Refreshing the Security Architecture Professional BoK

There is an important question to which security professionals need an answer: What is Cyber Security Architecture? There is some confusion about the answer. For many, if not most, the phrase refers only to technology structure. Others will inlcude people and processes. For another group, security architecture incudes high level governance structures. SABSA Practitioners fall into the latter category.

SABSA is the de facto global standard methodology for developing security architecture. One of the key characteristics of SABSA is its ability to act as an overarching framework, allowing all other security standards and methods to be integrated into a holistic architecture. Establishing a common set of concepts and terms is therefore an important pre-requisite for inter-operability between SABSA and other methods.

It is 2019 and there are many cyber security development programmes in progress around the world, many sponsored and funded by national governments. Most of the current national and international work is aimed at filling a skills gap in the cyber security profession, something that we at The SABSA Institute wholly support. The modern world needs more cyber security expertise. We at The SABSA Institute are engaged in educating, training and certifying professionally competent cyber security architects.

In my role as Chief Architect at The SABSA Institute I have some concerns that, although these nationally funded professional development programmes focus on some highly sophisticated technological aspects of cyber defence[1], there is a general lack of understanding of the need for holistic security architecture. I therefore want to publish a description of security architecture that can be used as a reference for defining the knowledge and competencies for professional cyber security professional architects. I believe that The SABSA Institute has an important role to play in leading the way to assist these other programmes to develop a body of knowledge (BoK) that includes a holistic end-to-end and wall-to-wall approach to cyber security architecture.

I’ve looked at a variety of ways to achieve this and it seems likely the best approach will be a series of documents exploring a range of topics, including: basic concepts and terminology, advanced concepts, principles, and the practice of security architecture using SABSA.

These documents will revisit much of the SABSA Body of Knowledge and republish the materials in updated forms. The objectives of the exercise are:

  • To ensure consistency of language and terminology throughout the BoK;
  • To provide an opportunity to update the BoK to match current SABSA Thinking;
  • To ensure that the material that has been developed over many years in multiple streams now has a consistency and logical flow;
  • To enable the SABSA Community members to check that their knowledge and understanding of the SABSA framework is up to date;
  • To identify gaps where further development work might be needed;
  • And, perhaps most of all, to provide a resource that will feed the other knowledge development programmes around the world.

The SABSA Insitute envisions a global business world of the future, leveraging the power of digital technologies, enabled in the management of cyber risk, information risk, information assurance and information security through the adoption of SABSA as the framework and methodology of first choice for commercial, industrial, educational, government, military and charitable enterprises, regardless of industry sector, nationality, size or socio-economic status, and leading to enhancements in social well-being and economic success.

By refreshing the published body of knowledge we can best achieve this outside of our own direct education programme. Look out for the first of these publications in the next few months.

[1] For example, the UK CyBOK project: https://www.cybok.org

Chief Architect

2 thoughts on “Refreshing the Security Architecture Professional BoK

I am looking forward to reading and using the BoK. Have you closely reviewed NIST’s National Initiative for Cybersecurity Education? https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

I think a security architecture BoK would be very welcome. Keeping it agnostic keeps it powerful, and flexible.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.