Case study: Embracing Secure by Design at the Home Office
The Home Office is one of the UK’s largest and most complex government departments, responsible for keeping citizens safe and the country secure. With a wide remit covering immigration, policing and counter-terrorism, cyber security and resilience in digital services is not just important, it’s essential.
A new initiative with familiar goals
In recent years, the Home Office has taken significant steps to strengthen its cyber posture. One of the most impactful initiatives has been the adoption of the Secure by Design approach, a framework that makes cyber security everybody’s responsibility – not just that of the cyber security team.
David Haworth, Head of Cybersecurity Architecture and programme Senior Responsible Officer (SRO), immediately recognised the initiative's value as a way to set in motion a wholesale improvement in cyber security and to drive a consistent approach across the department.
When Secure by Design was introduced across government, the Home Office saw it as a fresh opportunity to further grow its cyber maturity. David Coffey, the Secure by Design Programme Delivery Manager, who has played a central role in the department’s journey, describes it as “definitely something worth embracing”.
He adds: “We felt that it was complementary to our developing cyber security environments and ways of working, especially in conjunction with the Cyber Assessment Framework (CAF) and GovAssure.”
This alignment with existing strategies has helped the department build momentum early on. Secure by Design wasn’t seen as a bolt-on or a tick-box exercise, it was a natural continuation of the Home Office’s commitment to secure, resilient services.
Building the foundations
Implementing Secure by Design in a department as federated and diverse as the Home Office was never going to be simple. The Home Office operates across several delivery environments, each with its own governance and service models, which creates real complexity. The challenge was to develop a unified approach that could flex to local needs and individual projects, making adoption and adaptation easier.
“The journey has been a significant challenge to embed the necessary cultural change,” says David. “But we’ve embraced it in the way we’ve tackled the problem, created a delivery team to embed Secure by Design, driven full collaboration across the Home Office, and encouraged innovation.”
Securing buy-in from senior leadership was key to success. The department’s head of digital and chief information security officer (CISO) were both supportive from the outset, openly describing Secure by Design as one of their top 5 priorities and helping to drive engagement across portfolios and governance forums.
The Home Office’s Head of Digital, Rob Thompson, reinforces the importance of Secure by Design. “Our Permanent Secretary has been very clear that she is keen for us to go further and faster, to be more responsive and build on our leading edge in digital, data and technology capabilities to get ahead of trends and prepare now for the challenges facing us tomorrow,” he says.
“So I’m really pleased that we are one of the leading departments in our adoption of Secure by Design, as a cross-government approach that will help streamline our digital projects and create a culture where cyber security is a common responsibility for everyone.”
Cultural change, not just compliance
One of the most important aspects of the implementation was treating Secure by Design as more than just a technical fix. David explains: “Our key objective was to get all the delivery environments to treat this as a cultural change, to build a culture in which Secure by Design is considered from the very start of every project, with the project functional leads being responsible for owning and complying with the Secure by Design approach.”
This has meant permanently embedding Secure by Design into business-as-usual delivery processes, not just cyber security workflows. The organisation engaged portfolio directors across all 9 delivery environments and functional areas across the wider department, and re-evaluated governance functions to ensure Secure by Design was considered at every stage of service delivery.
Overcoming challenges
The journey was not without its challenges. Governance, senior leadership buy-in and funding for a dedicated Secure by Design team were issues that needed to be managed. Aligning Secure by Design with how the Home Office interacts with other relevant frameworks, such as the digital and technology spend control process, the service model and service assessments, required careful co-ordination.
David Haworth says: “There were myriad policy and standards changes with which we needed to align the Home Office’s adoption of Secure by Design, not least the cross-government spend controls changes, AI playbook, and the updated Procurement Act.”
Defining what constituted ‘high risk and importance’ in a cyber context was another sticking point. Making sense of the cross-government policy in conjunction with delivery capability frameworks was a priority task, along with understanding evolving processes like Get approval to spend.
To support implementation, the team tailored the key tool – the self-assessment tracker – for Home Office use. This compliance assessment product helps projects track and evidence their cyber security resilience levels by reporting a security confidence profile.
“Adoption of the tracker has increased, and projects are now actively contacting the Secure by Design team rather than us having to chase them,” notes David Coffey.
Support from the centre
Central guidance, resources and support from the Government Digital Service (GDS) played a vital role.
“We have actively used the resources provided by GDS and where necessary we have created our own variants,” says David. “Ongoing collaboration with GDS and other departments implementing Secure by Design has also been key. We’ve worked hand-in-hand with GDS to proactively influence the cross-government Secure by Design approach, and sought to bring all the centrally-delivered webinars and guidance to all parts of the Home Office.”
Communication and engagement were built in from the start, helping to demystify Secure by Design and make it accessible to teams across the department and its arm’s length bodies (ALBs) and non-ministerial departments.
The road to success
The Home Office entered the go-live stage of Secure by Design in April 2025, and formally went live within the department on 1 October, synchronised with spend controls.
Although the approach is still maturing, the benefits of Secure by Design are already becoming clear. Within portfolios, Secure by Design is being adopted as the default approach, and it is embedding well. Governance processes are aligning more closely with frameworks like the Investment Committee and Get approval to spend, and the department now has a functioning ‘spend control front door’: a streamlined way to assess and approve spending, with cyber resilience as an important consideration.
Looking ahead
Longer-term, the Home Office expects Secure by Design to deliver increased cyber resilience across all its products and services, greater efficiency in delivery environments, and stronger collaboration both internally and across government.
The Home Office’s experience shows that embedding the Secure by Design approach is about more than sharing a policy and a set of mandatory principles – it’s about engendering a mindset. By embedding cyber resilience into the fabric of service delivery, the department is not only protecting its systems, but also building a culture of security that will serve it well in future.
David sums it up: “We’ve embraced the challenge, built the right team, and created space to innovate, so that people and delivery teams can work together to improve cyber security. That’s what Secure by Design is all about.”