Now drop down to the row. The architect asks: What are we doing? Answer: “Implementing a data-centric encryption strategy.”
You may discover that your security model (row 2) assumes a “zero-trust network,” but your Physical reality (row 4) still has a shared switch in a broom closet. Or that your Motivation column (Why?) is full of heroic declarations (“to protect patient lives”), but your Operational row (Who?) has no names—just the phrase “To be determined.” sabsa architecture matrix
: Who wakes up at 3 AM when the key rotation fails? (The L3 engineer in Bangalore). Now drop down to the row
The matrix forces you to confront the gap between strategy and reality. It turns abstract risk into concrete accountability. And because it is a matrix, not a linear list, it exposes contradictions —the kind that compliance audits miss. For instance, your Process column might require dual approval for code deployment, but your People column might reveal that the only two approvers both take vacation in July. Most security architectures are boring because they are static. The SABSA Matrix is dynamic; it is a relationship , not a record. It understands that security is a system of layered interpretations. A firewall rule is the operational shadow of a boardroom’s risk appetite. A password policy is the physical incarnation of a motivational trust model. Or that your Motivation column (Why
Now drop down to the row. The architect asks: What are we doing? Answer: “Implementing a data-centric encryption strategy.”
You may discover that your security model (row 2) assumes a “zero-trust network,” but your Physical reality (row 4) still has a shared switch in a broom closet. Or that your Motivation column (Why?) is full of heroic declarations (“to protect patient lives”), but your Operational row (Who?) has no names—just the phrase “To be determined.”
: Who wakes up at 3 AM when the key rotation fails? (The L3 engineer in Bangalore).
The matrix forces you to confront the gap between strategy and reality. It turns abstract risk into concrete accountability. And because it is a matrix, not a linear list, it exposes contradictions —the kind that compliance audits miss. For instance, your Process column might require dual approval for code deployment, but your People column might reveal that the only two approvers both take vacation in July. Most security architectures are boring because they are static. The SABSA Matrix is dynamic; it is a relationship , not a record. It understands that security is a system of layered interpretations. A firewall rule is the operational shadow of a boardroom’s risk appetite. A password policy is the physical incarnation of a motivational trust model.