Case study: How UK Export Finance (UKEF) implemented Secure by Design
UK Export Finance (UKEF), the nation’s export credit agency, plays a vital role in helping UK businesses reach new international markets. Strong cyber security is critical to its ability to deliver services effectively.
When Kapil Mehta was nominated to be UKEF’s Secure by Design champion, he quickly realised that although the approach was new to the organisation, in many ways it complemented their existing cyber security practices. “The Secure by Design policy and principles are well-structured and practical,” he says. “It was clearly going to be a case of strengthening what we already had.”
Kapil started by setting up a working group, which contained a mixture of delivery, security and operations colleagues as well as some user-centred design colleagues. “I cast a wide net,” he says. “Everybody was very keen and most of our meetings were a full house.”
Over time, a core team emerged from the working group, meeting more often to work through the practicalities of implementation. But to begin with, the larger group began working through the Secure by Design transition plan to evaluate how to build on their current ways of working to meet the mandatory principles.
Getting the word out
The team realised that an important step in implementing Secure by Design would involve raising awareness about the approach. Working with UKEF’s internal comms team, they used the communication toolkit from the Secure by Design website.
Following the toolkit’s guidance, Kapil used the example article template as a starting point to create and publish an intranet article explaining how and why UKEF was implementing the approach. He included a comment from Adrian Hudson, UKEF’s Chief Technology Officer (CTO), about why Secure by Design was important for the organisation. They followed up with articles detailing the transition and providing updates on the journey so far.
Support from senior leadership was key. Dan Bowden, UKEF’s Director of Digital, Data and Technology, joined Adrian in keeping the focus on Secure by Design, regularly checking in and overseeing progress. Having the approach integrated into internal policies provided senior leadership with tangible evidence that the organisation was clearly committed to cyber security.
The team also put out communications targeted at specific groups, which included:
- briefing and updating senior stakeholders, delivery managers and top-level committees
- signposting useful webinars for senior responsible owners (SROs), project managers and service owners
- providing training for delivery managers
“It highlighted to everyone that security should be front and centre right at the beginning of their planning,” adds Kapil.
With awareness growing across the organisation, the next challenge was making Secure by Design part of the delivery process.
Integrating Secure by Design into delivery
The team’s original project tracker was quite basic. “When we saw how effective the Secure by Design self-assessment tracker could be, we realised we could integrate it into our existing delivery processes to create a one-stop checklist,” says Kapil.
Carly Pierzchala is the Head of Project Delivery at UKEF. “I was conscious of the fact that our teams were really flat out,” she says. “They already had a lot of governance to incorporate into their delivery plans and initially I was unsure how they’d feel about adding this to their busy workload. But Kapil handled it like an absolute pro.”
Kapil adds: “Our project management office (PMO) is excellent and very progressive. Their involvement was critical in getting us to the operational phase.”
Integrating Secure by Design seamlessly into the existing delivery process reduced the risk of placing additional pressure on delivery managers and product managers.
Sabina Malique, Head of PMO at UKEF, adds: “It’s been a privilege to work with the Secure by Design Working Group. With so many standards and guidelines to navigate, contributing to Secure by Design’s development and rollout has allowed us to shape how security is embedded in delivery. By aligning the approach with our frameworks, we’re helping teams build security in from the start, making it seamless and intuitive, and setting them up for success.”
Kapil strongly recommends involving policy teams, the PMO and delivery colleagues early. He adds: “They’ll help you navigate through controls and policies and get you there as quickly as possible.”
How UKEF benefitted from Secure by Design
With Secure by Design embedded in the delivery process, UKEF started to see benefits across its digital projects, including:
- improved visibility of security posture across digital projects
- stronger alignment between delivery and security teams
- more structured engagement with the spend control process
“Before we implemented Secure by Design, as an organisation we were probably looking at the security side of things a bit late in the process, sometimes during project reviews or checkpoint assessments,” says Kapil. “This could result in some costly rework. But having Secure by Design integrated into the process has made project teams have those conversations early with the right people.”
UKEF CTO Adrian Hudson adds: “Secure by Design is more than a technical framework – it’s a cultural shift. By embedding security into every stage of our digital delivery, we’re not just protecting systems; we’re safeguarding trust.
“We’ve made Secure by Design a cornerstone of how we operate, ensuring that the security of our customers and their data is prioritised from the outset. This approach has strengthened our resilience, fostered collaboration across teams and positioned us to lead by example in government-wide cyber maturity.”
Secure from the start
By embracing Secure by Design from the beginning and integrating it into delivery, UKEF has reduced its exposure to risk, increased senior leaders’ confidence in digital delivery and laid the foundations for a stronger security culture.
“If we keep a focus on security right from the outset, we’ll be starting from a good place,” says Kapil. “And that will help keep our services secure and resilient as we move forward.”
Further information
We’ll be publishing more case studies soon. In the meantime, you can:
- read the implementation guide for details of how to prepare for the transition to Secure by Design
- browse the Questions about Secure by Design for answers to some commonly asked questions about the approach