1. David Lynas Consulting Limited 2017
Transform the Security Conversation
Enablement : Excellence : Value
eCrime Singapore, 4 May 2017
David Lynas
CEO David Lynas Consulting Ltd
CEO The SABSA Institute CIC
COSAC Chairman
2. Your Presenter – David Lynas
36th year in Information Security
Co-author of SABSA
CEO SABSA Institute
SABSA Accredited Education Provider
Co-author “Enterprise Security Architecture”
ISBN 1-57820-318-X
Architecture & strategy clients on every continent
Fellow BCS & CSI Lifetime Achievement Award
Founder and chair of COSAC
3. Agenda – Use SABSA to Transform the Security Conversation
4. The World’s Leading ESA Method & Framework
Free-use Methodology & Framework
Certified Architects in 60+ Countries
Formal regulated Professional Institute
Official & de facto Standard
Government, Finance & Industry
Change the Landscape of Security & Risk Management, Enable Business and Bring Demonstrable Value to Your Security Program
5. SABSA Top Ten Applications
Security Architecture
Enterprise Architecture
Traceability & Alignment of Solutions to Business Requirements
Enterprise Risk & Opportunity Management
Assurance, Compliance & Audit
Governance & Policy Architecture
Technical Solutions Design
Integration & Alignment of approaches, framework & standards
Security Service Management Framework
Critical National Infrastructure Strategy
7. The Security Language Barrier
“What are your security requirements?”
“I don’t know – that’s what I pay you for!”
8. The Security Language Barrier
“I can give you Confidentiality!”
“But I didn’t go into Business to achieve confidentiality”
9. The Security Language Barrier
“Do you lose sleep worrying about scary threats?”
“I lose sleep worrying about opportunities I can’t grasp!”
10. The Security Language Barrier
“What about DDOS, ZeroDay, Bots, Phishing, Malware and RootKits?”
“¿Qué? Huh? Say what?”
11. The Security Language Barrier
Requirements are lost in translation
We ask the wrong question
We offer a non-business solution to a business problem
We talk the wrong language
We sell negatives to stakeholders who desire……
enablement, excellence & value
12. What Really Matters
Seraph to Neo – The Matrix Reloaded
“I protect that which matters most”
13. Transform the Language of Requirements
SABSA Attributes Profiling Technique
Engineering technique for modelling Business Requirements into normalised, measurable, demonstrable, re-usable, reportable form
The “Things that matter most”
Instinctive to stakeholders at all levels
Measurable, to define performance targets and risk appetite
Populates the missing link between Business and Security
Delegates Risk Appetite & Performance Targets
14. Example: Values of an NHS Trust
Patient Focussed
Respectful
Trusted
Clear
15. Example: Values of an NHS Trust
Prioritised
Responsible
Professional
Communicative
Innovative
16. Example: NHS Trust Strategic Plan
Quality
Effective
Error-Free
Financially Sustainable
Available
Accessible
Mobile
Scaleable
Timely
Safe
Reliable
17. A Hierarchy of Systemic Understanding
Systemic Interactions
Vertically
Peer-to-peer
Delegation of risk appetite
Governance, Ownership & delegation of responsibility
Every subdomain contributes performance to its superdomain
Subdomains exist to serve the risk & performance appetite of the superdomain
18. Transform the Language of Security
Patient Focussed, Prioritised, Financially Sustainable, Trusted, Responsible, Error Free
Culture Sensitive, Available, Cost Effective, Accountable, Compliant, Protected
Identified, Authenticated, Authorised, Access Controlled, Reliable, Resilient, Recoverable, Standards Compliant, Integrity Assured, Educated & Aware, Confidential, Auditable, Re-usable, Monitored, Affordable, Accessible
Attributes for Two-Way Traceability
19. The Language of Horseshoe Nails
Risk Appetite Distribution, Policy Delegation & Systemic Risk
But HOW does the King check the horseshoe nails?
“For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a nail.”
— George Herbert, Jacula Prudentum, 1651
20. Transform the Language of Governance
Accountable / Responsible
Performance Target / Risk Appetite distributed downwards
Contributing risk performance aggregated upwards
The Secret to Measures & Metrics: “What Have you Done for me Lately?”
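Slides 17 and 20 describe the mechanism behind the attribute profile: a performance target and risk appetite are delegated downwards from a superdomain to its subdomains, and each subdomain's measured performance is aggregated back upwards so the superdomain can answer “what have you done for me lately?”. The Python below is an added illustration of that mechanism; it is not code from the slides, from David Lynas Consulting or from the SABSA Institute. The NHS Trust domain tree, the “Available” figures and the weakest-link aggregation rule (a superdomain performs only as well as its worst subdomain) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AttributeMeasure:
    """One attribute's figures inside one domain (all values are fractions 0..1)."""
    target: float                      # performance target, delegated downwards
    appetite: float                    # lowest level the superdomain will tolerate
    measured: Optional[float] = None   # reported by leaf domains only


@dataclass
class Domain:
    name: str
    attributes: Dict[str, AttributeMeasure] = field(default_factory=dict)
    subdomains: List["Domain"] = field(default_factory=list)

    def delegate(self, attribute: str, target: float, appetite: float) -> None:
        """Distribute a target and risk appetite downwards to every subdomain."""
        existing = self.attributes.get(attribute)
        measured = existing.measured if existing else None
        self.attributes[attribute] = AttributeMeasure(target, appetite, measured)
        for sub in self.subdomains:
            sub.delegate(attribute, target, appetite)

    def report(self, attribute: str, measured: float) -> None:
        """A leaf domain reports what it actually achieved."""
        if self.subdomains:
            raise ValueError(f"{self.name} aggregates; it does not report directly")
        self.attributes[attribute].measured = measured

    def performance(self, attribute: str) -> float:
        """Aggregate upwards. Assumed rule: a superdomain is only as good as its
        weakest subdomain, so the minimum is taken (a real profile might weight
        subdomains differently)."""
        if not self.subdomains:
            m = self.attributes[attribute].measured
            if m is None:
                raise ValueError(f"{self.name} has not reported {attribute}")
            return m
        return min(sub.performance(attribute) for sub in self.subdomains)

    def status(self, attribute: str) -> List[Tuple[str, float, bool]]:
        """(domain, aggregated performance, within appetite?) for the whole tree,
        superdomain first, so a breach can be traced to the subdomain causing it."""
        perf = self.performance(attribute)
        rows = [(self.name, perf, perf >= self.attributes[attribute].appetite)]
        for sub in self.subdomains:
            rows.extend(sub.status(attribute))
        return rows


def build_example() -> Domain:
    """Constructed sample tree: an NHS Trust (as on the slides) with two
    subdomains; every figure here is invented for the illustration."""
    web = Domain("Web Front End")
    idp = Domain("Identity Service")
    portal = Domain("Patient Portal", subdomains=[web, idp])
    clinical = Domain("Clinical Systems")
    trust = Domain("NHS Trust", subdomains=[clinical, portal])

    # The Trust sets the target and appetite once; they flow down the tree.
    trust.delegate("Available", target=0.999, appetite=0.995)

    # Leaf domains report measured availability (constructed figures).
    clinical.report("Available", 0.998)
    web.report("Available", 0.990)
    idp.report("Available", 0.997)
    return trust


def breaches(root: Domain, attribute: str) -> List[str]:
    """Domains whose aggregated performance falls below the delegated appetite."""
    return [name for name, _, ok in root.status(attribute) if not ok]


if __name__ == "__main__":
    root = build_example()
    for name, perf, ok in root.status("Available"):
        print(f"{name:18s} {perf:.3f} {'ok' if ok else 'BREACH'}")
```

Run as a script, the status table shows the Web Front End's 0.990 dragging both the Patient Portal and the Trust below the 0.995 appetite while Clinical Systems and the Identity Service stay within it; that is the two-way traceability the deck is after, a board-level attribute breach traced to the one subdomain responsible for it.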
21. Transform the Language of Governance
Customer Focussed, User Centric, Profitable, Reputable, Trusted, Crime Free
Culture Sensitive, Available, Cost Effective, Accountable, Compliant, Protected
Identified, Authenticated, Authorised, Access Controlled, Reliable, Resilient, Recoverable, Standards Compliant, Integrity Assured, Educated & Aware, Confidential, Auditable, Re-usable, Monitored, Affordable, Accessible
Attributes for Reporting: Governance & Compliance
22. Balanced Risk Theory
Two Sides of the Same (Attribute) Coin
Measurable
Performance target
Risk Appetite
Risk v Reward
23. The Language of Risk Balance
Control: Protect, Maintain, Prevent Damage, Stop, etc.
Enablement: Enhance, Increase, Enable, Go, etc.
24. The Language of Risk Balance
Control Objective: Protect life, Prevent Crash
Enablement Objective: Go Faster, Increase Trust
Control Enabler
26. Transform the Language of Risk
Attribute profile as on slide 18 (Patient Focussed, Prioritised, Financially Sustainable, Trusted, Responsible, Error Free and the supporting security attributes)
Attributes for Risk & Opportunity Management
27. The Language of “The Boss”
“Either you demonstrate support for my business objectives or
you are a business prevention department getting in my way!”
28. Transform the Language of Strategy
Attribute profile as on slide 18 (Patient Focussed, Prioritised, Financially Sustainable, Trusted, Responsible, Error Free and the supporting security attributes)
Attributes for Strategic Road Mapping
Current-state and Target-state
29. More Information
The World’s most experienced
SABSA Delivery Team
Contact info@davidlynas.com
30. More Information
Visit David Lynas Consulting / SABSAcourses in the Exhibition Hall and enter the draw for a free place on our next Singapore course
Singapore Official Training
12 – 16 June 2017
Sabsacourses.com
31. THANK YOU
David Lynas
David@davidlynas.com
www.sabsacourses.com