Cyber Security Frameworks Demystified Part 3 - The Sherwood Applied Business Security Architecture (SABSA) Framework

Show Notes

 In this episode, we break down what the Sherwood Applied Business Security Architecture (SABSA) Framework is, how it helps organisations design security architectures based on business needs and why it is widely used in enterprise cybersecurity.

Duration: 0:19:56

Visit https://www.wecyberyou.com for more cyber security education, resources and awareness content like this. 

Thank you for listening. 
WeCyberYou! Team

Like and follow us to be notified when a new episode is released on this channel.

Transcript

SPEAKER_01 0:00

Imagine for a second, right, that you decide you want the absolute best security for your home. You spare no expense at all.

SPEAKER_00 0:06

Oh yeah, you're going all out.

SPEAKER_01 0:07

Yeah. You go out and you buy this impenetrable, solid titanium vault door. You get like state-of-the-art biometric scanners, infrared cameras, just the whole nine yards. Sounds expensive. Very. And you drag this massive, incredibly heavy door home. You set it up, you lock it tight, and then you step back to admire your work.

SPEAKER_00 0:28

Right.

SPEAKER_01 0:28

Only to realize that you just attached a titanium vault door to a canvas camping tent.

SPEAKER_00 0:33

Yeah, which is, I mean, it's a perfect, flawless piece of technology, but completely divorced from the reality of the structure it's actually supposed to protect. Exactly it's technically secure, but you know, functionally useless and probably going to collapse the tent entirely.

SPEAKER_01 0:48

100%. And that ridiculous image, right, of a vault door on a camping tent, that is exactly what happens in the corporate world every single day when it comes to cybersecurity.

SPEAKER_00 0:57

So welcome everyone. You are listening to the We Cyber You Unlocked podcast.

SPEAKER_01 1:01

Glad to be here for this one. Yeah, in today's deep dive, our mission is to unpack a foundational document, a framework that completely flips the script on how organizations handle risk and system design. We are talking about the SABSA framework.

SPEAKER_00 1:18

Right, which stands for the Surewood Applied Business Security Architecture.

SPEAKER_01 1:21

Yes, that's the one. And the core premise here is about fundamentally changing the way organizations approach security. It's about putting the business first rather than, you know, putting the technology first. Let's unpack this.

SPEAKER_00 1:34

I am so glad we're starting with that specific analogy, by the way. Because whether you are listening to this deep dive as a deeply technical IT professional who configures firewalls all day, or uh, you know, as a business leader who is just worried about the bottom line, understanding Sabia SA is really about learning how to align your technology with what your organization actually wants to achieve.

SPEAKER_01 1:55

Aaron Powell It's the ultimate bridge, right? Yeah. Between the boardroom and the server room.

SPEAKER_00 1:58

Exactly.

SPEAKER_01 1:59

And it's a bridge that seems desperately needed. I mean, when we look at the historical context of how IT and cybersecurity usually operate, it feels incredibly reactionary.

SPEAKER_00 2:09

Oh, very much so.

SPEAKER_01 2:10

An organization hears about a new threat in the news, or, you know, maybe a competitor gets hacked, and the IT department just rushes out to buy a new software tool to block that specific attack. They start with the technology first.

SPEAKER_00 2:23

Aaron Powell What's fascinating here is how that reactionary approach creates a massive pervasive industry problem. Think about the reputation that security departments usually have in most corporate environments. Right. They are almost universally seen as the department of no.

SPEAKER_01 2:40

Oh, absolutely. It's always no, you can't use that software, or uh no, you can't share that file with that client.

SPEAKER_00 2:46

Exactly. They implement controls that accidentally block actual business processes. They lock down systems so tight that employees literally cannot do their jobs efficiently, or, and this is worse, they create so much friction that they make the customer experience totally miserable.

SPEAKER_01 3:02

Yeah, you're trying to check out online and it takes 15 steps.

SPEAKER_00 3:05

Right. And the SAB DSIA framework explicitly argues that you must start with the business needs first. By doing that, you guarantee that your security strategies actively support the business goals rather than hindering them.

SPEAKER_01 3:16

So security becomes an enabler.

SPEAKER_00 3:18

Yes, a facilitator rather than a roadblock.

