The 3 critical answers that will take you…

From Zero to SABSA® Security Architecture—FAST!

Dear fellow Security Architect,

There’s one thing I’ve noticed over nearly 2 decades of doing security architecture. And I’ve found it’s one of the biggest things holding security architects like yourself back from making a real difference in their security programs. In almost all cases, they struggle with answering 3 critical questions that – if left unanswered – prevent them from getting the clarity and action plan they need in order to move out of a role focused on providing purely technical expertise…

…to one that elevates them to a trusted advisor in their organizations—not just with their peers in security, but with the wider business and technology community as well.

Maybe you do too.

Because, even if you can answer any one of the following questions right now…

…if you can’t answer them all – and answer them consistently and with conviction – the result is going to be feeling like you’re blowing in the wind of an ever-growing security storm…

…and you’re going to struggle to not only explain the value of what you’re doing and what you want to do.

You’ll also struggle to make the difference in the daily lives of your security customers that gets you noticed…

…gets you respected…

…and gives you the solid foundation of credibility and trust necessary to catapult your career as a security architect to the next level.

Maybe that’s as a more senior security architect.

Maybe it’s as an independent consultant.

Or maybe…it’s even setting your sights on the CISO role.

No matter what path works for you…

…it’s still absolutely critical that you are able to answer the following three questions:

  1. What is security architecture and why does it matter?
  2. How do you package your security architecture so it gets appreciated—and actually used?
  3. How do you start taking a wider, enterprise perspective of security when it seems like you’re permanently stuck doing project-specific, after-the-fact security assessments that nobody actually cares about other than they’ve been done and a box has been ticked?

Now, your list of the 3 most critical questions in security architecture might be different than those…

…but once you strip away the ones about the latest technical details of some new product or service…

…and you set aside the intricacies of the threats and vulnerabilities that are on the top of today’s threat intelligence feeds…

…and you gloss over the individual motivations, politics and physical composition of any individual group of motivated threat actors…

…I think you’ll find that what’s left fits somewhere in those three questions.

However, you might think that stripping away all the detail, as I just asked you to do, fundamentally takes away the definition of security architecture or even…

…what makes it fun.

And I get that.

It’s easy to get caught up in the drama and the details—especially when the hits keep coming hot and heavy each and every day…

…your friends in the SOC are 20 pounds thinner…

…their hair is 3 shades grayer…

…and many of them are about to quit.

And then there’s all that stuff your CISO keeps asking you about. The latest tech. The latest frameworks and standards. The inevitable:

“What are we going to do about this?” questions driven by the headlines…

…and the sometimes uncomfortable questions they’re getting asked by their fellow executives and members of the Board.

But that’s the thing.

That’s the thing about architecture.

Because architecture isn’t about the details.

Architecture is about how the details fit together to give value to something bigger than any individual part.

It’s not about the networks, applications and systems.

It’s about what they do for people.

And not just the people inside the virtual “4 walls” of our organizations.

It’s also about what they do for the people who use the products and services your organization offers.

How all that stuff happens.

How customers come and go.

How they’re supported.

How things get built and packaged.

How the organization engages with its suppliers and partners.

How the money moves around.

All that depends entirely on the security architecture YOU have been asked to build and maintain as a security architect—even if you only get to see it one piece at a time.

That’s why those questions are so critical.

And that’s also why you can’t just answer one…or two of them at a time.

The first two questions are about what we’re doing and how we’re communicating it…

…but the last one is about the reality most of us face on a day-to-day basis:

We’re stuck in a “Groundhog Day” of Stage-Gate security reviews that will seemingly never end—and which don’t seem to be getting any better…

…any shorter…

…or any easier.

The problem is: if you try to fix any one of these things in isolation, you’re just going to end up chasing your tail.

However, precisely because we’re stuck in Stage-Gate Security Assessment Hell…

…we have endless opportunities to start building out our real, business-driven enterprise security architecture.

We just need to decide that’s what we should be doing.

And, in order to make that decision…

…we need to have the confidence that actually making those kinds of changes…

…is actually going to be worth it.

