The launch of the MOD Secure by Design initiative, and the soon to be launched Cabinet Office initiative of the same name, should give rise to significant discussion, and pause for thought for everyone who works in these areas. This is not yet another new approach to security accreditation; it is a fundamental change in how cyber security is managed across Government departments — a change needed to combat the increasing cyber threats faced by these departments and ensure the critical services we all rely on are secure now, and in the future. Here we offer our thoughts on these changes and what they mean.
Secure by Design – a habitual shift to improved cyber security
Government departments are consciously moving away from the previous accreditation-based model and moving to Secure by Design. This means moving away from certificates, blanket control set implementation, filling out template documents and one person responsible for security. Secure by Design advocates a whole team approach, using security design principles, grounded in continual risk management, secure systems engineering and continual improvement. The intent? To ensure the focus of security is designing and building systems from the ground up that are secure, usable, trustworthy, and resilient to cyber-attack; not treated as a bolt-on or afterthought or as a way of achieving an accreditation certificate.
It’s not about the certificate – integrated security is Secure by Design
Whilst the focus will undoubtedly be on the removal of the accreditation model, the changes are deeper and more fundamental. One change is aligning security activities with management and engineering processes. Whilst this may seem obvious, often security is siloed off and discussed only amongst those involved with security and accreditation. Change brought about by the introduction of Secure by Design will ensure security risk is aligned with existing risk management processes, identified early, and where necessary, explicitly accepted by stakeholders at business case authorisation stages and formal design reviews.
Additionally, integrating security with system development processes will see security recognised as an engineering challenge. It will require security risk to be analysed, designed out where possible using secure system engineering techniques, and managed alongside the myriad other considerations. These include cost controls, legacy systems integration, system performance, user experience, safety, and logistics.
It is not simply a change for security professionals. It affects almost all aspects of a department, including senior management, commercial teams, project managers, product teams and their suppliers. This will require a significant mindset change, but provided this occurs it will result in a more joined-up approach that delivers across-the-board efficiencies.
For example, irrespective of how refined an organisation’s security processes, methodologies, and tools are, they will only be effective in delivering a secure capability if sufficient funding has been allocated for them to be applied. Therefore, security risk needs to be considered from the outset so that funding to manage the risk is included in the budget. Likewise, if a decision has been taken to procure equipment or services with no consideration of security, with the expectation that the security professionals will simply ‘get it accredited’, the organisation is explicitly taking a security risk. Hence the need for everyone to be invested and take an interest in cyber security from the outset.
What does it look like – frameworks and principles
The Central Digital & Data Office (CDDO) has developed a framework that allows Government departments to tailor Secure by Design to their own needs. The focus of this is largely on securing Digital Services. Departments such as the MoD, who build complex cyber-digital-physical systems, have tailored the CDDO approach to fit their precise needs.
The move away from an accreditor issuing certification to a principles-based, ‘by design’ approach will require a range of evidence to provide assurance to stakeholders. Employing Security Consultants to write documents for the sole purpose of accreditation will no longer be the default approach. Instead, teams will need to develop assurance cases based on evidence generated throughout the project and capability lifecycle, which demonstrate how security objectives have been agreed and achieved and how security can be maintained through-life.
The use of security design principles and advocating the use of secure system engineering techniques should create a greater focus on establishing security as an engineering problem to solve and manage, rather than focussing solely on attaining compliance. This will provide greater transparency of the trade-offs and compromises that always need to be made, and better traceability of decision making, ultimately supporting delivery of capabilities which are functionally rich and inherently secure.
The challenge and risk of change
Change is always difficult, and changing mindsets around cyber security will be no different. The major challenge will be moving from the comfort blanket of an accreditation certificate to recognising that the security of a system needs to be integrated into the system design, continually managed, and reported regularly.
Additionally, balancing a principles-based approach with the set standards required by certain industries, especially nuclear, aviation and safety, will be challenging, especially since many of these standards currently require an accreditation certificate or similar.
Change will not be quick, and a big risk to Secure by Design is that demand for “someone to issue a certificate” becomes too big to ignore, and a pseudo-accreditation model is created that undermines the change.
For Government departments, and the owners of systems or capability in these departments, recognition that they are responsible and accountable for cyber security, as well as for safety, finance and commercial compliance, is fundamental to effective risk management. This will present a challenge for these system owners, since they may not previously have had to consider security risk through-life. It will also be challenging for security professionals, who may struggle to translate technical security information into language understandable by non-security or non-IT professionals.
A further challenge is the shortage of cyber security professionals, not just in the UK but worldwide. This is an issue today, but it is likely Secure by Design will further highlight the resource gaps, not just in security but in all STEM subjects. This is why it is important that others are included in security: whilst it will not resolve the resource shortages, it will expand the number of people who are involved in security analysis. This will also broaden security views and challenge long-standing opinions, resulting in a debate that should lead to better solutions.
Finally, there is a need to balance Secure by Design with recognised standards such as ISO 27001 and Gov Assure. Secure by Design is not intended to replace these standards. Instead, Secure by Design will help departments leverage these standards effectively within the context of how the department operates. This will help to achieve these standards together with the resulting security, delivery, and operational benefits.
Early investment for long term benefit
The primary benefit is the delivery of better, more secure systems that are trustworthy and more resilient to cyber-attacks. Designing security into a system from the outset will allow more functionally rich and usable systems to be delivered, rather than taking such systems and then ‘locking them down’ once the design is finalised. Additionally, by integrating security with existing business and engineering processes, stakeholders will have a clearer and more accurate picture of risk, aligned to the business or mission objectives, offering better, more timely information upon which they can make decisions.
It will also ensure that responsibility and accountability sit firmly with those who deliver products, rather than with the accreditation teams. It will also provide clarity for the assurance role, with a greater focus on facilitating and enabling good security in product teams. By providing better guidance, tooling and access to experts, and by engaging with stakeholders across departments, assurance teams can enable better security by helping departments do the right thing, rather than telling them where they have gone wrong.
Evidently there is no such thing as absolute security, and no-one can guarantee it. One inherent problem with accreditation is the lack of evaluation as a system changes after certification, or, even more simply, the lack of motivation to do much else until the time of re-certification. Secure by Design changes that and, if implemented correctly, will provide assurance that a product has been designed correctly and is maintained as designed through-life.
Is it a good thing?
Evidently anything that aims to improve security and make systems more resilient and trustworthy should be seen as a good thing. Secure by Design is ambitious, but we need to be ambitious to take on the challenges we face today, and those we will face in the future.
Secure by Design is looking to resolve many of the fundamental issues that affect good cyber security, especially in government departments, and change on this scale is never easy. Undoubtedly there will be missteps along the way, and it will take time to embed and deliver its benefits. But it signals a desire to change, to do better, and to make security a topic that everyone needs to think about, and this can only be seen as a very positive step.
Logiq are Secure by Design experts, founded by engineers. Our team combines Security Consultants, Security Engineers, System Engineers and Developers who understand how to work with organisations and product teams to help implement security from top to bottom, through-life. We have helped to develop Secure by Design with government departments, ranging from organisational change to adopt Secure by Design, to helping develop secure applications. All based around our core concepts: innovate, collaborate, deliver.
Contact us today to discuss your security challenges and requirements and start your journey to Secure by Design.