SPEAKER_01 3:20

I really want to highlight that distinction security as an enabler. Because if the overarching business goal of a company is to make their service like as fast and frictionless for the user as possible, but the security team implements a mandatory 10-step login process with multiple authenticators.

SPEAKER_00 3:38

Then that security team is actively fighting the business goal.

SPEAKER_01 3:41

Exactly. The business wants speed, but the security team is providing friction. And SAVISO is designed to stop that exact scenario from happening.

SPEAKER_00 3:51

That is the core philosophy. It ensures that when you identify and manage security risks, the resulting controls actually support the business operations. The technology serves the business, the business never serves the technology.

SPEAKER_01 4:03

Which makes perfect logical sense on paper, obviously. But as we dive into the actual mechanics of CFSA, I have to admit, I'm struggling a bit with the execution part. Well, it's one thing for a CEO to stand up in a boardroom and say, you know, our business goal is to expand our digital footprint globally. Yeah. But the gap between that high-level executive vision and a systems administrator typing command line code into a router in a basement, that gap is massive.

SPEAKER_00 4:28

It is a massive gap, yeah.

SPEAKER_01 4:29

So how does SABI essay actually translate a boardroom vision into a technical reality without totally losing the plot?

SPEAKER_00 4:37

Well, it translates that vision through a very strict logical progression rather than just handing a list of goals to the IT department and hoping for the best. SABY essay uses a layered architecture model. Okay. Specifically, it breaks the organization down into six distinct architectural layers. And the golden rule here is that you cannot skip a layer.

SPEAKER_01 4:57

Not a single one.

SPEAKER_00 4:58

Not one. Each step directly dictates the requirements of the next step, moving from the most abstract, high-level business ideas all the way down to the granular technical reality.

SPEAKER_01 5:08

Aaron Ross Powell, you know, instead of just listing these layers out, which, let's be honest, can get incredibly dry, let's put this into a real-world scenario.

SPEAKER_00 5:15

I like that idea.

SPEAKER_01 5:16

Let's imagine a classic hundred-year-old traditional bank. They've got physical branches, paper ledgers, the works, but they realize they are bleeding customers to modern fintech startups.

SPEAKER_00 5:28

Right, the app-based banks.

SPEAKER_01 5:29

Yeah. So the board of directors decides we need to launch a cutting-edge mobile banking app where users can instantly transfer large sums of money to anyone in the world. If they are using the Savisei framework, how does that goal actually travel down these six layers?

SPEAKER_00 5:44

That is a perfect test case. So we start at layer one, which Savvy Say calls the contextual architecture.

SPEAKER_01 5:50

Contextual architecture. Got it.

SPEAKER_00 5:52

Think of this as the planner's view or the perspective of the business owner and the board of directors. And this layer, we are not talking about computers, firewalls, or passwords at all.

SPEAKER_01 6:02

Aaron Powell Wait, no technology at all in a cybersecurity framework.

SPEAKER_00 6:05

None whatsoever. We are asking purely business questions. What is the goal? To launch a mobile app for instant global transfers, what are the assets we need to protect? Our customers' money and our century-old reputation. And crucially, we have to define the business's risk appetite. Meaning, how much risk is this bank actually willing to accept to pursue this new app?

SPEAKER_01 6:27

Well, I would assume for a hundred-year-old bank, the risk appetite is incredibly low. Trust is their entire business model.

SPEAKER_00 6:36

Exactly.

SPEAKER_01 6:36

If a scrappy startup gets hacked, users might forgive them because they're new and fast. But if a legacy bank loses millions in an instant transfer exploit, they are completely ruined.

SPEAKER_00 6:47

Spot on. So at layer one, the contextual view, the business dictates, we want instant mobile transfers, but our risk appetite for fraudulent transactions is near zero. That business context completely changes the reality for the security team.

SPEAKER_01 7:01

Okay, that makes sense.

SPEAKER_00 7:02

So armed with that context, we move down the chain to layer two, the conceptual architecture.

SPEAKER_01 7:08

Okay, so the CEO has handed this low risk, high reward mandate down. Layer two, the conceptual architecture, that feels like it should be where the strategy is formed.

SPEAKER_00 7:16

Yes, this is the architect's view. We are still not buying specific software yet.

SPEAKER_01 7:20

Still no software.

