Case study: HMRC’s adoption of Secure by Design
His Majesty's Revenue and Customs (HMRC) is one of the largest government departments in the UK, employing around 67,000 people. It’s responsible for collecting taxes, administering benefits, and enforcing customs and trade regulations.
First impressions of Secure by Design
HMRC’s cyber security function sits within the Chief Digital and Information Office (CDIO), specifically in the Security Consultancy Services (SCS) team, which was created and is led by Gez Jowers. This team has been working to establish itself as a centre of excellence, consolidating expertise and driving consistent security practices across the department.
When the organisation’s journey with Secure by Design began, there was already a strong alignment with existing strategic goals. Katie Nilson from HMRC Security was nominated to be the organisation’s Secure by Design champion.
“Secure by Design wasn’t something new and difficult – it was fuel to the fire,” she explains. “It carried more weight when it became a mandated approach across central government, but it was already something we wanted to do.”
The department had already been working to make security more of a consideration earlier in the delivery life cycle. Secure by Design provided a structured framework to formalise and scale that ambition.
“We were trying to shift security left,” says Katie. “Secure by Design gave us the language, the mandate and the tools to do that.”
Putting Secure by Design in place
Under the leadership and mentoring of Head of SCS Gez Jowers, HMRC had already begun implementing what the organisation was calling the ‘HMRC security life cycle’, which was effectively Secure by Design under a different name.
“When I created SCS, I brought all my existing 20 years’ experience in cyber to develop an internal HMRC security consultancy that could provide the services and capabilities required to ensure HMRC could effectively manage its cyber risk,” says Gez.
“This also required the creation of a security change and governance framework to allow us to influence how solutions were designed, implemented and tested. Thus began our journey from HMRC security life cycle to our design and implementation of Secure by Design.”
HMRC began rolling out Secure by Design using existing resources. The team developed a 9-stage process, which they documented for stakeholders in an internal brochure. They also put in place Secure by Design business partners to lead engagements with delivery teams. These practitioners guide projects through the Secure by Design approach during the delivery life cycle, bringing in subject matter experts as needed.
“We’ve gone from having 5 security people on a project engagement to one lead practitioner who brings others in only when necessary,” says Katie. “It’s more cost-effective and more consistent.”
Facing up to challenges
One of the biggest challenges was scale. HMRC’s delivery environment is vast and federated, with hundreds of projects running across multiple programmes. “There’s no one person who has sight of the full pipeline,” says Katie. “You have to tap into lots of people across the estate.”
Another issue, which is still being worked on, is the need to align Secure by Design with existing governance and spend control processes. HMRC manages spend controls at the programme level, whereas the Secure by Design self assessment tracker is designed for individual projects going through the digital and technology spend control process.
The team also faced cultural challenges. Security teams were quick to embrace Secure by Design, but delivery teams needed more support. “We’ve had to shift the mindset so that security is seen as something you embed from the start, rather than bolt on at the end,” says Katie.
Using central guidance and DSIT support
HMRC has actively engaged with the central guidance and support provided by the cross-government Secure by Design team in the Department for Science, Innovation and Technology (DSIT). They cite monthly check-ins, regular webinars and the preparation checklist as valuable resources. “Everything the cross-government Secure by Design team has done has been really helpful,” says Katie. “The preparation checklist was clever and helped us do a proper gap analysis between our existing ways of working and the Secure by Design principles and activities.”
The department also contributed feedback to improve tools like the self assessment tracker and has worked closely with the team to align Secure by Design with HMRC’s operating model.
“We’ve tried to make Secure by Design our default way of doing security,” says Katie.
Better engagement, more consistency
HMRC has seen some early benefits. Engagement with security has increased and there’s greater consistency in how security is approached across the estate.
“We’re seeing more accountability for security across the organisation,” says Katie. “Business owners are now responsible for implementing controls, not just asking for a risk assessment at the end.”
The new engagement model is also more efficient. “We’re saving time and money by getting involved earlier,” she continues. “There are fewer surprises at the end of a project.”
Longer-term, HMRC expects to see improved resilience across its services. “We’re still early in the journey,” she says. “But we’re confident that Secure by Design will help us deliver more secure, more reliable services.”
The team is now focused on enhancing the user journey, automating artefacts and making more of the process self-serve. “We want to make it easier for our customers, that is, our internal teams, to engage with us,” says Katie. “And we’re building the tools to do that.”
Embracing the mindset
HMRC’s experience shows that successful implementation of Secure by Design depends on strong leadership, early engagement and a willingness to adapt the approach to fit the organisation.
“We’ve embraced Secure by Design not just as a framework, but as a mindset and way of working,” says Katie. “It’s very much embedded in how we do security now.”