That’s exactly why I’ve decided to package 3 separate things together, in one comprehensive offer, that addresses each of them in turn.

Not in isolation.

But as a way to change your practice of security architecture in a concrete and tangible way…

…in as little as a week.

However, even though I mention a week, in reality, if you take the 8 hours or so required to actually go through each of what I’ve put together…

…and you think about what’s been covered…

…and you build on the concrete examples presented in each one…

…I think you’ll be absolutely BLOWN AWAY by what you’ll be able to accomplish in 5 working days—let alone anything more than that.

Because if you apply what’s inside these resources to the very next security assessment you’ve been tasked to do…

…you’ll have likely built out more of an enterprise security architecture…

…than most people build in a year.

Oh, and you’ll also have done it using SABSA® too—which is a good thing, because SABSA’s the only actual approach out there to delivering security architecture that works.

Why do you think The Open Group® chose SABSA to “fill in the security gaps” in TOGAF® in the first place?

That’s right: because what they had wasn’t good enough.

And, whether you’re having to deal with TOGAF or not…

…you’re going to still end up with better, more focused, and more effective security architecture than most people have ever seen.

Why?

Because most people can’t even answer the first question the right way.

And if you start from the wrong conclusions…

…you’ve nowhere to go but…

…exactly in the WRONG direction!

So, while that might be good enough for everyone else out there claiming to be a security architect…

I don’t believe it’s good enough for you.

Because, if you’re still reading this, I believe you’re a different kind of security architect than most people out there. You’ve been around the block a few more times. You’ve got more experience…

…and you’ve realized that there’s a 40’ tall DEAD END to the alleyway of technical security.

Sure, it’s important.

But is it really worth it?

Because, I’m guessing, since you’ve been around a bit longer…

…and because you’re more aware of what architecture is really all about…

…you’ve started to see some patterns.

Maybe you haven’t consciously recognized them as yet, but you’ve got some kind of “spider sense” tingling in the back of your neck that something really just isn’t quite right.

You would be correct.

Because the thing of it is, that trite old adage earned the right to be around long enough to become a “trite old adage” simply because it’s true:

“The more things change…the more they stay the same.”

And if you haven’t seen this already in security as long as you’ve been around, I’d actually be quite shocked. It’s there, every single day in front of us…

…in 80’ tall, blinking pink neon letters bright enough to put all of the Las Vegas strip to shame.

Because, as I’m sure you’ve probably realized…

…we’re not chasing new problems in security.

We’re chasing new ways those problems can actually be caused.

That’s why bringing the perspective of proper architecture to bear on the security challenges we face every day is so damn important.

We’re the only ones who can see this.

And, because of that…

…it’s our collective responsibility to do something about it.

But we’re not going to be able to do something about it with more technical, tactical security controls…

…more policies…

…more standards…

…and, God forbid, more utterly worthless security reviews.

It’s going to take something more.

It’s going to take focusing on the essential aspects of the problems we face…

…and not continually getting lost in the details.

And, to help you make the transition I believe you’ve already realized you need to make, I’ve put together…

The Security Architecture Solution Pack™

Inside, you’ll find 3 separate resources each focused on answering one of those critical security architecture questions I mentioned before.

#1 An actionable definition of Security Architecture you can start using TODAY to build out a clear conceptual model of how your organization works using SABSA

The first item in the goodie bag of the Solution Pack is a digital copy of my book, Getting Started with The Agile Security System™. This is the groundwork – a foundation – of understanding what architecture is all about, how security architecture enables everything in your organization, and how to take the essential subset of SABSA as the key building blocks you need to focus your work as a security architect on exactly the right things.