SPEAKER_00 7:21

Still no software. The architect looks at the layer one mandate and asks, what high-level security concepts do we need to satisfy that? If the goal is instant transfers from mobile phones, but the risk appetite for fraud is zero, the architect might decide we need to implement a zero trust environment.

SPEAKER_01 7:41

Let's pause there for a second, because zero trust is one of those terms that gets thrown around a lot in tech circles.

SPEAKER_00 7:47

It really does.

SPEAKER_01 7:48

For the listener who might not be deep into cybersecurity jargon, what does a zero trust environment actually mean in the context of our bank app?

SPEAKER_00 7:57

Let's use an analogy. In traditional security, once you got past the front door of the building, you were trusted. You could wander the halls, go into any room, because the system assumed if you were inside, you belonged there.

SPEAKER_01 8:07

Right, the old Moton Castle model.

SPEAKER_00 8:09

Exactly. But zero trust means the system trusts absolutely no one by default. It's like a hotel where you don't just need your key card to get in the front door. You need to swipe it to use the elevator, swipe it again to enter the hallway, and swipe it a third time to open your room door. Every single action requires verification, regardless of whether you are logging in from a random coffee shop or from the CEO's desk inside headquarters.

SPEAKER_01 8:34

That makes total sense. So we have our strategy. But a strategy isn't a working system. So I imagine the next step is actually writing the rules to enforce that strategy.

SPEAKER_00 8:49

Aaron Powell You've just deduced layer three, the logical architecture.

SPEAKER_01 8:52

Nice.

SPEAKER_00 8:53

We are moving from the architect's view to the designer's view. We know our overarching concept is zero trust. So the logical architecture defines the specific security services and policies required to make that concept a reality.

SPEAKER_01 9:05

Aaron Powell So this is where we establish the actual rules of the game.

SPEAKER_00 9:08

Yes.

SPEAKER_01 9:09

For our banking app, if the concept is trust no one, the logical policy might be uh any user attempting a transfer over $1,000 must verify their identity through two separate methods. Or maybe all financial data must be encrypted while it is traveling over the internet.

SPEAKER_00 9:25

Aaron Powell Exactly. We are building the logical blueprint. Notice how the rule verify identity through two methods directly supports the zero trust concept from layer two. Right. Which directly supports the low-risk appetite from layer one. The chain remains unbroken. Once the logical rules are set, we finally drop down to layer four, the physical architecture.

SPEAKER_01 9:48

Aaron Powell We finally get to talk about technology.

SPEAKER_00 9:51

We do. This is the builder's view. We have our logical policy. We need multi-factor authentication for large transfers. In the physical architecture layer, we decide what physical or virtual systems will actually perform that service.

SPEAKER_01 10:04

Aaron Powell Like where the servers actually live.

SPEAKER_00 10:05

Aaron Powell Exactly. Where does this live? Are we going to build our own dedicated authentication servers and put them in a data center in the basement of the bank? Or are we going to use a cloud-based identity provider?

SPEAKER_01 10:16

Aaron Powell And again, to demystify the jargon for a second, a cloud-based identity provider is essentially hiring a digital bouncer from an outside security firm, right?

SPEAKER_00 10:24

Trevor Burrus That's a great way to put it.

SPEAKER_01 10:26

Aaron Powell Instead of the bank building their own massive ID checking system from scratch, they subscribe to a massive tech company like Microsoft or Okta, who specializes in checking IDs and they let them handle the verification process in the cloud.

SPEAKER_00 10:39

Aaron Powell That is a perfect explanation. So the builder at layer four decides that building an in-house server is too slow for the new app. So they decide to use a cloud-based identity provider. Okay. We have mapped the logical rule to a physical IT reality, but we still have to actually turn it on. Which brings us to layer five, the component architecture.

SPEAKER_01 11:00

Aaron Powell The component architecture. This feels like the realm of the people actually typing on the keyboards.

SPEAKER_00 11:06

Yes. This is the tradesman's view. This is where the rubber meets the road. We know we are using a specific cloud identity or provider from layer four. Layer five is the actual granular configuration of that specific tool.

SPEAKER_01 11:17

So hitting the buttons.

SPEAKER_00 11:18

It's the IT engineer logging into the dashboard and setting the exact timeout limits for a user session. It is writing the specific firewall rules. It's purchasing the exact vendor products. This is the nuts and bolts.

SPEAKER_01 11:32

Which leaves us with the final piece of the puzzle, layer six, operational architecture.

