
Author: Government Cyber Unit

Last updated: 2026-01-26

Case study: The Office for National Statistics (ONS) and Secure by Design

The Office for National Statistics (ONS) is responsible for collecting, analysing and publishing statistics relating to the UK’s economy, population and society. With data at the heart of its work, strong cyber security is critical to maintaining public trust and protecting sensitive information.

For some organisations, the Secure by Design approach is completely new. For others, it helps formalise and track existing cyber security practices. When the ONS began its Secure by Design journey, it was already ‘moderate to mature’ in terms of its cyber security, according to Leighton Osmond, the organisation’s Head of Cyber Security Risk and one of its Secure by Design champions.

“When Secure by Design came into the picture, we had established controls and governance already in place,” he says. “But Secure by Design felt like a natural progression. While some elements were new, overall, it complemented our existing risk management and governance frameworks. It helped us realise that we already had most of the pieces of the jigsaw on the table, we just needed to put them together.”

A game-changing checklist

Identifying gaps was made easier thanks to Secure by Design’s preparation checklist. “I can’t overstate how important that was,” says Leighton. “It helped us ask the right questions of ourselves and bring into focus what we already had in place.

“It also made us realise there were things that we didn’t do so well and things that we needed to smarten up on, for example, continuous assurance and security architecture.”

Putting strategy into action

The ONS’s Chief Digital and Information Officer (CDIO) Simon Sanford-Taylor sponsored the initiative, making sure it was embedded into strategic planning and delivery. Chris Penner, ONS’s Chief Architect, ensured that the architecture of new projects adhered to the Secure by Design principles and championed implementation. And Martin O’Brien, Deputy Director of Digital Delivery, used his teams to implement a proof of concept and took the learnings from that to help embed it into the organisation’s Digital Services ways of working.

Key actions the organisation took to implement Secure by Design included:

  • raising awareness across teams with presentations and briefings
  • mapping Secure by Design activities to existing delivery life cycle stages to show how security should fit in
  • working with stakeholders to align governance and security assessment frameworks with Secure by Design principles
  • collaborating with delivery teams on risk assessment, threat modelling and secure architecture
  • embedding security into the commercial supply chain process

Getting delivery teams on board

As the organisation’s projects shifted from waterfall to agile, integrating security into workflows was essential.

“We understood that the agile approach was necessary because technology moves so quickly,” says Leighton. “But we had to get development and security to fit together. That’s where early engagement is so important, because otherwise it leads to retrospective work, which can become very expensive.”

But thanks to buy-in from the senior leadership, the ONS now has highly proactive delivery teams who are keen to involve cyber security colleagues early.

“It’s great, because now delivery teams chase us,” says Leighton. “They want to get it right because they don’t want to come back to do rework at the end of their projects. They know they’ve got to get us involved and that it’s in their best interest.”

Integrating Secure by Design into project delivery processes was a huge step forward, but that was only part of a bigger picture.

“Secure by Design is a lot more than that – it’s a culture,” he says. “Whether it’s financial, commercial or governance processes, conversations with people in the corridor, guidance to directors or reporting, you bake it into everything you’re doing, so that security is on the agenda. If you get to that stage, you’re winning.”

Reaping the benefits

As well as improved collaboration between cyber and delivery teams, the ONS has seen other benefits. These include:

  • early engagement and understanding of security requirements among projects’ stakeholders
  • fewer security risks being raised
  • reduced average security risk score for the organisation
  • earlier identification of risks and reduced rework
  • greater confidence in the security posture of new services
  • better supplier alignment with security expectations

Teams at the ONS are also finding that the work they did to integrate Secure by Design into larger projects can now be replicated across others.

In the long term, the ONS expects to see a further reduction in security incidents, cost savings from fewer remediation efforts, stronger internal and public trust in the services it delivers, and better protection of data.

Measuring success and celebrating the wins

As a data-driven organisation, the ONS knows how important it is to measure performance. A great example of this is the way the team has tailored the preparation checklist to include a maturity model. Introducing a scale of 1 to 5 has given it an incentive to re-assess its scores regularly and allows it to track improvements over time.

“Never get complacent,” says Leighton. “It’s like the service delivery cycle: you keep going round and round looking at ways to improve things. I think revisiting the preparation checklist is something organisations should do every year. You need to know what you’ve got to improve or where you might have slipped.”

He adds: “I’ve found reporting really important. The sooner you start gathering data, the sooner you know Secure by Design is working. We started with some high scoring risks, but we found over time these risk scores and the numbers of risks being created were decreasing.”

Using data is a great motivator as well, because teams can see where their work is having an impact.

“If you’ve got nothing to show for it, there’s a danger you don’t think you’re achieving anything,” says Leighton. “You need to be able to say to people: you were there and now you’re here. Even if it’s just a small movement, it’s still a step forward. The small wins should be celebrated as well as the big ones.”
