Secure by Design is changing the way the UK Government and its departments implement cyber security, in a move away from traditional accreditation-based compliance. This new approach aims to deliver better systems that are more secure, trustworthy, and resilient to cyber-attack.
Here, we look at why organisations should seek to go beyond traditional compliance and why adopting Secure by Design can provide multiple benefits.
What is compliance?
Compliance relates to the adherence to a standard, practice, or process so that it meets certain obligations. These may be internal obligations, external pressures, regulations, customers’ demands and legal constraints.
Building processes and management systems on internationally recognised standards helps to provide confidence that an organisation is investing in operations and managing risk appropriately. It also enables an organisation to be audited against these standards, allowing it to highlight areas of strength and weakness, whilst ensuring continual improvement processes are implemented. Compliance against specific standards can also be a mandatory requirement for many industries to ensure these minimum standards are achieved.
What are the security limitations of only seeking compliance?
Amidst the benefits, compliance can also be gained for the wrong reasons, and this can have security consequences. For example, if compliance is only completed to achieve a standard or meet minimum requirements, there’s a chance the associated processes and procedures only exist in policy or are given lip-service by the users.
Worse, we see the creation of a ‘security process’ that drives security into its own silo away from other business functions. In this case, the compliance certificates can provide a façade of good security that overlooks or ignores critical aspects of the business. As a consequence, whilst everyone is happy they are ‘compliant’, the lack of integrated security can result in poor decision making, security blind spots, a lack of engagement from leaders, unnecessary costs and a technology-centric strategy.
Meanwhile, the scale and complexity of many modern information and operational systems means that no standard can provide the depth and scale of coverage needed to make these systems secure. The need to balance security, safety, functionality, usability, cost, and technology requirements drives a necessity for alignment across business functions and engineering processes. Ultimately, those that only gain compliance for the purposes of compliance and follow it as a checklist exercise may not fully understand how to secure their programmes, which can lead to higher risk and potential security breaches that have greater business impact.
How can Secure by Design help?
Secure by Design is the new approach to cyber security being introduced by the UK Government. It aims to ensure that cyber security and resilience are built into systems from the outset, so that security is aligned to the organisation’s objectives and is integrated and managed with the system design as it evolves, not bolted on as an afterthought.
It removes a singular focus on achieving accreditation and places responsibility and accountability for security on the organisation and the individual product teams, not the central security team. This gives the product team control of and responsibility for their systems’ security, ensuring they ‘own’ the risk but also allowing them to explore opportunities to innovate and manage security risk better. It recognises that the best people to manage system risks are those designing and building the system, since they understand it best. But they will need support. This is why Secure by Design emphasises the role of the whole organisation in delivering better security, including senior civil servants, programme managers, project managers, engineers, architects, and support teams.
Aligning security with business objectives drives teams to report security progress in line with existing business reporting, including major delivery milestones. This reduces the chance of security being missed or considered after key decisions have been made. After all, a security incident can be a consequence of many things, including commercial strategy, sub-contracts, technology selection, poor training, and lack of business alignment.
How is it different from compliance?
Secure by Design isn’t just compliance by another name and can provide many benefits beyond those offered by a compliance-only approach to security. Here we offer 10 thoughts on the differences between Secure by Design and compliance, and the benefits of the Secure by Design approach.
As stated, Secure by Design should be seen as complementary to compliance and the next stage in an organisation’s journey to being secure. It supports the attainment of compliance as required, but also clearly recognises the limitations of these approaches and tries to enhance them, so that security works more effectively and efficiently for the business, rather than being seen as a blocker or a step to overcome.
How we can help
Here at Logiq, we have helped to define and develop Secure by Design as part of government working groups. As such, we are now positioned to help industry and government departments on their journey towards continual risk management.
To explore Secure by Design further, get in contact with us via email [email protected] or call 0117 457 7463.