SPEAKER_00 11:36

The facility manager's view. You've built the house, you've installed the locks according to the floor plan, the banking app is live. But who is watching the security cameras? Right. How do we manage the system day-to-day? Layer six focuses on monitoring the logs, patching the software when vulnerabilities are found, and continuously managing the operations.

SPEAKER_01 11:58

Okay, looking at this whole journey from the boardroom context all the way down to the operational management, I have to push back a little here.

SPEAKER_00 12:05

Go for it.

SPEAKER_01 12:06

Going through six distinct, rigorously documented layers just to configure a security tool, it sounds like an agonizing amount of red tape.

SPEAKER_00 12:14

It does sound heavy at first.

SPEAKER_01 12:16

Doesn't this highly structured, layered approach risk slowing an organization down to a crawl? I mean, if an engineer just needs to block a malicious IP address or update a software tool, do they really need to trace that action all the way back up to the board of directors' conceptual risk appetite? It feels incredibly heavy for a business world that demands agility.

SPEAKER_00 12:35

If we connect this to the bigger picture, it actually does the exact opposite of slowing you down in the long run. Really? Yes. Establishing the sub-ESA framework initially is a meticulous heavy lift. There's no getting around that. But the framework is specifically designed to build scalable architectures. It gives you something that most companies completely lack.

SPEAKER_01 12:58

Traceability. Traceability. Break that down for me.

SPEAKER_00 13:01

Think about what happens in an organization that does not use this structure. They just buy security tools randomly as problems pop up over the years.

SPEAKER_01 13:08

Which is most companies, let's be honest.

SPEAKER_00 13:10

Right. So five years later, you open the proverbial IT closet, and there are 50 different software platforms running. Half of them overlap in what they do. They cost an absolute fortune in subscription fees, and nobody in the building remembers why half of them were purchased in the first place.

SPEAKER_01 13:24

Because there's no blueprint, it's just a pile of titanium vault doors.

SPEAKER_00 13:28

Exactly. And when that unstructured company wants to upgrade a system or change their business model, it takes months to untangle the mess because nobody knows what relies on what.

SPEAKER_01 13:38

That sounds like a nightmare.

SPEAKER_00 13:39

It is. Sabe essay provides absolute traceability. Imagine a string connecting every single technical component back up to a business goal. Every single firewall rule at the component layer, every single daily process at the operational layer traces directly back up the chain to a real business requirement at layer one.

SPEAKER_01 13:59

Okay. I am seeing the profound impact of this. If the tool doesn't have a string connecting it back to a business goal, you don't buy it.

SPEAKER_00 14:07

Or even more powerfully, think about what happens when the business needs to pivot. Let's say our hundred-year-old bank decides actually the instant transfer feature is too costly to maintain. We are killing that feature entirely. Oh well.

SPEAKER_01 14:19

Okay.

SPEAKER_00 14:19

Because they use Sabesse, the IT department doesn't have to guess what systems to turn off. They look at the framework, follow the string down from that specific business goal, and they know immediately which policies to delete, which servers to spin down, and which 15 software vendor subscriptions they can cancel tomorrow morning.

SPEAKER_01 14:36

Wow. That is an incredible aha moment. You are paying a complexity tax up front to build a clean, traceable architecture rather than paying a chaos tax every single day in operational confusion later on.

SPEAKER_00 14:50

Exactly.

SPEAKER_01 14:51

You are building a system that can grow, shrink, and adapt without collapsing under its own weight.

SPEAKER_00 14:56

It saves massive amounts of time and prevents incredible amounts of wasted budget.

SPEAKER_01 15:01

Having seen this rigorous structure play out in our bank scenario, it becomes incredibly clear why certain types of organizations rely so heavily on this framework. The source materials note that Sabesa is overwhelmingly used by large enterprises, major financial institutions, and complex government organizations.

SPEAKER_00 15:18

It's pretty standard in those sectors, yeah.

SPEAKER_01 15:20

If you are a global entity or a federal agency, you have incredibly complex business goals and absolutely critical security requirements. You simply cannot afford to wing it with your technology investments.

SPEAKER_00 15:30

No, you really can't. For those massive entities, the primary benefits of Sabi Sai are vital to their very survival. It builds consistent security architectures across global operations, ensuring the branch in Tokyo operates under the same logical rules as the branch in London.

