Security by Design Subgroup
Back to main
CAN SOCIETY AFFORD TO RELY ON SECURITY BY AFTERTHOUGHT NOT DESIGN?
“The main benefit of investing in
better security technology is to force the enemy to concentrate on corrupting
your people instead of trying to break your systems.”
Professor Richard Walton, former Director, CESG
The Security by Design Subgroup emerged from issues raised at
Round Table on Information Governance: related to the
need to change market behaviour so that security is built into information
systems from the outset.
The Group produced a report making the case for a fundamental
change in market behaviour so that the complex IT systems, on which society
increasingly depends, have security embedded from the start rather than added as
A Summary four page report is available for those without
time to read the full length version, as well as a one page version of key
increasingly reliant on complex online systems and vulnerable to online risks
and threats. Many reports recommend retrofitting privacy and security, but much
more needs to be done to ensure it is built in the design stage.
regulators and professional bodies have important roles but the key to changing
market behaviour is better practice in design and procurement. Government’s main
contribution should be as a more intelligent customer.
Convergence, increased system complexity and the transition
towards new online business models, such as cloud computing, present
risk-management challenges that cannot be resolved by security provided as an
afterthought. Action is also urgently needed at service, system and product
levels to reduce the threats from criminals, terrorists and cyberwarfare to the
systems on which society depends.
The UK Government, its security advisors and the providers of
ICT services must play a leading role in agreeing common approaches that will
change market behaviour. These must include common terminologies and shared
processes for practical co-operation, focusing on frameworks for assessment and
of government and regulatory policies should not only involve the relevant trade
associations and professional and academic bodies but should also be peer
reviewed by practitioners, both public and private sector, including those with
responsibility for delivery, operations and monitoring.
Forthcoming Subgroup Meetings
Recent Subgroup Meetings
Back to top