Christine Maxwell, Director Cyber Defence, MOD explains why the government department has fundamentally changed the way it approaches cybersecurity.
With over 81% of large organisations in the UK reporting cyber-attacks last year (NCSC, 2023), the threat has never been more present. The potential impact of these attacks has significantly changed the digital landscape and the way that businesses, corporations, individuals and Government departments have to deliver and manage cyber security.
All organisations must now continuously adapt their operations and associated cyber security measures, not just to remain resilient today, but to plan for future resilience and minimise vulnerabilities as attacks grow in sophistication and the threat continues to change.
The MOD is no exception to this. Cyberspace is a key operating domain of modern warfare and digital technology is intrinsic to delivering capability. Consequently, the operational imperative is to ensure that all MOD capabilities can operate securely in an environment where the threat of a cyber-attack is ever more present.
In response to this, in July this year, the MOD launched Secure by Design, the new approach to cyber security that ensures security is embedded into all our Defence capabilities and systems from the concept phase, through to delivery and throughout the operational lifecycle of any programme.
Secure by Design has fundamentally changed the way the MOD approaches cyber security, moving from accreditation-based compliance to a process of continual risk management that is embedded from the start of programmes. Secure by Design requires security and resilience to be built in from the outset, increases the speed and efficiency of delivering systems that are secure, and modernises how assurance is delivered.
A key aspect of Secure by Design is ensuring that the responsibility and accountability for cyber security sits with the programme and project teams who understand the systems and risks best. It promotes a process of continual assessment and assurance, whereby project teams must consider the cyber risks from programme concept through to delivery, taking a proactive approach to security. In doing so, it allows our delivery teams to better manage and mitigate cyber risks from the start of a programme and throughout the development and in-service lifecycle. Through a process of continual self-assessment, our programme owners and leaders are now accountable for delivering systems that are cyber-secure.
Secure by Design is a major change to how cyber security was previously considered and brings multiple benefits to the UK Defence enterprise.
Secure by Design guides teams to build systems and processes that are designed to be resilient and can adapt to evolving threats and emerging technologies. By proactively identifying and addressing cyber security risks, Secure by Design helps reduce the likelihood of a security compromise, protecting sensitive information and delivering more robust systems to end-users. In addition, implementing cyber security as part of the design process, rather than retrofitting it to a completed system, is not only better from a security perspective but also more resource-effective.
Secure by Design is a major transformation that brings with it multiple benefits including:
1. Improved Security Risk Management: By focusing on a broad range of security threats and risks from the outset, it allows the MOD to better manage and mitigate risks.
2. Futureproofing: Building systems and processes that are designed to be secure and resilient, so they can adapt to evolving threats and technologies.
3. Reducing Security Compromise: By proactively identifying and addressing security risks, Secure by Design helps reduce the likelihood of security compromise, protecting sensitive information and delivering more secure systems to our end users.
4. Cost-Effectiveness: Proactively implementing security as part of the design process, rather than retrofitting security to a completed system, is better from a security perspective and more cost-effective.
5. Agility and Innovation: It allows new technology to be assessed, adopted and exploited, whereas compliance and accreditation are often unable to keep up with this rate of change.
6. Employee Awareness: It involves educating and empowering employees to be active participants in security, making them more involved, vigilant and effective in identifying and responding to threats, through the design process and then throughout the system's life.
The new initiative also means changes for our industry partners, who work closely with the MOD to develop and deliver all programmes for UK Defence. These partners must also follow the Secure by Design principles. The continued support and expertise of our industry partners remain vital as Secure by Design beds in. Working with external partners is invaluable and enables us to take advantage of new and emerging technology, keeping us ahead of the curve without increasing our cyber risk.
Secure by Design allows teams and partners to track and report progress and generate assurance reports for stakeholders, helping embed the principles of continual assurance. By using accurate and meaningful data we can drive improvements to the approach and continuously measure the effectiveness against outcomes.
It’s been four months since the official launch of Secure by Design and our focus is very much on building momentum and continuing to drive forward to establish true culture changes. This is just the start of the journey and everybody in Defence has a part to play.
We are already beginning to see change and improvements. The demand for security at the early stages of a lifecycle has made teams consider it earlier. Those that have embraced Secure by Design are starting to see the benefits, not only through early risk identification, but also because any gaps in the programme can be captured and managed quickly. We now have over 200 projects registered on the Secure by Design Cyber Activity and Assurance Tracker (CAAT) as self-assessments start to be conducted. This is all very positive.
Secure by Design marks a pivotal moment in changing how the MOD approaches cyber security. This is directly leading the delivery of more secure systems through simplified processes, greater use of open standards, better guidance, more flexibility, and empowered decision-making for programme teams.
It will take time for the real benefits and value to be recognised, and there is still a lot to do in Secure by Design, but so far everything indicates we are on the right path.
Christine Maxwell has been the Director of Cyber Defence at the Ministry of Defence (MOD) since 2019. She has been driving cyber security transformation, and the new Cyber Resilience Strategy sets the vision and direction to support the UK’s Armed Forces to defend the nation and protect our interests.