Inside this short, easy read you’ll find:

  • The 3 sentence paragraph that tells you all you need to do as a security architect (without a multi-level matrix model or a 200-page process manual). See Page 51.
  • Why most people miss the fundamental power of SABSA domains (and why it’s something you MUST stop doing if you want to be a successful security architect). See Page 33.
  • The 9 essential aspects of security architecture you will need to define – whether you use SABSA or not – if you want to prove you’re doing the right things to protect your organization. See Page 61.
  • Why it’s perfectly acceptable for two different architects to model the same system in entirely different ways (even though doing so might otherwise start some knock-down, drag-out arguments between said architects!). See Page 32.
  • The one, often overlooked aspect to architecture that is probably the single biggest cause of security failures in the entire history of security. See Page 66.
  • A powerful and “automatic” way to define SABSA attributes most people don’t know (unless you’ve either been through SABSA Foundation with me, gone through a BESA cohort or been part of the Archistry world for a while). See Page 37.
  • A “hidden” truth about the nature of the “deliverables” defined by SABSA (something that both gets unsuspecting architects in hot water and nearly assures the ultimate destruction of many SABSA adoption efforts). See Page 22.
  • Why not knowing all that much about SABSA might actually be the best way for you to start using SABSA both quickly and correctly. See Page 10.
  • The only tool you’ll ever need to clearly, easily and quickly define the scope of the security architecture you’re working on. See Page 54.
  • Why most people think of “top-down” as the only way to really do architecture—and why they’re wrong. See Page 64.
  • Along with a whole lot more…including: The only legitimate way to achieve – and maintain – true “business alignment” with a security program of any kind (Page 17); How the connection with our security customers helps us manage the one constant we can never escape (Page 20); Why it’s a really bad idea to conflate the concepts of value, price and cost when you’re talking about security architecture—or anything, for that matter (Page 49); How SABSA makes the RACI model “right” (and where it still leaves a few gaps that need to be addressed by ACS and The Agile Security System—Pages 43-46); How the “building block” approach to security architecture can quickly and easily build you the exact WRONG architecture to what your organization really needs (Page 64); and, at last, the definitive answer as to why it’s impossible to do SABSA “right” without linking attributes to your domain models (Page 40).

However, I can’t just keep telling you about all the cool and practical stuff you’ll get from the book, because there’s still two more parts to this package.

#2 How you can revolutionize, streamline and simplify your approach to security architecture—all while making it much more focused, relevant and easy to consume by everyone in your organization

A while back I launched the Archistry Club™ (the Club) because I recognized that architects like you – who understood there was more to this gig than just technology – really operate pretty much in isolation. Sure, there may be local communities or pockets of people with similar ideas. However, the problem is that they’re often quickly dominated by just a few voices, and since everyone’s trying to figure it out on their own…they’re generally busy…and, let’s face it, most architects are introverts…it’s often not quite as rewarding as people hoped it would be.

So, in addition to focusing on solving that problem with the structure of the Club, I also wanted to work on giving practical and actionable guidance to our members in the form of monthly masterclasses. Now, you might be aware of the monthly Security Sanity™ print newsletter I write. However, the focus of that is primarily to help people think differently about architecture, and there’s not that many practical walkthroughs of how to do things.

Recognizing this too, I set out to make the balance of the monthly Club masterclasses the exact opposite of the print newsletter—which is also bundled in as part of your basic Club membership. The very first Club masterclass covered something I’ve been asked about often since 2019 when I introduced The Agile Security System™ in the second edition of the Security Sanity newsletter:

How do you actually build out lightweight security architecture documentation—especially using SABSA?

Fortunately, the masterclass isn’t only available to Club members. And now, I’m making it available to you as part of this very special bundle offer. Because inside this video, I talk about many things I’ve never talked about outside the confines of my high-end Effective Security Leadership Coaching and mentoring program (ESLC) with my private clients. And most people would never see this, because the minimum engagement for that program is $100,000 and takes at least 6 months.

