
A recent letter sent to all defence industry CEOs, focused on driving cyber resilience in supply chains, is a stark reminder that in challenging times it is of utmost importance that the systems we rely on remain safe and secure.
Within the letter, Ministry of Defence officials—the Second Permanent Secretary, DG Chief Information Officer and DG Commercial—outline the benefits of the NCSC CAF as well as the need for all organisations to adopt and apply a Secure by Design approach.
Here we explore exactly what it means to be Secure by Design and offer thoughts on simple changes that can help organisations in the defence supply chain and beyond get started.
Key Questions to Enhance Cyber Security Strategy
To truly embrace Secure by Design, it is important to shift the focus from procedural checklists to a more holistic understanding of security needs. Instead of asking, “What do I need to do to be Secure by Design?”—which implies a predefined set of steps or certifications—organisations should ask, “What do I need to do to be secure?”
The Power of Asking the Right Questions
This subtle yet significant change in questioning leads to a deeper exploration of cyber security requirements. By asking, “What do I need to do to be secure?” the conversation naturally progresses to, “How secure do I need to be?” This follow-up question is essential because it acknowledges that cyber security is not a one-size-fits-all solution. The level of security required varies depending on the organisation’s specific context, its objectives, and how the systems it uses support those objectives.
How Secure Do You Need to Be?
To answer, “How secure do I need to be?” an organisation needs to think about its mission and the purpose of the systems it uses in support of this mission. Whilst ‘a mission’ may sound like corporate management speak, it is important, as it puts into context why the organisation exists and what it seeks to achieve through use of a specific system or service. Security is there to help organisations achieve their objectives. It cannot live in a vacuum. So, by understanding the purpose of a particular system, and how this contributes to an organisation’s mission, everyone, including security teams, can begin to consider the importance of that system.
Once the purpose of the system is understood, we can then look at things that, if they were to occur, could cause the mission to fail. This is called Loss, or unacceptable Loss, and it is anything that is unacceptable to the organisation since it could result in mission failure. This could be anything: loss of life, loss of IPR, loss of revenue, loss of customer confidence, etc.
Understanding the organisation’s mission and then identifying and agreeing the losses that could result in that mission failing creates a useful reference point, not only for security, but for other teams within the organisation. It is a reference point that is also consistent through life, since loss is unlikely to vary if the mission remains the same. It can also help communication between different teams as well as with Senior Management, as loss focuses on organisational outcomes, not just security.
Loss helps us understand ‘how secure we need to be’, since it identifies negative outcomes the organisation is not prepared to tolerate. From this we can identify system ‘states’ or ‘hazards’ that, if realised, could cause the loss to occur. This in turn enables system designers, including security professionals, to develop strategies and tactics to control these states through the system design. By doing this we can focus on integrating security into a system to deliver a series of objectives, and thus a mission, as opposed to simply applying a series of security controls listed in a standard.
Outcome Focused Security
By focusing on loss and fostering cross-functional dialogue, organisations can develop a comprehensive understanding of their security requirements. This approach ensures that security measures are not only technically sound but are aligned with the organisation’s overall objectives and are considered with other functional aspects, including safety, usability, supportability, etc., resulting in system security that is easy to use, easy to maintain and easy to update.
In essence, asking the right questions transforms Secure by Design from a procedural exercise into a dynamic, context-driven approach. It encourages organisations to think critically about their security needs and to implement measures that are both effective and relevant to their needs. This shift in perspective is key to delivering systems that are secure, trustworthy, resilient and, therefore, Secure by Design.
About Logiq:
Logiq is an NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.