David Lynas Consulting Limited 2017
Transform the Security Conversation
Enablement : Excellence : Value
eCrime Singapore, 4 May 2017
David Lynas
CEO David Lynas Consulting Ltd
CEO The SABSA Institute CIC
COSAC Chairman
Your Presenter – David Lynas
36th year in Information Security
Co-author of SABSA
CEO SABSA Institute
SABSA Accredited Education Provider
Co-author “Enterprise Security Architecture”
ISBN 1-57820-318-X
Architecture & strategy clients on every continent
Fellow BCS & CSI Lifetime Achievement Award
Founder and chair of COSAC
Agenda – Use SABSA to Transform the Security Conversation
The World’s Leading ESA Method & Framework
Free-use Methodology & Framework
Certified Architects in 60+ Countries
Formal regulated Professional Institute
Official & de facto Standard
Government, Finance & Industry
Change the Landscape of Security & Risk Management, Enable Business and Bring Demonstrable Value to Your Security Program
SABSA Top Ten Applications
Security Architecture
Enterprise Architecture
Traceability & Alignment of Solutions to Business Requirements
Enterprise Risk & Opportunity Management
Assurance, Compliance & Audit
Governance & Policy Architecture
Technical Solutions Design
Integration & Alignment of approaches, framework & standards
Security Service Management Framework
Critical National Infrastructure Strategy
The Security Language Barrier
“What are your security requirements?”
“I don’t know – that’s what I pay you for!”
“I can give you Confidentiality!”
“But I didn’t go into Business to achieve confidentiality”
“Do you lose sleep worrying about scary threats?”
“I lose sleep worrying about opportunities I can’t grasp!”
“What about DDOS, ZeroDay, Bots, Phishing, Malware and RootKits?”
“¿Qué? Huh? Say what?”
Requirements are lost in translation
We ask the wrong question
We offer a non-business solution to a business problem
We talk the wrong language
We sell negatives to stakeholders who desire… enablement, excellence & value
What Really Matters
Seraph to Neo – The Matrix Reloaded
“I protect that which matters most”
Transform Language of Requirements
SABSA Attributes Profiling Technique
Engineering technique for modelling Business Requirements into normalised, measurable, demonstrable, re-usable, reportable form
The “Things that matter most”
Instinctive to stakeholders at all levels
Measurable, to define performance targets and risk appetite
Populates the missing link between Business and Security
Delegates Risk Appetite & Performance Targets
Example: Values of an NHS Trust
Patient Focussed
Respectful
Trusted
Clear
Prioritised
Responsible
Professional
Communicative
Innovative
Example: NHS Trust Strategic Plan
Quality
Effective
Error-Free
Financially Sustainable
Available
Accessible
Mobile
Scaleable
Timely
Safe
Reliable
A Hierarchy of Systemic Understanding
Systemic Interactions
Vertically
Peer-to-peer
Delegation of risk appetite
Governance, Ownership & delegation of responsibility
Every subdomain contributes performance to its superdomain
Subdomains exist to serve the risk & performance appetite of the superdomain
Transform the Language of Security
Patient Focussed, Prioritised, Financially Sustainable, Trusted, Responsible, Error Free, Culture Sensitive, Available, Cost Effective, Accountable, Compliant, Protected
Identified, Authenticated, Authorised, Access Controlled, Reliable, Resilient, Recoverable, Standards Compliant, Integrity Assured, Educated & Aware, Confidential, Auditable, Re-usable, Monitored, Affordable, Accessible
Attributes for Two-Way Traceability
The Language of Horseshoe Nails
Risk Appetite Distribution, Policy Delegation & Systemic Risk
But HOW does the King check the horseshoe nails?
“For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a nail.”
— George Herbert, Jacula Prudentum, 1651
Transform the Language of Governance
Accountable
Responsible
Performance Target / Risk Appetite: Distributed Downwards
Contributing Risk / Performance: Aggregated Upwards
The Secret to Measures & Metrics: “What Have you Done for me Lately?”
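As an added example (not part of the talk or of the SABSA material itself), the governance model of this slide and the earlier hierarchy slide in code: each attribute carries a performance target and a risk appetite set by the accountable superdomain, subdomains measure it and report, and contributing performance is aggregated upwards as a status the owner can read. Attribute names come from the slides; the domain names, metrics, thresholds and measurements are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Added illustration, not SABSA's own material: attribute names come from
# the slides; metrics, thresholds, domains and measurements are constructed.
@dataclass
class Attribute:
    """A 'thing that matters', made measurable: target = performance target
    the owner wants, appetite = the worst value the owner will tolerate."""
    name: str
    metric: str
    target: float
    appetite: float

    def status(self, measured: float) -> str:
        # Two sides of the same coin: one measurement, judged against both.
        if measured >= self.target:
            return "GREEN"   # performance target met
        if measured >= self.appetite:
            return "AMBER"   # inside risk appetite but short of target
        return "RED"         # outside risk appetite: owner must act

@dataclass
class Domain:
    """Owner is accountable for the domain; subdomains are responsible for
    contributing performance to it (measurements keyed by attribute name)."""
    name: str
    measured: Dict[str, float] = field(default_factory=dict)
    subdomains: List["Domain"] = field(default_factory=list)

RANK = {"GREEN": 0, "AMBER": 1, "RED": 2}

def aggregate(domain: Domain, attr: Attribute) -> Optional[str]:
    """Roll performance upwards: worst status in the domain's own measurement
    or any subdomain; None if nothing in the subtree measures the attribute."""
    found = []
    if attr.name in domain.measured:
        found.append(attr.status(domain.measured[attr.name]))
    found += [s for s in (aggregate(d, attr) for d in domain.subdomains) if s]
    return max(found, key=RANK.__getitem__) if found else None

def report(domain: Domain, profile: List[Attribute]) -> Dict[str, Optional[str]]:
    """'What have you done for me lately?': one status per attribute."""
    return {a.name: aggregate(domain, a) for a in profile}

# Constructed sample: a Trust-level superdomain delegating to two subdomains.
AVAILABLE = Attribute("Available", "monthly uptime %", target=99.9, appetite=99.5)
AUTHENTICATED = Attribute("Authenticated", "% logins with strong auth", 100.0, 95.0)
TRUST = Domain("Trust", subdomains=[
    Domain("Clinical Systems", {"Available": 99.95, "Authenticated": 100.0}),
    Domain("Patient Portal", {"Available": 99.7, "Authenticated": 90.0})])
```

Running `report(TRUST, [AVAILABLE, AUTHENTICATED])` shows the superdomain as AMBER on Available and RED on Authenticated, because the weakest subdomain sets the status the accountable owner sees.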
Transform the Language of Governance
Customer Focussed, User Centric, Profitable, Reputable, Trusted, Crime Free, Culture Sensitive, Available, Cost Effective, Accountable, Compliant, Protected
Identified, Authenticated, Authorised, Access Controlled, Reliable, Resilient, Recoverable, Standards Compliant, Integrity Assured, Educated & Aware, Confidential, Auditable, Re-usable, Monitored, Affordable, Accessible
Attributes for Reporting: Governance & Compliance
Balanced Risk Theory
Two Sides of the Same (Attribute) Coin
Measurable
Performance target
Risk Appetite
Risk v Reward
The Language of Risk Balance
Control: Protect, Maintain, Prevent Damage, Stop, etc.
Enablement: Enhance, Increase, Enable, Go, etc.
The Language of Risk Balance
Control Objective: Protect life, Prevent Crash
Enablement Objective: Go Faster, Increase Trust
Control Enabler
SABSA Risk Balance Model
Transform the Language of Risk
Attributes for Risk & Opportunity Management
The Language of “The Boss”
“Either you demonstrate support for my business objectives or
you are a business prevention department getting in my way!”
Transform the Language of Strategy
Attribute for Strategic Road Mapping
Current-state Target-state
More Information
The World’s most experienced SABSA Delivery Team
Contact [email protected]
Visit David Lynas Consulting / SABSAcourses in the Exhibition Hall and enter the draw for a free place on our next Singapore course
Singapore Official Training
12 – 16 June 2017
Sabsacourses.com