The Ministry of Defence (MOD) has recently released a document addressing the challenges surrounding “Secure by Design,” which offers a rare glimpse into the complexities of implementing cybersecurity measures from the foundational stages. This approach emphasizes the integration of security within systems right at the design phase, rather than retrofitting it as an addition later in the development process. After years of advocating for the significance of the human factor in security, this acknowledgment from the MOD is a commendable recognition that the efficacy of technical controls is heavily dependent on the personnel executing them.
### Addressing the Security Skills Challenge
A primary concern identified by the MOD is how to enhance the skills necessary for UK defense in adopting the “Secure by Design” approach. Their recognition that effective implementation requires a cohesive “one team” strategy throughout the defense sector reveals the reality that security is not merely confined to technical teams. This insight aligns well with observations made in organizations boasting mature security cultures, where security responsibilities are shared across all departments rather than siloed within a designated security team.
### Navigating Knowledge Distribution
The second challenge addresses the disparity in information and knowledge—what the MOD describes as the “Knowledge Distribution Problem.” The MOD astutely points out that information asymmetries can arise for numerous valid reasons. This perspective is particularly valuable in that it acknowledges that barriers to information sharing are not solely the product of a failing security culture; some are intentionally established for critical reasons.
To illustrate this concept, consider a family planning a surprise birthday party for their grandmother. Different family members possess specific pieces of information that they deliberately do not share with everyone else: a daughter knows the guest list, a son has organized the venue and catering, and the grandchildren are focused on decorations—all while ensuring that grandma is kept in the dark. These barriers to information sharing are not indicative of poor cooperation but are necessary to achieve the goal of creating a surprise.
Similarly, within the MOD’s security framework, certain intelligence may need to remain undisclosed to suppliers to protect intelligence-gathering capabilities. Suppliers, too, may limit the sharing of proprietary details, even with clients such as the MOD, to safeguard their competitive edge. Various security controls might also be kept confidential from general personnel to prevent potential circumvention. These issues are not failures of security culture; rather, they represent purposeful compartmentalization necessary for effective security measures.
### The Early Design Challenge
The third complication pertains to the challenge of incorporating security considerations during the initial phases of capability development, particularly when these capabilities are still vaguely defined. It resembles the task of designing an advanced security system for a home when the specifics of the home, such as the number of doors and windows or where valuables will be stored, remain undetermined. In this early stage, the MOD suggests that a capability might consist merely of a basic statement of user needs.
This scenario intersects with how individuals approach risk management. Often, primary objectives, such as delivering military capabilities, compete with ancillary concerns like security. The MOD’s candid acknowledgment that “cyber security will always be a secondary goal” reflects a realistic understanding of how priorities operate within complex organizations.
### Maintaining Security Throughout the Lifecycle
The fourth challenge pertains to the ongoing necessity for security rationales and practices to remain relevant over decades of a capability’s lifespan. With defense platforms potentially in use for over 30 years, decisions made today regarding security must retain their relevance for future engineers. Continuous risk management becomes paramount as organizations face new threats throughout the long lifespan of these systems.
### Building a Collaborative Security Culture
The MOD acknowledges that executing “Secure by Design” is not merely a technical challenge; rather, it is fundamentally about fostering collaboration among people across various organizational, disciplinary, and national boundaries. This approach reflects a transition toward a more evolved security culture—one that recognizes limitations, seeks external expertise, and appreciates the intricate interplay between human factors and technical controls.
By acknowledging the need for assistance from academic and industrial sectors, the MOD showcases a collaborative mindset essential for tackling intricate security challenges. This stands in marked contrast to the traditional government inclination toward self-sufficiency. By openly inviting outside input, the MOD makes clear that diverse perspectives and shared knowledge can significantly strengthen security postures instead of undermining them. Ultimately, successful security is not about having definitive answers; it is about cultivating the conditions where teams can collaboratively develop effective responses to the ever-evolving landscape of threats.
This article is part of TechRadarPro’s Expert Insights channel, showcasing timely contributions from prominent figures in the technology realm. The perspectives presented here belong to the author and do not necessarily reflect the views of TechRadarPro or Future plc. If you wish to contribute, further details can be found at the TechRadar website.