Secure by Design – A Continual Risk Management Approach

MOD Secure by Design Risk Management

Secure by Design is changing the way the Ministry of Defence (MoD), UK Government and its departments implement cyber security, in a move away from traditional accreditation-based compliance. This new approach aims to deliver better systems that are more secure, trustworthy, and resilient to cyber-attack.

Here, we look at why organisations should seek to go beyond traditional compliance and why adopting Secure by Design can provide multiple benefits.

What is compliance?

Compliance relates to the adherence to a standard, practice, or process so that it meets certain obligations. These may be internal obligations, external pressures, regulations, customers’ demands and legal constraints.

Building processes and management systems on internationally recognised standards helps to provide confidence that an organisation is investing in operations and managing risk appropriately. It also enables an organisation to be audited against these standards, allowing them to highlight areas of strength and weakness, whilst ensuring continual improvement processes are implemented. Compliance against specific standards can also be a mandatory requirement for many industries to ensure these minimum standards are achieved.

What are the security limitations of only seeking compliance?

Amidst the benefits, compliance can also be gained for the wrong reasons, and this can have security consequences. For example, if compliance is only completed to achieve a standard or meet minimum requirements, there’s a chance the associated processes and procedures only exist in policy or are given lip-service by the users.

Worse, we see the creation of a ‘security process’ that drives security into its own silo away from other business functions. In this example, the compliance certificates could provide a façade of good security that overlooks or ignores critical aspects of the business. As a consequence, whilst everyone is happy they are ‘compliant’, the lack of integrated security can result in poor decision making, security blind spots, a lack of engagement from leaders, unnecessary costs and a technology-centric strategy.

Meanwhile, the scale and complexity of many modern information and operational systems mean that no standard can provide the depth and scale of coverage needed to make these systems secure. The need to balance security, safety, functionality, usability, cost, and technology requirements drives a necessity for alignment across business functions and engineering processes. Ultimately, those that only gain compliance for the purposes of compliance and follow it as a checklist exercise may not fully understand how to secure their programmes, which can lead to higher risk and potential security breaches that have greater business impact.

How can Secure by Design help?

Secure by Design is the new approach to cyber security being introduced by the UK Government and the MOD. It aims to ensure that cyber security and resilience are built into systems from the outset so that security is aligned to the organisation’s objectives and integrated and managed with the system design as it evolves, not bolted on as an afterthought.

It removes a singular focus on achieving accreditation and places responsibility and accountability for security on the organisation, plus the individual product teams, not the central security team. This gives the product team control and responsibility for their systems’ security, ensuring they ‘own’ the risk but also allowing them to explore opportunities to innovate and manage security risk better. It recognises that the best people to manage system risks are those designing and building the system, since they understand it the best. But they will need support. This is why Secure by Design emphasises the role of the whole organisation in delivering better security, including senior civil servants, programme managers, project managers, engineers, architects, and support teams.

Aligning security with business objectives drives teams to report security progress in line with existing business reporting, including major delivery milestones. This reduces the chance of security being missed or considered after key decisions have been made. After all, a security incident can be a consequence of many things, including commercial strategy, sub-contracts, technology selection, poor training, and lack of business alignment.

How is Secure by Design different from compliance?

Secure by Design isn’t just compliance by another name and can provide many benefits beyond those offered by a compliance-only approach to security. Here we offer 10 thoughts on the differences between Secure by Design and compliance, and the benefits of the Secure by Design approach.

  1. Proactive vs Reactive: Secure by design focuses on anticipating and mitigating security risks from the outset, as part of the system design process. Compliance-only tends to be reactive, applying controls to systems when already designed and addressing security issues only after they’ve been identified.
  2. Comprehensive Risk Management: By placing continual risk management at the heart of its approach, Secure by Design requires an organisation to consider a broader range of potential threats and vulnerabilities, including those from existing business processes and operations, such as procurement and commercial practices. It also recognises the need to manage security with other functions, such as safety, allowing all risks to be proactively managed and mitigated through the implementation of holistic and balanced solutions. This output is not explicitly supported by taking a compliance-only view.
  3. Future Proofing: Secure by design aims to build systems that are not just secure, but resilient and trustworthy, that can adapt to evolving threats and changes in technology. Compliance can lock organisations into specific, static requirements that may become outdated or not evolve as quickly as real-world scenarios.
  4. Cost-effectiveness: Designing better, more secure, resilient, and trustworthy systems helps to prevent security breaches and is often more cost-effective than dealing with the fallout from a breach, especially since the cost of impact is hard to measure but can include fines, the cost of recovery, legal action, damage to reputation and loss of customers.
  5. Reduce Regulatory Risks: Building and integrating security from the outset enables regulatory requirements to be identified and implemented early. It also presents maximum opportunity for efficiencies by aligning multiple regulatory needs. Additionally, adopting the proactive approach of Secure by Design helps organisations exceed minimum requirements, reducing the risk of non-compliance with changing regulations.
  6. Business Aligned Security: Secure by Design emphasises the need to align security with business objectives. This ensures security is focussed on what the business needs to achieve, its mission and objectives, rather than implementing what a standard requires.
  7. Agility and Innovation: Secure by Design supports innovation and agility by fostering a security culture based on continual risk management that helps organisations adapt and respond more quickly to changing business needs, emerging threats, and new technology.
  8. Employee and Management Engagement: Making all employees, including Senior Management, End Users, Project Managers, Engineers and Commercial Teams, active participants in security can educate and empower them to own and be responsible for security risk. This helps to break down barriers, so everyone considers their role in making security better and more effective, not just the security teams!
  9. Continuous Improvement: Secure by design encourages ongoing monitoring and improvement of security practices, for purposes of efficiency and better security, ensuring that cybersecurity remains a top priority and can adapt to evolving requirements.
  10. It can still achieve compliance: Adopting Secure by Design and taking the proactive approach to security from the outset helps organisations achieve compliance and certification and meet regulatory requirements. It does so in a way that enables evidence and working practices from existing processes to be used to demonstrate compliance, rather than create new policy, processes, or information, just for the purpose of gaining compliance.

As stated, Secure by Design should be seen as complementary to compliance and the next stage in an organisation’s journey to being secure. It supports the attainment of compliance as required, but also clearly recognises the limitations of these approaches, and tries to enhance them so security works more effectively and efficiently for the business, rather than being seen as a blocker or a step to overcome.

How we can help

Here at Logiq, we have helped to define and develop Secure by Design as part of government working groups. As such, we are now positioned to help industry and government departments on their journey towards continual risk management.

To explore Secure by Design further, get in contact with us via email contact@logiqconsulting.co.uk or call 0117 457 7463.