The work to develop and launch a cross-government Secure by Design approach featured prominently at the Government Cyber Security Conference held earlier this month. In his keynote speech on 7 December, Oliver Dowden, the Deputy Prime Minister, commented on the importance of strengthening our cyber resilience.
“We’ve made our services ‘digital by default’ and the challenge is to make those digital systems ‘secure by design’… and to embed effective cyber security practices into our digital delivery.”
He continued by announcing that Secure by Design will be mandatory for central government organisations. Read the speech in full.
Bringing together government’s security and digital leaders, the conference offered a great opportunity for CDDO, which leads the development of the Secure by Design approach as part of the Transforming for a digital future: 2022 to 2025 roadmap for digital and data, to discuss the approach, its rollout and implementation.
The conference followed hot on the heels of a series of awareness webinars with government Chief Digital Information Officers, Chief Technology Officers and Chief Information Security Officers. These senior digital leaders will play a vital role in implementing the approach within their organisations. We’ll be running similar awareness sessions for other professionals such as SROs and service owners early in the new year. Email us at email@example.com if you are interested in participating.
Making cyber security everyone’s responsibility
Although Secure by Design is not a new concept, it has gained increased emphasis within government in recent years in our effort to ensure that security is not a bolt-on, but incorporated within the design and build of new services. A number of departments, for example the Ministry of Defence and HMRC, already follow a Secure by Design approach.
The cross-government Secure by Design approach aims to create a common footing so teams won’t need to work from a blank canvas when considering security for a new or existing service. This brings consistency and clarity on expectations, and improves trust and data sharing between government organisations. The approach is flexible and not designed to be one size fits all, because every organisation is unique. It provides good practice guidance and will require you to tailor it to the specifics of your organisation.
The approach includes Principles and Activities that cover the end-to-end project lifecycle. It encourages organisations to make security everyone’s responsibility within project teams and to continuously manage security risks at the right level throughout the digital delivery lifecycle. Secure by Design is not only about technology and technical controls to protect services; it is also about cultural change, that is, changing the way people in projects and delivery teams think about security.
It has been very rewarding to see digital and security colleagues from across government organisations and the private sector coming together with the Central Digital and Data Office to work on a common purpose and we are very grateful for the good support from colleagues and partners.
Find out more about Secure by Design
Security is not an optional extra. We wouldn’t build a car without brakes or seat belts. Why would we build a service that’s not secure? We encourage you to familiarise yourselves with the Secure by Design approach and to start internal conversations about how to move forward with Secure by Design in the new year. In the meantime, we are continuing to engage with our key stakeholders to discuss rollout and implementation.