Secure by Design vs. Security Control Sets

Editor’s note: This article was updated in June 2026 to reflect the growing adoption of Secure by Design across defence and government programmes.

A Comparison through Simon Sinek’s ‘Start with Why’ Philosophy

In cyber security, discussions often focus on frameworks, standards and control sets. These provide valuable guidance, but they can sometimes obscure a more fundamental question: why are specific security measures needed in the first place? This distinction sits at the heart of the Secure by Design approach.

Using Simon Sinek’s well-known ‘Start with Why’ philosophy, it is possible to view traditional security control sets and Secure by Design as complementary rather than competing approaches. One helps define what should be done. The other helps organisations understand why it matters and how security should be integrated into the design of systems, services and business processes from the outset.

Note: For a complete overview of the Secure by Design approach, principles and implementation considerations, read our Secure by Design guide.

Security Control Sets: The ‘What’

Security control sets like NIST SP 800-53 are comprehensive frameworks that outline specific actions organisations should take to protect their information systems. These control sets are detailed and prescriptive. For example, NIST SP 800-53 includes controls for access control, incident response, and system and communications protection, among others. These controls are essential for establishing a baseline of security practices and ensuring compliance with regulatory requirements.

However, while these control sets are invaluable for defining the “what” of cyber security, they often lack context regarding the underlying reasons for these actions. This can lead to a checkbox mentality, where organisations implement controls without fully understanding their significance or how they contribute to the overall security posture.

Secure by Design: The ‘Why’ and ‘How’

In contrast, the Secure by Design approach aligns more closely with Sinek’s “Start with Why” philosophy. Secure by Design emphasises the importance of understanding the purpose behind security measures and integrating security principles from the outset of system development. This approach encourages organisations to ask why a particular security measure is necessary and how it can be effectively implemented.

By focusing on the “why” and “how,” Secure by Design fosters a deeper understanding of security principles and promotes a culture of proactive security. For instance, instead of merely implementing access controls because they are mandated by a control set, Secure by Design would encourage organisations to understand the risks associated with unauthorised access and design systems that inherently mitigate these risks.

Bridging the Gap

Just as Sinek’s “Start with Why” inspires individuals and organisations to act with purpose, Secure by Design encourages a thoughtful and intentional approach to cyber security.

Security control sets remain an essential part of modern cyber security. They provide structure, consistency and a recognised baseline for good practice. However, on their own they cannot explain the context, priorities and design decisions that determine whether a system is genuinely secure.

This is where Secure by Design adds value. By encouraging organisations to understand the purpose behind security decisions, the risks they are trying to manage and the outcomes they are seeking to protect, it helps transform security from a compliance activity into an engineering and business discipline.

The strongest security outcomes are rarely achieved through controls alone. They emerge when organisations combine the guidance provided by established frameworks with a clear understanding of why security matters, how risks affect the mission, and how security can be integrated throughout the lifecycle of a system. That is ultimately the difference between implementing controls and designing for security.

About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure solutions provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.