Secure by Design’s Impact on In-Service Capabilities: What you need to know and how to prepare
Secure by Design (SbD) is bringing widespread changes to how Information Security is done within MoD, and one of the biggest impacts will be on In-Service Capabilities. You may have heard that in-service capabilities are not part of the initial roll-out of Secure by Design last week. What you may not know is that many in-service capabilities will need to take immediate action right now, and almost all will need to have a plan in place.
This is because after the 31st July 2024 you will not be able to renew your 'traditional' accreditation for in-service systems. That is only 12 months away.
If you do not hold accreditation on that date (or your accreditation expires after it) and you have not prepared for the transition, your capability will fall into SbD by default, unplanned, with all the cost and disruption that brings.
There are essentially three options:
Option 1: Pushing through a successful accreditation / re-accreditation in the next 12 months. This will be a challenge in many cases, especially as there is likely to be a rush, with many capabilities trying to do the same thing at the same time.
Option 2: Successfully preparing for and transitioning to SbD before your accreditation expires. This has its own challenges: the SbD Prepare step is non-trivial in terms of budget reallocation, SQEP (Suitably Qualified and Experienced Personnel), documentation and engagement, and it needs skilful management to avoid additional cost and delay.
Option 3: Delaying transition in exceptional circumstances. Where a Senior Responsible Owner (SRO) has a compelling case to continue with the current accreditation approach, a delay in transitioning to SbD will be considered strictly on a case-by-case basis. This is only a temporary measure that defers the eventual transition, it will be the exception rather than the norm, and you will need to have amassed compelling evidence to support it. Not exactly attractive!
So what do you need to do right now?
1. Do an immediate ‘Stock Take’
Whether it is one system or a portfolio of many, you need to understand your 'as-is' in relation to the SbD 'to-be', and you need to do that now. Carry out an immediate stock take of your existing capabilities to determine their current accreditation/re-accreditation status, their stakeholder landscape, and the maturity of their security in relation to the requirements of the new assurance-based SbD approach.
Top Tip: We have found this to be an absolutely essential first step in helping our clients understand the business risk they are holding and decide how to address it in the most cost-effective manner (whether that’s Option 1, 2 or 3). When you do a stock take, make sure you fully understand what is required by the SbD Prepare step so you realistically balance the cost, risk and benefits of each option. This will allow you to take an informed decision that you can communicate clearly to stakeholders.
2. Understand the business risk and opportunities and decide the plan
Once you have completed your stock take, you will know when and where you need to take action (i.e. on which specific systems, and what budget, SQEP and governance each needs). For example, depending on budget and available SQEP, it may be prudent to push some of the more mature systems that are approaching re-accreditation through Option 1, freeing up limited SbD-trained SQEP to focus on higher-priority systems where cost savings can be made. There is a real risk that DART and the help desk will be very busy during this period, so if you are considering Option 1, make sure you have planned in enough time and have all the mandatory documents and detail ready. Throughout these activities, engage stakeholders in the decision-making process.
Top Tip: Remember that transitioning to SbD introduces many opportunities, so do not just focus on the risks. Because SbD, unlike traditional accreditation, is not a 'box ticking' exercise, when it is planned for and implemented effectively we have consistently been able to identify efficiency savings by optimising our clients' SbD approach, allowing scarce resources to be refocused on what actually matters. This is particularly the case for systems that have previously been considered 'unaccreditable' but can now be secured effectively and efficiently because SbD can be tailored to them.
3. Secure the necessary Budget and Resources
Accelerating existing accreditation activities to hit the July deadline (Option 1) or transitioning to SbD (Option 2) will almost certainly require you to adapt or reallocate your budget and resources. This is particularly the case when transitioning to SbD: it places new emphasis on the front end of the system lifecycle, so an in-service capability will still need to meet the requirements of the Prepare step retrospectively. Where additional budget or resource is required, you will now have the necessary information (from your earlier stock take and subsequent analysis) to construct a robust and clear business case. If you need to construct a business case, make it a priority and do it as soon as possible, as many others will be doing the same.
Top Tip 1: In our experience, having senior buy-in for your plan (and any business case) is critical, so engage early and clearly communicate your plan, the impact of doing nothing and the benefits that support your case.
Top Tip 2: SbD SQEP is currently scarce, but in our experience one of the key benefits of a well-constructed plan is that you can build in the ability to train others in SbD as part of 'doing the job'. This delivers a real 'force multiplier', and we routinely use this approach to upskill our clients in SbD. Take it from us, it is incredibly effective when done well!
4. Communicate and Implement the Plan
Engage with all your stakeholders and clearly communicate the plan so they understand the direction of travel and their role in it, as this will be critical to success. Implement your plan and monitor progress carefully, and ensure governance is in place so you can escalate risks and issues in a timely manner. This is particularly important if you are trying to complete accreditation/re-accreditation before the July deadline.
Top Tip: In our experience, ensuring appropriate governance is key to success, but takes time to implement, so do it early. This is particularly important when transitioning your governance to align with SbD. Under SbD the responsibility for ensuring that correct information security is in place for in-service systems shifts to the system’s Senior Responsible Owner (SRO) and delivery teams. SbD explicitly emphasises their accountability in maintaining the system’s security posture and adhering to SbD principles.
As you can see, there are a few key steps you need to take right now to get ahead of these changes and prevent your in-service capabilities falling into SbD by default after 31st July 2024. So do not just sit on the sidelines and wait for SbD to hit you in the face next year. Instead, be proactive, get in front of the changes to reduce cost and risk, and take advantage of the transition to SbD while you still have time.
If you need support or have any questions, just reach out and contact us. Our experts can help by talking through what works best in your particular circumstances and helping you prepare. You can get in contact with us either through LinkedIn or through our website, Cyber Security Services | Ebeni. You can also find our previous post on the main SbD process changes here and all our SbD posts here.