What is Secure by Design
Secure by Design (SbD) is an approach that puts cyber security at the heart of every stage of a capability’s lifecycle.
The Ministry of Defence is implementing Secure by Design in all top-level budgets and arm’s length bodies.
All capabilities and services that handle Defence data must follow Secure by Design. This includes capabilities delivered by suppliers.
It is used throughout government departments to implement and manage cyber security, guided by the Cabinet Office and National Cyber Security Centre.
The Ministry of Defence is implementing Secure by Design in all top-level budgets and arm’s length bodies.
All capabilities and services that handle Defence data must follow Secure by Design. This includes capabilities delivered by suppliers.
It is used throughout government departments to implement and manage cyber security, guided by the Cabinet Office and National Cyber Security Centre.
The MOD Secure by Design approach
By 'shifting security to the left' the MOD is designing security into capabilities from the start. So that teams can meet evolving threats, making sure risks are proactively and proportionately mitigated.
Security is no longer a one-time checkbox or isolated activity but is an ongoing, integral part of capability development and operation.
Just like any other business risk, capabilities must continually assess and manage their security risk throughout the Concept Assessment Demonstration Manufacture In-Service Disposal/Termination (CADMID/T) lifecycle.
In MOD, the Secure by Design approach is mandated in JSP440 Leaflet 5C.
Security is no longer a one-time checkbox or isolated activity but is an ongoing, integral part of capability development and operation.
Just like any other business risk, capabilities must continually assess and manage their security risk throughout the Concept Assessment Demonstration Manufacture In-Service Disposal/Termination (CADMID/T) lifecycle.
In MOD, the Secure by Design approach is mandated in JSP440 Leaflet 5C.
One size does not fit all
There are many differences between capabilities, such as operational output, requirements and risks.
Capabilities are different and this should be considered when developing a cyber security strategy.
The Secure by Design approach needs to be applied and adapted to the context, complexity, and criticality of what is being delivered. As such, there is no 'one size fits all' approach to Secure by Design.
The selection of controls should be proportionate depending on the criticality, scale and complexity of your capability:
Capabilities are different and this should be considered when developing a cyber security strategy.
The Secure by Design approach needs to be applied and adapted to the context, complexity, and criticality of what is being delivered. As such, there is no 'one size fits all' approach to Secure by Design.
The selection of controls should be proportionate depending on the criticality, scale and complexity of your capability:
Choosing the right controls depends on the criticality, scale and complexity of your capability:
Too much security can be prohibitively expensive and is usually too difficult to maintain.
Too little security could mean a system being compromised, with devastating consequences.
Too much security can be prohibitively expensive and is usually too difficult to maintain.
Too little security could mean a system being compromised, with devastating consequences.
Treating cyber security as continual risk management rather than as an obstacle, means a capability can better respond to emerging cyber threats, technology changes and evolving operational requirements.
The UK Government SbD information can be found on GOV.UK.
The UK Government SbD information can be found on GOV.UK.