Introduction
Secure by Design (SbD) was launched in July 2023 and it's already transforming the way government departments and the MOD are implementing security. Perhaps one of the biggest changes to UK Cyber Security processes in the last 15 years, Secure by Design aims to ensure all of your systems, processes and data are secure from concept to launch and then throughout their full lifecycle.
Before we delve deeper into the blog, it's important to note that MOD Secure by Design and UK Government Secure by Design are different. Despite having the same name, the same premise and the same objectives, their execution, delivery and assurance processes are different. They have different principles, different timelines and different maturity levels; at present MOD Secure by Design is almost fully introduced into MOD programmes and projects, and UK Government Secure by Design is following suit and is ready to secure projects and systems with its 10 principles. This article will be looking at the first and most transformative principle, Principle 1: Create responsibility for Cyber Risk.
For the first time, strategic leaders and leadership throughout projects/programmes will be empowered to be responsible and accountable for Cyber Security risk. Some of these positions will have never encountered Cyber Security before. But by spreading the risk ownership and the understanding across the business/program/project, these projects/programmes will be able to deliver far more secure products and processes, with a far greater security lifespan.
Addressing the elephant in the room – businesses have never been the biggest lovers of major change. To understand these large-scale governmental Secure by Design changes, it's important to know why they are being implemented and to understand the benefits of Secure by Design.
Unlocking the Benefits of Secure by Design Principle 1 – Create responsibility for Cyber Risk
A key benefit of Secure by Design is how it affects leadership. Leaders at every level are decision makers, and a greater understanding of Cyber Security and its risks will ensure that leaders make better decisions. By implementing Secure by Design principles, leaders who understand cyber risks are able to make informed decisions. This empowerment of leadership is not just at the executive level; it cascades down, resulting in leaders at all levels having an understanding of cyber risk and ensuring it is understood and mitigated. This creates a much more comprehensive understanding of risk and security controls that are better informed, and therefore far more fitting.
Too often there is a disconnect between executive leadership and the technical teams responsible for securing systems. This gap can result in poorly informed decision-making, lack of investment, and incorrect prioritisation of risk mitigation. By clearly assigning cyber security responsibilities to stakeholders such as CEOs and COOs, as well as Chief Risk Officers and Board Members, organisations ensure that cyber risk is treated alongside financial, legal, and operational risks.
Another major benefit of Secure by Design is that it aims to stop Cyber Security work being siloed, or existing in isolation. Attackers will normally target a wide attack surface, not just the security function, and so security needs to be at the forefront of everyone's minds. Empowering staff throughout the business to own security, rather than just the security team, not only spreads awareness but deepens security scrutiny and allows security to be examined by subject matter experts, potentially highlighting weaknesses that a cyber security team member would not be able to see.
A case study of where specific expertise has been siloed can be seen within NASA in the 1970s, specifically during the Challenger builds. Engineering teams identified that the O-rings, a component of the lower rockets, could fail, which could in turn lead to the entire failure of the launch. This severe risk was not fully understood by senior stakeholders; the findings were siloed within the rocket engineering team, who were unable to get their extreme risk findings correctly communicated or mitigated. This tragically led to the destruction of Challenger on launch and the loss of her entire crew.
Empowering all teams not just to understand security risks but to have influence over them gives projects and programmes the opportunity to be more secure. Most organisations already do this for safety, and so security will now be no different.
The key challenges organisations must overcome
Of course, as with any organisational change there are challenges. The largest challenge so far observed in the Secure by Design rollout is leaders who are newly empowered to be responsible or accountable for cyber security being unwilling or unable to fully immerse themselves in the new role.
Many leaders face busy days, heavy workloads and already hold a lot of responsibility. With the changes being made, some are being informed that they must take on more responsibility in an area they may be unfamiliar with. They may not welcome the changes and therefore will not commit to them as intended. Potential signs of this are attempts to delegate the responsibility to someone within their team, pushing deadlines back indefinitely, or openly stating that they are going to refuse to take part. This unfortunately means that the delegation of security accountability at all levels will not be implemented correctly, and that person is not only creating risk but becoming a risk themselves.
The best way to remedy this so far has been to educate these leaders in the importance of the security work and the new responsibility they hold, and to ensure that their workload is balanced well enough that they can correctly adapt to the changes.
Final Thoughts
The first principle of Secure by Design sets the tone for the entire framework: security begins with leadership. When executives take ownership of cyber risk, they signal its importance throughout the organisation. They unlock the necessary resources, drive cultural change, and support the technical teams in making security a core part of every decision, creating programmes, systems and projects that are secure by their design.
As cyber threats continue to evolve in scale and sophistication, especially with AI and quantum threats on the horizon, creating clear responsibility for cyber security risk is not just good practice, it’s now an essential pillar of resilience.
How can Cyberfort help?
At Cyberfort we specialise in helping organisations understand their comprehensive cyber risk landscape and put the best governance in place. We ensure cyber security and resilience is built into systems, processes and policies from the start of a product or service lifecycle. This enables organisations to align security with business objectives, existing systems, and industry regulations consistently.
Our teams are experienced in aligning business strategy with Secure by Design principles, starting with clear responsibility at the top. If you’re ready to take a proactive approach to cyber resilience, contact us at [email protected] or visit our website here.