Key Secure by Design Changes to Look Out For... An Evolution or a Revolution?
With Secure by Design (SbD) fast approaching, here are some of the high-level, significant changes that you are likely to see.
Over the last 18 months, we have had numerous discussions, both internally and externally, regarding the implementation of SbD by the MoD and what that means for the delivery and management of cyber secure systems. We have even applied it in anger to systems and capability (even in-service capability) to road test the principles and approach. From this, we have learnt an awful lot about what works and what doesn’t, as well as the key changes to MoD processes that are just around the corner.
So, what are some of the key changes to the MoD process that you need to know about:
What this means: Security must be planned into the capability at the start (e.g. Concept phase) and budgeted for throughout its lifecycle.
What this means: If a system does not have the correct security in place, it may fail to pass its next financing review.
What this means: A manual registration process will likely lead to delays, so it’s better to get systems signed up sooner.
What this means: A breach on an improperly secured system could have a much more significant impact on the system SRO.
What this means: System owners need to be able to conduct regular security assurance on their systems.
What this means: You need the correct SQEP security personnel on your team to deliver the NIST Risk Management Framework.
It’s clear that SbD is a massive overhaul in UK Defence thinking. Previously, security was treated as an afterthought, but SbD brings it straight to the forefront. It requires system delivery teams to prioritize security throughout the entire system lifecycle, including budget, personnel, assurance, and governance.
Delivery teams and SROs are now solely accountable for the safe and secure delivery of their systems, departing from the past, where security was often treated as a separate concern. SbD signifies a transformative change in Defence’s approach to cyber security.
Our team of Cyber Subject Matter Experts is ready to assist you. We recognise the significant benefits but also the challenges that SbD brings, and we are here to support you in leveraging those advantages. Don't hesitate to reach out to us for support and guidance.
Take a look at the next article in the series, now live here: https://www.dhirubhai.net/feed/update/urn:li:activity:7082725308373557249
Principal Consultant at System Safety & Sustainability Ltd
1 year Stating the obvious, but back in the day SbD stood for 'Silent but Deadly'. Sorry to inject a little immaturity here.
Security, Resilience and Transformation Expert and Business Leader
1 year A capability that can be taken out (or worse subverted) by a cyber attack within the first seconds of an offensive is undoubtedly worse than having no capability at all. However, historically functionality often wins out over the costs of appropriate security. So will this now slowly change? Or is the need for more functionality just too deeply embedded in human nature?
Cyber Security Leader @ DXC Technology | CISM
1 year I can’t help but feel MOD’s SbD proposition is missing a fundamental point. IT is the lesser of the evils & should have been secured eons ago. It’s the digitalisation of the OT/ICS that form key components of the core platforms where the focus needs to shift. The ‘one size fits all’ approach will not yield the results - systems must be SbD within the context of how that system is used/operated, the deep supply chain of the components it comprises and using a risk-based approach. No point in securing a supporting system (i.e. a mission planning system) if it costs more than the platform itself.
Security and resilience manager | ISO 27001 lead auditor | Business continuity | Data protection (GDPR) practitioner | Incident management
1 year It will be really interesting to see how SbD develops and is implemented for the defence industry, especially those that may sit further down the supply chain.