An interesting week: Lockdown 2.0, ‘The Sequel’, started and I spent the week back in school, virtually. One of our clients is proposing to use the SABSA framework to better develop the security within their organisation. This is a framework I have previously come across, and given the clients we are now engaging with, I took the time to attend a week-long SABSA Foundation training course with SABSAcourses. This is not a review of the specific course, which was excellent; our tutor, Maurice Smit, is one of the SABSA Board of Trustees, so I can confirm the content, case studies and examples were brilliant. This is more to start a conversation around the benefits that SABSA can bring to an organisation.
Solving Business Problems
One of the biggest reasons for pushback within an organisation when implementing new security policies and controls is that they do not actually work for the business. I have long advocated that, when done correctly, security can provide operational benefit, and that when done badly it just leads to informal practices and workarounds that add to the risks the organisation is exposed to. My favourite example is a large organisation that had a blanket ban on USB memory sticks, which ‘generally’ is a good idea, but the person drafting the policy had no idea that within one department their business practices meant they received about a dozen USB memory sticks a week. This was in order to reduce the workload within the department and to avoid duplication of effort (sorry for the vagueness, but you know how it is, security and all that). The result was some Grey IT: an informal process the business had no idea was going on, so it had no means by which to manage the risk associated with it.
By starting with the business, and putting that at the forefront of the security piece, it provides a means by which all the controls (and by that I mean all the shiny new technological baubles) align with the business processes, rather than the traditional way, where IT procures a new system and then forces the business to bend to its way of doing things.
One of the other true benefits I see with SABSA is that it brings the whole lifecycle into the process, including the service management element, right from the outset. This means all the great ITIL best practices are built in from the start, rather than added at the end, which is what tends to happen.
It is a first-world problem that, due to the restrictions associated with managing Covid-19, the proctored exam for the SABSA Chartered Architect – Foundation Level (SCF), which would normally be taken on completion of the course, is going to have to happen sometime in 2021. This is a double-edged sword; I already have experience using the framework, and am continuing to use it, so my knowledge of the subject is continually increasing, but as we all know, exams are about answering the question in the way in which the examiner thinks, and having spent a week getting my head filled with ‘the SABSA way’, that is the best time to take the exam. The good news for those of us who attended the virtual course is that there will be an exam refresh session prior to the exam. So, watch this space and I will update once I have sat the exam.