Home  ›   Blog   ›   sabsa architecture matrix   ›  sabsa architecture matrix

Sabsa Architecture Matrix (2027)

Consider the top row: . Here, the business asks: Why are we securing this asset? The answer might be: “To protect customer credit card data so we don’t lose trust or face fines.”

You may discover that your security model (row 2) assumes a “zero-trust network,” but your Physical reality (row 4) still has a shared switch in a broom closet. Or that your Motivation column (Why?) is full of heroic declarations (“to protect patient lives”), but your Operational row (Who?) has no names—just the phrase “To be determined.”

To the uninitiated, the SABSA (Sherwood Applied Business Security Architecture) Matrix appears as a rigid taxonomy: six columns (Assets, Motivation, Process, People, Location, Time) intersecting with six rows (Contextual, Conceptual, Logical, Physical, Component, Operational). But this is not a table; it is a of an organization’s soul. It is the only security tool I know that forces a CEO and a network engineer to ask the exact same question in six different languages. The Vertical Truth: From Dreams to Dust The true genius of the SABSA Matrix lies in its vertical integration. Most security frameworks operate on a single horizontal layer. Governance documents live in the stratosphere; firewall rules live in the basement; they never meet. SABSA forces a vertical cascade of accountability. sabsa architecture matrix

Now drop down to the row. The architect asks: What are we doing? Answer: “Implementing a data-centric encryption strategy.”

Descend to : How is the system structured? (Encryption key management system, access control lists). Consider the top row:

The matrix forces you to confront the gap between strategy and reality. It turns abstract risk into concrete accountability. And because it is a matrix, not a linear list, it exposes contradictions —the kind that compliance audits miss. For instance, your Process column might require dual approval for code deployment, but your People column might reveal that the only two approvers both take vacation in July. Most security architectures are boring because they are static. The SABSA Matrix is dynamic; it is a relationship , not a record. It understands that security is a system of layered interpretations. A firewall rule is the operational shadow of a boardroom’s risk appetite. A password policy is the physical incarnation of a motivational trust model.

In a field obsessed with AI, zero-day exploits, and blockchain, the SABSA Matrix offers a radical return to first principles: It is the Rosetta Stone of cybersecurity—and like the real Rosetta Stone, most people walk past it to look at the shinier artifacts. Their loss. The matrix, quietly, holds the keys to the kingdom. “The devil is in the gaps,” SABSA seems to whisper. “And I have drawn you a map of every single one.” Or that your Motivation column (Why

: Where do the actual machines sit? (HSMs in a locked data center).