SPEAKER_01 15:47

That consistency is key.

SPEAKER_00 15:48

It is. It fundamentally improves risk management because risk is defined at the business level, not just the IT level. And it provides a rock solid guarantee to the executives, the taxpayers, or the shareholders that the massive multimillion dollar security investments are supporting real, tangible business needs.

SPEAKER_01 16:07

So what does this all mean? We have talked about global banks, government agencies, and tracing strings through six layers of architectural models. But what if you, the listener, aren't running a massive government agency or a Fortune 500 company?

SPEAKER_00 16:20

Right. What if you're not the CEO?

SPEAKER_01 16:21

Yeah, maybe you are a mid-level IT manager or a small business owner or just a professional trying to understand how technology fits into your corporate world. The SABSA mindset is still an incredibly powerful mental model for you to adopt. Because it trains you to evaluate any tool, any software platform, or any new project by asking one simple foundational question: what business goal is this actually serving?

SPEAKER_00 16:48

This raises an important question for everyone listening. Think about your own workplace right now. Think about the security measures, the daily software platforms, the hoops you have to jump through just to send an email or access a file.

SPEAKER_01 17:00

We'll all have those hoops.

SPEAKER_00 17:01

Are those technologies genuinely supporting the overarching strategy of your business? Or are they entirely disconnected from your operational reality? Have you ever had to use a piece of corporate software that was so highly secured, so locked down, that it made your actual job nearly impossible to do?

SPEAKER_01 17:18

I know I have.

SPEAKER_00 17:19

That friction you feel is what happens when organizations forget layer one.

SPEAKER_01 17:23

It is the titanium vault door on the canvas tent.

SPEAKER_00 17:26

Yes.

SPEAKER_01 17:26

The technology is working flawlessly, the door is locked tight, but the business context is completely ignored. By adopting the SABSA philosophy, even just informally in your daily work, you become the person in the room who bridges that gap.

SPEAKER_00 17:39

You really do.

SPEAKER_01 17:40

When someone on your team suggests buying a shiny new software tool because it has great features, you become the one asking, okay, but how does this align with our actual operational goals? That is a tremendously valuable perspective to bring to any organization.

SPEAKER_00 17:56

It is the difference between being a mechanic who only knows how to turn a wrench when told to, and an engineer who actually understands why the engine was built in the first place. You move from just executing tasks to understanding value.

SPEAKER_01 18:08

Here's where it gets really interesting. If the SAP UCSA framework requires security to be perfectly mapped to business goals across six dense, rigorous layers of architecture. What happens to an organization's security posture when a massive market disruption forces the business to completely change the strategy overnight?

SPEAKER_00 18:27

Oh man, that is the ultimate stress test for any framework.

SPEAKER_01 18:30

It really is. Think about a sudden global event like, say, a pandemic that forces an entire workforce to go remote in 48 hours? Right. Or an overnight technological revolution, like the sudden drop of generative AI. If layer one, the foundational business context, changes in a matter of days, how agile can a deeply layered security architecture truly be when the ground shifts in an instant?

SPEAKER_00 18:56

That's a tough question.

SPEAKER_01 18:57

Does the meticulous structure of SabyT save you because you know exactly what to change? Or does the strict adherence to those six layers become a heavy liability when breakneck speed is the only thing that matters?

SPEAKER_00 19:09

It forces you to ask if your architecture is a map that guides you out of the crisis or an anchor that drags you down.

SPEAKER_01 19:16

Absolutely. It is a fascinating tension between structure and agility.

SPEAKER_00 19:20

Yeah.

SPEAKER_01 19:20

That is something to chew on the next time your company announces a major unexpected pivot.

SPEAKER_00 19:25

Definitely something to keep in mind.

SPEAKER_01 19:26

Well, we want to thank you for joining us on this exploration of the Seb EC framework. If you want to keep expanding your mental models, learning how to connect the server room to the boardroom, and unpacking the frameworks that silently run our digital world, make sure you hit follow on the channel right now so you never miss a deep dive.

SPEAKER_00 19:41

And there is always more to learn and unpack.

SPEAKER_01 19:43

There certainly is. For more in-depth content, exclusive resources, and insights just like this, be sure to visit WeSiber You.com. Thank you for listening. Thank you for learning with us, and we will see you on the next deep dive.