Secure by Design
‘Securing capabilities through continual risk management’
Government suppliers will need to follow the new approach to cyber security risk management, known as ‘Secure by Design’. Here at bee.net we want to help you understand this change and start to implement the new approach so you can successfully bid for, deliver and support government capabilities.
What is Secure by Design?
Secure by Design is a fundamentally different approach to cyber security for government capabilities, both new and already operational. It replaces accreditation with cyber security that is proportionate and effective. It enables organisations to be agile enough to respond to a rapidly changing environment.
‘Securing capabilities through continual risk management'
The definition of Secure by Design
Christine Maxwell, Director Cyber Security, UK MOD
Secure by Design helps capabilities to secure their outcomes, not because security says so but because the business need demands it.
Continual risk management means that capabilities will need to understand risks throughout the lifecycle, starting from project conception, to reduce the probability of breaches, expense or delay.
Risk management in Secure by Design emphasises that cyber risks are business risks. This requires new workforce skills, a different governance approach and a fresh cultural mindset.
Should I restructure my organisation for Secure by Design?
Many organisations find that making a success of Secure by Design demands a significant cultural change, along with new cyber security direction and strategy.
Secure by Design also identifies the following key roles:
Organisational leaders
set the strategic direction for cyber security so that the organisation achieves a unified approach.
Senior Responsible Owners
make risk-based decisions that include cyber security based on their organisation’s strategic direction.
Capability Team Leaders
implement the decisions using a structured, whole-team approach and report capability risks to the organisation.
Cyber Security Specialists
identify the business impacts of cyber vulnerabilities to enable the effective management of cyber risks.
Learn how to assess your organisation’s readiness for Secure by Design.
How to get started with Secure by Design
Change starts with you
If you’re a leader responsible for the successful delivery or maintenance of government capabilities, you may need to take a more proactive role in cyber security than you have been used to.
A whole team approach
Secure by Design requires a whole-team approach and cannot simply be delegated to technical experts. Capability leaders will need to chair workshops where high-level risks to business outcomes, including cyber risks, are identified and prioritised holistically.
One governance
In Secure by Design, budgets and cyber security are approved together. If capabilities want to progress a project, they will need to demonstrate robust cyber risk management embedded in their business plans at every stage.
Personnel
Secure by Design changes everything. Capabilities may need to change who they recruit, how they train the people they already have, how they bid for or approach new work, and how they manage their team’s approach to risk. This is a cultural shift from the older ways of working.
Structured approach
Capabilities can set themselves up for success by first following a structured approach to cyber security tasks and secondly using a self-assessment tool.
Need more help getting started with Secure by Design?
What does Secure by Design mean for specialists?
As a cyber security expert or an engineer on a Secure by Design capability, you may find your role changes significantly.
Proper risk management
In Secure by Design, risks must be expressed in terms of their impact on the objectives of your capability. Framing risks this way will enable you to communicate better with senior leaders.
Collaborate
A great way of kick-starting collaboration is to hold a workshop with a diverse range of the capability’s stakeholders to identify risks.
Prepare
Preparation for good risk management sets the conditions for doing it successfully throughout the life of a capability. Work through these tasks, together with business colleagues, with the objective of better understanding your high-level risks, then measure how well you have done by using our version of the MOD self-assessment tool.
Need more specialist help with Secure by Design?
Should I sign-off this capability?
Secure by Design helps Senior Responsible Owners in government, and anyone else responsible for ensuring money is well spent, to make that decision.
Secure by Design gives capability owners greater confidence that risks have been properly identified and that they are approving a business case to manage them appropriately.
Capabilities can reduce the probability of unexpected or unexplained issues impacting outputs, costs and time.
Secure by Design gives capabilities a better understanding of the impact of other systems on the delivery of their own responsibilities.
Need independent advice on how well a capability has applied Secure by Design?
Contact us
Ask the experts a question on Secure by Design