

Steven Kintakas, SCF 

A clockwork CISO 

Team members of our Accredited Education Partner (AEP), David Lynas Consulting (DLC), were also on stand to discuss Accredited SABSA Training, including SABSA Co-author and Head of The SABSA Institute, David Lynas.

Appointment of Deputy Chair of the EMEA & NA Liaison Group

The SABSA Institute’s Board of Trustees would like to warmly welcome Gordon Jenkins as the new Deputy Chair of the EMEA & NA Liaison Group. We are delighted to announce Gordon’s new role, and look forward very much to having him participate in Board Meetings as a non-voting participant and an observer.

Message from Gordon, EMEA & NA LG Chair:

Hello. I’m Gordon Jenkins. I’ve recently volunteered to step in as Deputy Chair of the EMEA & NA Liaison Group.

I’ve been working in security for over 20 years. My career has been entirely in financial services, working across multiple sectors, and most recently in general insurance. I’ve been lucky to have roles with wide remits, covering many areas of security risk and control. Eventually I found my way into Security Architecture, and that’s where I’ve stayed. 

Since I got involved in security in 2001, the threats and control technologies have changed massively. Despite all that change in the tech, I find that we’re still having the same conversations (and the same misunderstandings) about the same business risks, over and over. The security profession has really struggled to help the business understand what security means. This might be the most important problem we face in security these days. Our business colleagues need us to solve that problem now. SABSA is the best framework to help us do this. 

I volunteered to join the Liaison Group because the world needs more SABSA practitioners. But when we get back to our desks after the Foundation training, a lot of us find it difficult to know where to start. Helping each other to take those first steps would be a great way to accelerate the use of SABSA and grow the number of active practitioners. If you have any ideas on how the Liaison Groups can help make this work, then I’d love to hear them.

Thanks.

Gordon

To contribute ideas towards the EMEA & NA LG, do email Gordon.

APAC LG Study Group

The APAC Liaison Group is establishing a study group for aspiring SABSA Practitioners. There is a growing need for more Practitioners in the industry, and we hope this initiative will lead to an increase in paper submissions and successful certifications. An initial post on social media has drawn interest from a few aspiring Practitioner Paper writers, and our aim is to organise a study meeting in early December.

For more details, please speak to Rahul Lobo.

Interested in joining a Liaison Group? 

Both EMEA & NA and APAC LGs welcome expressions of interest from community members who are keen to join. TSI Members can join either group, based on their time zone, location or preference.

Members who would like to join an LG are encouraged to write in to:

EMEA & NA LG 
LG-emea@sabsainstitute.org

APAC LG
LG-apac@sabsainstitute.org 

SABSA Enhanced NIST Cybersecurity Framework (SENC) Working Group

October update from Glen Bruce, Leader of SENC:

The SENC project has made a lot of progress this month with a concentration on the NIST CSF Business Attributes component of the project. Two conference calls were held with SENC team members in early October to review the overall project and the facilities that support the project efforts. The two meetings were needed to accommodate the global distribution and respective time zones of the team members. These meetings were also used to focus on the Business Attributes component, which is one of the foundational components of the SENC project. Bruce Large was instrumental in setting up the task management structure for this component to have additional guidance and tools to focus the efforts of the team members. Bruce has provided much needed help in establishing and shepherding the processes required to manage this globally distributed project effort.    

The objective of the Business Attributes component of the project is to generate a comprehensive collection of business attributes inspired by the NIST CSF 2.0 and create the corresponding Attribute Profiles including the definitions, attribute measurements and metrics, performance targets and industry sector applicability. Several of the project members have taken up the challenge of creating and documenting a set of business attributes for the CSF categories that they have assigned themselves. By the end of October, we had a good working collection of attributes derived from the majority of the NIST CSF subcategories.

The next step is to fill in the additional profile information for the attributes to make them into a fully formed NIST CSF 2.0 Business Attributes Repository. The current plan is to then create a document to include this attribute repository and guidance for the use of the attributes in the TSI SABSA Business Attributes for NIST CSF 2.0 document. This document will provide guidance on aligning and integrating the NIST CSF 2.0 into the security architecture to front-end the use of the CSF. We will also include example Business Attribute Profiles for selected business or industry sectors in this document. The short-term goal is to have a draft document for this SENC project component available for review by the end of 2024.

To contribute to the SENC WG, please write to Glen.

TSI Training and Certification 
 
SABSA training is available through the TSI network of Accredited Education Partners (AEPs). Our training covers all levels in the SABSA training continuum from Foundation to Practitioner.  
 
Certification by TSI is competency-based and requires candidates to demonstrate the knowledge, skills and abilities required to use the SABSA method in the real world. SABSA Certification Examinations can only be taken after completion of training provided by a TSI AEP.
 
For more details, please refer to the TSI AEP website.

Upcoming Courses 

A schedule of all upcoming SABSA-approved (non-certification based) and SABSA official (certification-based) courses can be found on our website here

Recommended Reading

A monthly selection of material assembled by the Publications Team for the SABSA community.

How to Ace Your SABSA Advanced Architecture Exam 

Part 1 and Part 2 

This two-part post from Esther Schagen-van Luit discusses her approach to passing SABSA Advanced (Practitioner) course examinations. It can be challenging to complete and submit the examination work for many reasons. Hopefully this writing will help a few more members across the line.

SABSA at Work

TSI SW101 SABSA Applied to Top-Secret Classified Information 

SABSA-at-Work is a series of case studies, either fictitious or from real enterprises, made available to TSI members. The authors of the work present their own interpretations of SABSA and, as such, there may be variations from what you may find in more formal publications such as white papers.

SABSA Webinar 

Using Wardley Mapping for Situational Awareness and Decision Making 

Mario Platt provides an introduction to Wardley mapping as a strategy development framework and how it can help inform decisions at different layers of the SABSA matrix. He discusses the concepts of climatic patterns and doctrine, which can help the Security Architect in identifying risks and opportunities to the delivery and management of our enterprise security architecture. 

SABSA Publishing

The pen is mightier than the sword, and as such we are calling for expressions of interest to join the SABSA Publications Team in the following roles:

Author of

SABSA Practitioner exam papers  

SABSA Master exam papers 

University papers 

Team members

Technical Writer 

LaTeX software typesetter

Editor/ Reviewer

Technical document translator

Graphic designer

Video editor 

If you feel prompted to step forward and are interested in contributing in whatever way you can, please contact Kirk Nicholls via email.

Thank you.

COSAC APAC 2025

The COSAC APAC 2025 Information Security Conference will take place in Melbourne from 25th to 27th February. The agenda includes a full SABSA Stream across three days. Early-booking prices for delegate registration will remain available until 30th November 2024. 

For anyone looking to apply for sponsorship, The SABSA Founders Bursary aims to award at least one fully funded place at COSAC APAC in Melbourne annually. For more information on the bursary, please refer here

Individuals and industry organisations who are interested in donating to the SABSA Founders Bursary may also do so here.

A special achievement and major milestone of The SABSA Institute will be announced and highlighted in next month’s December issue.

Until then, best wishes and take care.

The SABSA Institute