Sea of Troubles

David Lynas on SABSA

I’m spending this week at a SABSA Foundation training course led by David Lynas. Along with John Sherwood and Andrew Clark, David literally wrote the book on SABSA, after the three of them invented the methodology. Yesterday’s session was a history lesson, followed by an explanation of the 6x6 matrix and a quick workshop on requirements elicitation (not his words) at the contextual layer.

Interesting factoids:

  • SABSA grew out of the SWIFT project to migrate to IP. They were each independent contractors and needed a way to organise their collective thinking in a way that allowed each to play to their strengths. SWIFT had one dominating security requirement - a US$1Bn message transaction guarantee.
  • The book just doesn’t seem important to them anymore. David keeps saying “so much has happened since the book”, but there doesn’t appear to be a new, canonical source of truth available publicly. I suspect that the training now fills that role, but AU$4000 is much less palatable than US$55.
  • The ‘Business Attributes’ taxonomy was hacked together while “[David] was in a *foul* mood”, and he’s consistently surprised by what gets done with it. That said, I’m surprised by a couple of applications, although one of the better examples used the base idea but abandoned the details. I can see it being useful in encouraging BAs to provide more granular requirements, to replace the traditional non-functional requirement of “The system will be secure”.
  • I wasn’t aware of it, but there’s some (presumably ancient) research from Harvard Business School showing that organisations which outperform tend to have an even balance of operational, tactical, and strategic effort; weaker companies tend to live in operations.
  • David is squarely from the “the business can do whatever they want, you just have to secure it [afterwards?]” camp. He discounts both the “assurance” and “asset protection” alternative missions. I suspect he’d be really, really unimpressed with our SaaS thinking. That said, I haven’t yet seen any clear mechanism by which that approach is baked into the methodology - there are lots of happy words, but no indication of how you actually operationalise it, yet.

Overall, I haven’t had my world-view shattered just yet, but I’m interested to see where this goes.