Do you want to know how your company can survive Cyber Security threats? And what can be an approach to stay compliant? Have you ever thought about security related opportunities and business enablers? Then continue reading this blog post! And find out how we can help you.
Digital Transformation takes place at an ever increasing pace and innovation by technology is going faster than most companies can handle. This also has a deep impact on Information Security. We have to deal with it internally (because of continuous changing requirements impacting corporate Information Systems) and externally (because of new legislation in a rapidly changing world). What could be an approach to stay compliant and respond to new Cyber Security threats? But also, are there any opportunities?
If you are familiar with Information Security you should have heard about ISO, NIST and COBIT frameworks to manage and mitigate risk. These frameworks are widely used to stay on track with security measures and proof compliancy to external auditors. But they lack the ability to quickly respond to Digital Transformation as these methods are not integrated with the Architecture competence! Traceability from Information Security requirements to Security Controls are difficult to achieve and managing rapid changing requirements can be horrible.
Another aspect these frameworks lack is they cannot handle the opportunities Digital Transformation offer. Be a front runner to make the most of it!
As of 2009, there is an Information Security Architecture Framework available that could be the answer to the questions raised above. This framework is called SABSA, which is part of the Open Group.
SABSA is a proven methodology for developing business-driven, risk and opportunity focused Security Architectures at both enterprise and solutions level that traceably support business objectives. It is also widely used for Information Assurance Architectures, Risk Management Frameworks, and to align and seamlessly integrate security and risk management into IT Architecture methods and frameworks.
For a brief description about SABSA, I recommend downloading the White Paper from http://www.sabsa.org (I am not going to copy this here). This blog is going about why it is the answer to deal with Digital Transformation.
The SABSA framework is a continued development of the Zachman Architecture Framework (https://en.wikipedia.org/wiki/Zachman_Framework) by applying it to Information Security. The Zachman Framework itself has proven to be an effective way for managing Information Architecture because of its holistic concept. That is why they use that framework for SABSA. Below you can find the so called SABSA Matrix.
SABSA has layers (from Contextual to Component) and columns (from What to When) and these are taken from Zachman. The columns are placed in a slightly different order because the Assets (What) are in the SABSA view the most important aspects and should be the first to be taken into account. From a risk perspective, this makes sense, because the valuable Assets should be protected. The holistic view of SABSA comes from joining all of the above in a matrix. SABSA also adds a new layer (which is at the bottom) for the architecture governance processes.
The colors relate to risk related aspects like: Risk Management Assets, Risk Management Processes, Risk Affecting Factors, Control/Enablement Objectives & Targets and Risk Treatment and Controle/Enablement Solutions. The control aspect of risk (to mitigate risk) as well as the enablement aspect of risk (opportunities) are an integrated part of the framework.
The impact of Digital Transformation starts at the business level (which is the Contextual layer of SABSA). The best approach to describe the business context is using a standardized modeling language like UML and/or ArchiMate (often a combination of both should be used). The impact of Digital Transformation can be seen first at the Conceptual layer. In the Assets (What) column and the Motivation (Why) column the translation from Business Requirements to Security Attributes is made. A Security Attribute is a conceptualization of a security aspect which is relevant for the business. These attributes are expressed in business terms and the performance of the currently implemented attributes are measured to determine the current security status of the company.
Digital Transformation impacts these Attributes. The impact can be negative (threats, weakness) or can be positive (opportunity, strength). You can apply Risk Assessment methods in order to rank the related risk impact (likelihood).
This is where the discussion at business level starts; which attributes should be added, extended, changed, removed, etc., in order to deal with the challenges from Digital Transformation. The picture below shows how all this is related.
The discussion at business level deals with the positive and negative outcomes. Companies who are able to apply the outcomes of the SAMSA matrix and create a Business and Risk Strategy are the companies that are successful in realizing their business goals and sustain and increase profit growth.
Of course determining and prioritizing the Security Attributes is not all it takes. Let’s have another look at the SABSA matrix. The Enterprise and Security Architectures need more work using the best practices given by the model itself. Firstly, in the horizontal direction (What, Why, How, How, Where, When layers) for the Contextual and Conceptual Layers. This comprises the Strategy & Planning phase of SABSA and will complete the holistic business view (and Security Roadmap) of the Enterprise. And secondly, further details need to be added in the vertical direction (from Logical to Component layer), which is part of the Design phase of SABSA.
SABSA is a framework that is integrated with the Architecture competence, so it is a differentiator! You are able to combine architecture designs with security architecture designs because of the layering of SABSA and because it maps to the commonly used architecture layering. For example the mapping to ArchiMate could look like the picture below.
Contextual, Conceptual, Logical en Physical layers of SABSA are mapped to the complete Business, Application and Technology layers of ArchiMate. For this, the Passive structure, Behavior as well as Active structure elements can be used.
Time (When) column of SABSA doesn’t have a good mapping to ArchiMate; the mapping to the Implementation & Migration layer fits the best when it is related to the implementation planning of the security initiative.
The components layer of SABSA maps to the Behavior and Active structure columns of ArchiMate for the Application Layer and the Technology layer only.
Because the mapping between Security and Architecture can be made traceable, we are able to quickly determine the impact of Digital Transformation from security related concepts to the architecture concepts and visa versa.
One last thing I would like to share, is that an iterative approach is very much recommended. Try to keep it as simple as possible! For example begin with the security aspect that is the most relevant. Implement it using all SABSA best practices, put the governance aspects in place and measure the performance of it. Learn, adapt and make your Business ready for every Digital Transformation challenge!
AMIS is making Digital Transformation possible for its customers by applying Oracle Technology and is recognized as a Thought Leader in the Netherlands. SABSA is recognized by AMIS as an Information Security and Risk Management Framework that enables this. Please contact us to find out how you can make Digital Transformation an opportunity for your business.