Embedding cyber security in digital delivery from the start
At a Chief Information Security Officer (CISO) forum back in 2021, government CISOs shared the security challenges they faced in digital delivery, underlining the need for clarity on what Secure by Design means for government organisations. From there, the cross-government approach to Secure by Design was born.
Now, two years on, Secure by Design has been cemented as a necessity in both the Government Cyber Security Strategy and the Transforming for a Digital Future: 2022 to 2025 roadmap for digital and data. Both strategies reinforce the need to embed cyber security into the delivery of digital services at every stage: from when organisations develop their business cases, through service design and build, to the decommissioning of services at the end of their operational lives.
The cross-Government Secure by Design approach will be mandatory for central government and arm's-length bodies (ALBs). The Cabinet Office will be reviewing organisations’ adherence to the approach via digital performance assurance processes and GovAssure (gov.uk email address needed to access).
Building Secure by Design
The Central Digital and Data Office has been collaborating with a cross-government working group formed by a diverse group of cyber security and Digital, Data and Technology (DDaT) professionals who have a special interest in Secure by Design in their respective departments or ALBs. We’ve also been getting expert input from the National Cyber Security Centre and consulting with the Government Security Group. Finally, we’ve been discussing our work with an industry panel of experts from some of the biggest suppliers to government.
Some organisations, like MoD, Defra, DWP and ONS, have been using local versions of Secure by Design. We have been working closely with them to learn from their work and bring those insights into the cross-government approach.
Our approach incorporates principles, practical guidance and tools designed to ensure that risk-driven cyber security is built into new government systems and services at every stage.
Further pilots are now underway with organisations including Cabinet Office, Defra, DWP, GDS, Home Office and MoJ. These will show how the draft Secure by Design approach fares when applied to digital service development. We’re already getting some invaluable insights from these.
Alongside the pilots we’ll be organising further user research sessions with colleagues drawn from key roles across government who will be expected to apply Secure by Design in practice.
In the Summer, we expect to make the draft Secure by Design approach more widely available for comment so we can get further feedback from wider stakeholders before we baseline it for implementation nationally in Autumn 2023.
Will Secure by Design affect you?
If you are involved in the delivery of digital services and technology, then yes!
Secure by Design is primarily aimed at the project teams delivering digital services, but it is equally relevant to the security professionals and Governance, Risk and Compliance (GRC) specialists who guide projects’ security and assurance activities. Secure by Design is very much about guiding colleagues from these areas to work collaboratively so that risks are managed continuously, by selecting and implementing security controls as new systems and services come together.
While our approach for Secure by Design is intended for use across government, it’s not “one size fits all” or a completely off-the-shelf solution. It will provide a framework of good practice guidance and tools that need to be adapted to your own organisation. How you implement it will be influenced by your structure, processes, governance, culture, resources, and other factors.
Secure by Design will work best as part of a holistic approach to improving your organisation's security. This includes building a culture where security is seen positively, and is supported by employees in all roles and at all levels - because security helps them to deliver the organisation's mission, rather than getting in the way.
In future blogs, we’ll explain the cross-Government Secure by Design approach in more detail and how it may impact your work. In the coming months you’ll also have an opportunity to review and comment on the draft approach and help us ensure it’s fit-for-purpose before we launch it later in the year.
We’re establishing a regular stakeholder email for Secure by Design. If you’d like to sign up for these, please email us at firstname.lastname@example.org.