Everyone agrees that cybersecurity is important: no one wants to be the next organisation that is the victim of an attack or breach. The ‘Secure by Design’ approach aims to reduce this risk by building security considerations into every product, service and system, ensuring resilience and protection are the default settings.
There are several sources of ‘Secure by Design’ guidance, including from the National Cyber Security Centre, and the Ministry of Defence, though the main one which government departments and arm's length bodies need to consider is from the Government Security Group. Each set of guidance comes with a slightly different lens, with a focus on products and suppliers, system design, or organisational culture. Across all the guidance, there are several core principles: anticipating threats early; designing processes and technology to minimise overall risk; and finally, developing an organisational culture where everyone understands their role in keeping systems safe from harm.
Yet public sector organisations have many competing priorities, and trying to build cybersecurity into every part of an organisation can be incredibly challenging. Secure by Design can feel aspirational rather than an everyday practice, as resource and operational pressures vie for leadership attention.
At a recent Civil Service World roundtable, supported by Palo Alto Networks and IBM, attendees found there is no single path to perfection, but that practical progress is possible and urgent. Secure by Design should not just be another compliance exercise, but a way of thinking that infuses leadership, procurement, governance and day-to-day decision-making.
Below are four ways public sector organisations can begin putting these principles into practice.
1. Leadership and culture: Securing everyone’s interest
The roundtable participants agreed that one of the biggest hurdles is not technology but instead leadership. Cybersecurity is often seen as a problem for the IT team, but if an organisation wants to be Secure by Design, this must be a shared responsibility across the organisation. Leaders must treat security as a part of the everyday job; it must be a thread intertwined throughout all decision-making processes, not just something thought about at the end.
One way to secure engagement from senior leaders is to translate the issue into the tangible. One attendee suggested Data Protection Impact Assessments: exercises which identify vital weaknesses and consider not only how these could be exploited but also the impact if something goes wrong. Linking these exercises with other priorities, like service delivery, can also help secure more buy-in. Framing the conversation around service continuity and the cost of disruption moves the issue from technical language to tangible impact.
Secure by Design requires buy-in not just from leadership but from the whole organisation. Attendees agreed that the goal is to make cybersecurity awareness part of an organisation’s cultural foundation. Training, internal communication, and even shared exercises can help raise awareness of cybersecurity. The more it is done, the more it becomes like putting on a seatbelt – something automatic.
2. Addressing legacy systems: one step at a time
Every conversation about cybersecurity in government includes a conversation about the challenge of legacy systems. Many public sector organisations still depend on outdated systems that cannot be easily updated to modern standards. The temptation can be to wait for a replacement before implementing Secure by Design principles; however, the consensus from the roundtable was that even small progress is better than nothing at all.
For systems that are already in place, take a risk-based approach. Identify and prioritise securing the most important services, where failure would cause real-world harm.
To do this, one attendee suggested identifying your organisation’s minimum viable operations: looking at what processes must keep running during a cyber incident and how they interact with each other. Mapping those dependencies helps make decisions on where investment would have the best possible value. Over time, this can allow even teams that are struggling with resources to strengthen their security foundations, one step at a time.
3. Assured procurement
As well as discussing legacy challenges, the roundtable explored the procurement of new platforms and services, which attendees agreed should have Secure by Design principles built in from the very beginning. One of the key challenges raised was the cost and complexity of verifying that suppliers adhere to these principles, especially for smaller organisations. There was support around the table for a more centralised system of assurance, which would create a trusted baseline that buyers can rely on when procuring technology.
Other ideas put forward included a standard or certification that suppliers can use to show that they meet Secure by Design principles, and building stronger checks into existing frameworks run by bodies like the Crown Commercial Service. This would reduce some duplication of effort across departments and provide smaller organisations with confidence that the products or services they are procuring are meeting a consistent standard. The aim, however, is not to completely outsource checking but to help supplement a smaller organisation's procurement process.
4. Governance and resilience: make improvement measurable
Creating good governance is what can turn Secure by Design from an aspiration into a habit. Several organisations have started using maturity models, scoring themselves from early awareness through to embedded practice. These models are not about chasing the perfect scorecard but about recognising where an organisation is and how it can progress.
Tabletop exercises are another effective tool. They expose capability gaps, illustrate the extent of the risk a cybersecurity breach presents, reveal weaknesses in communication and coordination between teams, and show how everyday processes, like payroll or communications, would operate in a crisis.
Building trust and resilience – one step at a time
Secure by Design should not just be about compliance, forms or audits. Instead, it is about protecting public services and, most importantly, maintaining trust. To achieve this, organisations should focus on continual improvement. As one of the roundtable participants said, “don’t let perfection be the enemy of improvement”. Secure by Design is not just a line in the sand. Little changes, like integrating security checks into projects and their lifecycles or raising cybersecurity risks in leadership meetings, will help to make government more secure and resilient tomorrow than it is today.