In my last post I wrote about the Open Group TOGAF and SABSA integration announcement. This shows a real sense of partnership with leading industry bodies, and it seems like a step in the right direction for advancing the TOGAF method, models and tools with security and risk management content.
But does this published whitepaper on the integration of SABSA’s Risk and Security Management practices really add Security and Risk Management to TOGAF? On the surface, SABSA fills quite a few gaps: it matures and, frankly, documents and applies guidance to address big gaping holes in the existing TOGAF specification.
When I say “on the surface”, I mean that this material is in the form of guidance only; it is not an official part of the TOGAF specification. Treating it as an extension or an overlay at this point shows the extensibility of TOGAF, but it can also add unneeded complexity to the framework.
So, this brings us to the question: Is TOGAF Bringing the “S” to BAIT with SABSA? Yes and no. It really depends on how you look at it. Technically, no. The BAIT architecture domain model hasn’t been revised with TOGAF 9.1, and there are no press releases or announcements stating a modification to the core architecture domains that TOGAF addresses.
However, I believe this is a net positive addition to TOGAF. Delivery guidance is one step in the right direction, and it provides some other benefits, such as:
- Rationalized – For existing SABSA practitioners it shows how to apply TOGAF, and vice versa.
- Applied – Since this is delivery guidance, it shows how to apply the material, not just what it is, as a specification would. Not having enough in the specification itself is a challenge, but there is a practical need to fill this gap, and this is better than nothing.
- Intent – This shows real intent by The Open Group forum members not to let TOGAF get stale, by adding links to other practices.
- Unification – Instead of reinventing yet another standard, The Open Group demonstrates clear industry leadership in reducing complexity in the Enterprise Architecture space.
- Best of Breed – Along with not reinventing a standard, a best-of-breed addition was selected whose guiding principles and approaches are similar enough to make this integration compatible.
The Open Group announced last month the release of the TOGAF & SABSA Integration Whitepaper, a new guide developed in collaboration with The SABSA Institute to enable enterprise and security architects to integrate security and risk management approaches into enterprise-level architectures. Endorsed and developed by The Open Group Security and Architecture Forums and The SABSA Institute, the whitepaper aims to help architects align IT security decisions with critical business goals while reducing costs and improving interoperability across the enterprise.
"For too long, security and risk management have been considered a discipline separate from enterprise architecture, which has led to increased costs, reduced interoperability and less productive organizations. This guide empowers enterprise architects to apply a holistic, business-driven approach to IT security decisions," said Jim Hietala, VP of Security for The Open Group. "Like TOGAF, the SABSA methodology provides guidance for aligning architecture with business value, in addition to addressing a critical need for greater integration between security and enterprise architectures within organizations."
Intended as a practical guide, the whitepaper views security architecture as an integral part of how enterprise architecture should be approached, a critical shift that is often overlooked in enterprise architecture frameworks but that encourages enterprise architects to focus attention on business processes rather than just technology solutions. To address security and risk management more effectively within enterprise architecture frameworks, the whitepaper also describes ways that TOGAF and SABSA can be seamlessly integrated for optimum security and business productivity. This includes detailed guidance on how to produce business and risk management-based security architectures, along with practical approaches to improve the integration of information security across the enterprise. Within this context, a main objective of the paper is to spark debate in the enterprise architecture community about the evolving role of enterprise architects in enabling the business to manage operational risk.
"In the past, security and enterprise architectures have been designed and acquired in silos, without common architecture languages that help tie both to broader business objectives," said John Sherwood, Head of the SABSA Academy, a division of The SABSA Institute. "We’re proud to finally integrate SABSA with TOGAF to provide structure for the relationship between enterprise and security architectures, and help create more efficient, cost-effective and productive enterprises. Our hope is that the paper will fundamentally change the way enterprise architects think about enterprise architecture."
The SABSA methodology was chosen for integration with TOGAF based on its objective of developing security architectures that facilitate the business, much like TOGAF’s business driven approach and open methodology. Utilizing the SABSA Business Attributes Profiling method, the integrated methodology enables the creation of better architectures that drive tighter alignment between business and IT within enterprises. The whitepaper is the culmination of the TOGAF-SABSA Integration Project that began in May 2010 as a joint initiative of The Open Group Architecture Forum, Security Forum and The SABSA Institute.
The TOGAF SABSA Integration Whitepaper is available here: https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12449