Luckily for you, this information is now available as part of this highly focused and in-depth masterclass on managing architecture documentation. Some of the things you’ll discover inside include:

  • How to address the myriad of challenges of creating and managing useful architecture documentation across time, across teams and at different levels of detail
  • The power and leverage you get from splitting your approach to architecture documentation into two primary categories (and how you define and maintain that definition, regardless of the scope and pressure of the work you’re doing)
  • Why you as a security architect need to be able to hold multiple views of the world in your head—at the same time, and even when they look like they’re incompatible!
  • Exactly what to do when you’re feeling overwhelmed by the detail of any given architecture—thanks to the Principles and Practices of The Agile Security System.
  • How to build SABSA security architecture artifacts by “filling in the blanks” and WITHOUT getting driven into the “tunnel vision” of typical architecture templates
  • What your security customers actually care about—and how to not only discover it, but validate it’s actually true too.
  • The surprising reason you can build “standards-compliant” architecture documentation using informal – and highly unorthodox – documentation techniques
  • How to figure out precisely what types of models you need to communicate your security architecture to your security customers
  • Why “proper” security architecture is all about facilitating our security customers to make risk-based decisions (even if they didn’t realize they were making them)
  • How to get our IT architects to adopt our approach to architecture thinking and documentation (even if they’re already using some kind of formalized methodology like TOGAF)
  • And a whole lot more, including…why “automagic” architecture discovery tools will never replace you as a security architect—at least until they can do what I describe in this video; Why most of the items in the SABSA Architecture Matrix don’t mean nearly as much as you think; The reason SABSA Attributes are only a small part of the story when it comes to documenting security requirements; How to deliver Architecture Vitality in a way that’s not going to be overwhelming; Why starting SABSA in a big and bold way is the best way to get people to understand and appreciate security architecture—at least if you do it right; and precisely why NOBODY can tell you what your security architecture documentation should look like—not even me!

With what I’ve described above – and only if you went that far – you’d still be ahead of the legions of security architects out there who are toiling away solely focused on security from a technology perspective…

…and you’d be CONTINENTS ahead of all the people who’ve learned SABSA and cast it aside because they just flat-out couldn’t figure out how to make it work.

It’s a shame, really, because it’s not quite as hard as it appears to be. But it does come down to a rather fundamental shift in seeing THROUGH the SABSA Architecture Matrix instead of focusing on the Matrix itself. However, that’s a different program for a different day. Because, right now, I want to introduce the 3rd and final piece of the Solution Pack.

#3 How to build true enterprise security architecture – using SABSA – without taking a “top down” view, getting lost in the weeds of doing “bottom up” architecture…and while doing the rather boring and unpleasant work many of us are inevitably forced to do much more than we’d like

According to recent surveys I covered in the October issue of the Security Sanity™ newsletter, “shifting left” is a priority item for many CISOs around the world. Of course, anyone who’s been doing this a while – probably yourself included – has realized that the only way to deliver truly “secure” solutions…

…was to not only get people thinking about security before they started buying products or writing code…

…but also, and probably more importantly, was about getting people to have the same understanding of what “security” actually meant.

And, if you’ve been forced to suffer through seemingly endless, mind-numbing and hyper-stressful security reviews thanks to some over-anxious and inexperienced project manager screaming in your ear to hurry up every 5 minutes…

…you’ll realize that this dream of “shifting security left” is often a far cry from the day-to-day reality.

In fact, when I put together the recent Supercharge Your Security Architecture Challenge™, I made a point of talking about what was required to “shift left” security—no matter where in the lifecycle you currently were. Based on the enormous amount of positive feedback from that program, I decided to dive deeper into the aspect most people were interested in.

And it was an aspect they were interested in…

…because a lot of the rest of what I talked about in the Masterclass…

…was so far away from their current reality, I might as well have been talking about the biochemistry required to invent a new flavor of chocolate!

However, I did listen to the feedback, and for the November Club masterclass, I decided I’d talk our members through exactly what was required in order to do what I’ve been recommending you do as a security architect now for many years:

“Start where you are—no matter where that is.”

You see, there’s an awful lot of people who end up using all kinds of excuses about the way their work and organization are structured for why they just can’t do any kind of “enterprise” or “business-driven” security architecture.

However, given the work I’ve done over the last few decades in organizations around the world…

…I know for a fact that this simply isn’t the show-stopper people believe it to be.

You really CAN start where you are—no matter where that is.

