Information and cyber security consultancy, Logiq Consulting has shed light on Secure by Design, the Ministry of Defence's (MOD) fresh approach to cyber risk management. The forthcoming initiative from the Cabinet Office, also titled Secure by Design, represents a "fundamental change" in the execution of cyber security across Government departments. The aim is to counter the rising cyber threats to these departments to ensure the critical services are secure now and in the future.
The idea behind Secure by Design is a pivot towards improved cyber security, moving away from an accreditation-based model. It suggests a team-based approach, integrating security design principles based on continuous risk management, secure systems engineering, and ongoing improvement. The initiative's motive is to focus on crafting systems from scratch that are secure, beneficial, reliable, and resistant to cyber-attacks, instead of treating security as an afterthought.
While the new initiative does mean an end to the previous accreditation model, it also signifies deeper and more foundational shifts within cyber security. Aligning security activities with management and engineering processes, the new method means security is no longer a siloed concern. Instead, the Secure by Design approach aligns security risk with existing risk management processes, acknowledges it early on, and balances it against other system considerations like cost controls, system integration, user experience, safety, and logistics. This makes cyber security everyone’s responsibility and calls for a collective revamp of the mindset at various levels, such as senior management, commercial teams, project managers, product teams and their suppliers.
The Central Digital & Data Office (CDDO) has developed a framework that permits Government departments to customise Secure by Design. Departments like the MOD, which work on complex cyber-digital-physical systems, have adapted the general approach to fit their specific requirements. Rather than seeking an accreditation certificate, the new principle-based approach requires a set of evidence that provides stakeholders with reassurance. Teams will, therefore, need to develop assurance cases based on evidence produced throughout the project, showing that security goals have been agreed and accomplished, and that security can be maintained throughout product lifecycle.
Despite the challenges associated with altering mindsets around cyber security, Secure by Design is predicted to offer long-term benefits. The primary advantage is the delivery of superior, more secure systems that are reliable and better equipped to resist cyber-attacks. Designing security from the outset will ensure these systems are functionally enriched, usable, and also aligned with business or mission objectives. Secure by Design initiative will also mean responsibility and accountability for security sit solely with product delivery teams rather than accreditation teams.