Will it Work? Exploring the Benefits and Challenges of Implementing Secure by Design
Previously, we’ve discussed the key changes Secure by Design (SbD) will generate for Ministry of Defence (MoD) systems. Leading on from this, we explore in more detail what some of the benefits and challenges of implementing SbD are.
What are the Some of the Benefits of Secure by Design?
1. Enhanced Operational Effectiveness.
The enduring principle of SbD is that it integrates security from the outset which is key to the MoD’s aim of driving down security risk as much as possible. This enhances the resilience of the system throughout its lifecycle, protecting it from evolving threats and reducing vulnerabilities.
So what? In the past, security was an afterthought and could often impact on or delay the systems operational output whilst security measures were installed. With security integral to the system from the start, it will allow for the system to dynamically adapt to the changing cyber threat environment whilst still maintaining full operational capabilities with no security after-thought to impact it.
2. Effort and Budget can be Focussed on What Matters.
SbD means an end to box ticking and the start of a more useful approach to security risk management. Yes, we used useful and security in the same sentence! Any professional outside of the security sphere knows how security can sometimes be a hinderance and even a barrier in operational output and delivery. MoD’s implementation of SbD puts the security management of the system firmly in the delivery team’s and the Senior Responsible Owner’s (SRO) hands. With the SRO directly involved and accountable, there should be a closer link to both MoD policy and capability objectives. This should allow for systems to tailor their approach to different circumstances.
So What? Security approaches can be tailored to the job in hand, leading to flexible and focussed risk management decisions that direct budget and effort to where it is most needed.
3. Significantly Reduced Through Life Costs.
Although there are no figures or facts about SbD cost saving yet, an article[1] about a similar security initiative known as ‘Secured by Design’ (buildings that are secured whilst being built), stated that the average cost of burglary to homes on an estate built with ‘Secured by Design’ is almost halved compared to an estate built without it. Although not the strongest causation link, this scenario shows that by implementing security during the design phase, systems can be better protected from costly threats, saving organisations money.
So What? Although the example is not cyber related, it does highlight that by embracing security from the start, UK Defence and its IT systems can potentially save significant costs through-life by protecting their system from cyber threats. At the same time, protecting (and even positively increasing) UK MOD reputation both at home and with allies.
What are the Some of the Challenges of Implementing Secure by Design?
1. Lack of SbD SQEP and Extra Short-Term Costs.
Primarily applicable to projects that are towards the later stages of the MoD’s CADMID lifecycle. These projects will likely need to allocate additional resources and expertise to ensure the successful implementation of SbD.
So what? A need to improve SQEP and possibly security measures will put a strain on budgets and resource allocations for in-service systems. An interesting point from the article above is the cost saving over the buildings lifetime from retrospectively implementing Secured by Design. If that scenario does translate to Cyber Security, then those short-term costs should benefit longer term.
2. The Immediate Need to Reallocate Budget.
Historically, Operating Centres and Delivery Teams have not had to manage and resource the full end-to-end security process. With SbD this has changed. With the need to continually assure their own systems, budgets will need to be reallocated to ensure effort can be directed to these activities.
So What? Whether at Operating Centre or Delivery Level, reallocation of budgets will be essential, but this needs to be carefully planned and implemented in order that it does not introduce disruption and delays to other delivery areas.
3. Effective Change Management.
The MoD operates a vast and intricate ecosystem of interconnected systems and technologies, in addition to employing hundreds of thousands of personnel and operating at an extremely high tempo. Implementing a framework like Secure by Design requires large-scale change management and a vast communication network.
So what? Implementing a new framework that intrinsically changes MoD and security processes, whilst still minimising operational impact, will be a significant test. This could result in some delays implementing throughout the MoD and initially, some confusion regarding the correct processes that need to be followed.
4. The Weakest Link.
The MoD’s implementation of SbD signifies the end of traditional system accreditors and constant oversight. Individual systems SRO and delivery teams will have exclusive accountability for ensuring the safety and security of the system.
So what? If each system is responsible for ensuring they have implemented SbD correctly, then each interconnected system is reliant on their neighbour doing the same thing. Although there will be second line assurance, it remains to be seen how effective this will be. Using the example about housing security above, the cost saving is based on all houses on the estate being ‘Secured by Design’, meaning the more that aren’t, the higher the cost of crime (breaches) becomes. So, the challenge becomes how do MoD convince each budget holder/SRO that although their budget may increase initially, it will drive wider MOD efficiencies, so it’s a great thing to do?
To unlock the benefits and meet the challenges that SbD brings to IT systems, Ebeni have the capability, training, and the experience to help. If you need support or have any questions, please contact us and we will put you in touch with one of our cyber subject matter experts or visit our website at Cyber Security Services | Ebeni.
What do you see as the biggest benefit or challenge of SbD? Let us know in the comments below!