But you have to actually want to do it…

…AND you have to believe that it’s actually possible to make it happen if you try.

There again, one without the other doesn’t get you very far.

But both?

Well…now, that’s another thing entirely. Which is exactly why some of what you’ll learn in this masterclass is:

  • Why you truly can build reusable, enterprise security architecture out of individual security assessments—even if it seems like the world is conspiring against you at each and every step
  • The fundamental relationship between “shift left” and the amount of actionable security architecture you just happen to have lying around the place
  • How the rather backwards and broken process of “(almost) after the fact” security assessments is actually one of the biggest opportunities ever given a security architect
  • Why you don’t have to really “add more work” to get more leverage as part of your security assessments—because you can “move it around” and end up working faster
  • The often-overlooked importance of classification in building successful architectures
  • How to overcome the downward-spiral inertia that prevents anything from actually getting any better when it comes to the security assessments you do
  • Overcoming the 3 biggest challenges you face in building true architecture as you transition from a “throw away” mindset to building your ESA “brick by brick”
  • The 5 critical things you’ll need to put in place to truly build the foundation for “shifting left” with your security architecture work
  • What’s really missing from the security assessment process—and why it’s probably not anywhere close to what you think
  • Why you’re really not happy with the kinds of security assessments you’re doing, and exactly what to do to take the next steps to making things better
  • And, you guessed it: a whole lot more than that, including…how the “real job” of a security architect actually works against us doing the very thing we need to do; how we can work with – not against – the real value of the security review for most people to do the work we want to do; how our current approach to security assessments keeps us not only stuck where we are, but often even moves us backwards; how to re-frame the “deliverables” of our security assessments into something truly useful; and how even the slightest shift in seeing our organizations differently gives us more clarity and leverage than most “more experienced” architects will ever achieve.

But, before I give you the opportunity to get your copy of the Solution Pack, I do want to mention that even with all the guidance and experience I’ve managed to pack into these products made available to you in an easy-to-consume-and-apply bundle, there could still be lots of ways you might still find it hard to implement yourself.

Maybe you don’t believe it’s possible.

Maybe your CISO got a bad taste of “business-driven security architecture” or SABSA in the past.

Or maybe you literally don’t have 5 minutes to turn around and scratch your backside because you’re so busy running around day-in and day-out putting out tactical and operational dumpster fires.

Yes, what I’m describing is straightforward, and it’s relatively easy to do—based on not only my own experience in using it daily with clients, but also from their own feedback.

However, it does require you to be prepared to set aside – and even downright challenge or eliminate – some of the assumptions you might have about the work you do as a security architect…

…and the limits of the potential value you can bring to the organization.

It isn’t a magic wand.

It won’t “architect itself” out of thin air—even though, with some of the templates helping you along, it might seem like it’s damn near close at times.

And, I also have to tell you that each of these pieces is – or will be – available to purchase separately. In fact, if you bought them all at the regular price…

You also might already have one or more of the pieces available to you in your pocket inside the Archistry Learning mobile app, so I’d urge you to consider carefully if the value you’ll get out of this is worth it to get the bundle, or if you’d prefer to pay more later, and get each piece individually. Sometimes, from a budgeting and approval perspective…

…I know it can make a difference.

However, if you’ve been beating your head against the wall for quite a while trying to figure out how to make a difference with security architecture…

…how to get your head around actually making SABSA work…

…how to stop doing the same work over and over and over and over again with mind-numbing security assessments…

…how to create architecture documentation that actually gets read…

…how to understand what the business actually does, how it makes money, and how you can really add value as a security architect…

…how to better connect with your CISO because you’re giving them tools they can use to make themselves look better…

…and even just how to get more done, with less effort, with more consistency and much higher quality…

…then I’ve never put together a more focused…more actionable…and more affordable bundle than this one.

So, if you’re ready to start building business-driven security architectures that make a difference…

…and you’re ready to start as early as today…

…then go ahead and click the button below, and get instant access to all 3 parts of the Security Architecture Solution Pack right now.

Stay safe,

Andrew S. Townley
Archistry Chief Executive