Building confidence and resilience – the principles of our Secure by Design approach

by Chris Taylor - Business Information Security Officer

As we continue to push computers to “the edge”, it is becoming increasingly necessary for us to protect the processing, storage, and accessibility of sensitive data. The increased complexity of hardware, software, firmware, and systems across geographical boundaries exposes them to significant risks posed by cyber-attacks. Threats include equipment failure, human and/or machine error and environmental disruptions, all of which can negatively impact business operations. It's important to recognise that supply chains can also be exploited to breach systems, compromise essential components, and gain unauthorised access to critical assets.

Now more than ever, the need to design, build, secure and continually improve the resilience of our systems, products, and services is pressing. By considering security as a fundamental aspect in the design and operation of services, it is possible to minimise security fallout. Following a Security by Design (SbD) framework is key to embedding security into every step of the System Development Lifecycle (SDLC).

Our business leaders and operational teams are aware of the cyber threats and understand their responsibility in mitigating them. They are charged with implementing pragmatic security controls to manage the associated risks. At Sopra Steria, we have adopted a risk-based approach to protecting our platforms, predicated on an assurance model that is designed to ensure disruption to business operations is minimised and compliance with our commercial, legal, and regulatory obligations endures.

Key principles of Secure by Design 

Our SbD principles are designed to improve business resilience, provide leaders with an awareness of information security risk, and enable our practitioners to take pragmatic decisions to improve the security posture on a continual basis.

Our principles are aligned to industry best practice and can be applied to any system, no matter where it sits in the SDLC.

Our five key principles are:

  • Categorise: informs the wider risk management process by capturing the business, operational, and technical details likely to impact the Confidentiality, Integrity, and Availability (CIA) of a system, or interconnected systems.
  • Select: allows practitioners to tailor security controls needed to protect the system, designed to mitigate risk, in accordance with the defined risk appetite, or other commercial restrictions.
  • Implement: ensures controls are implemented at the earliest point of the SDLC. Some controls may already exist, but where they don’t, our professionals determine where to implement them.
  • Assess: determines whether controls have been implemented correctly, operate as intended, and produce the desired outcome. This in turn gives the business confidence that resilience is where it needs to be.
  • Monitor: maintains situational awareness of a system's security posture, which in turn supports informed risk management decisions. Continuous monitoring is essential to determine whether existing controls remain effective if the systemic and operating environment changes.

Our approach provides a disciplined, structured, and flexible mechanism to manage risk at the appropriate level, at the appropriate time. It provides business leaders and senior managers with the information they need to make efficient and cost-effective decisions about systems that support our business and our customers' mission areas. In doing so, accountability and responsibility are established from the practitioner to the executive level.

The benefits of our approach to SbD:

  • Enables effective communication between senior executives and business leaders at the strategic level, and system owners and/or practitioners at the operational level.
  • Provides a common set of controls, and supports the development of tailored controls, designed to reduce the workload on system owners and the cost of system development and asset protection.
  • Minimises complexity of the IT estate, using enterprise architecture concepts to consolidate, optimise and standardise the approach to risk management.
  • Reduces system complexity by eliminating unnecessary functions or capabilities that do not address specific security risks.
  • Identifies, prioritises, and focuses resources on high value assets that require an increased level of protection, and targets specific measures proportionate to the risk to such assets.

SbD is system agnostic, allowing it to be applied to almost any system without modification. While the controls, control implementation and control assessment decisions may vary depending on the business requirement, there is no need to alter the approach to accommodate specific technologies. SbD is applied iteratively for any type of development approach (e.g., Agile, DevSecOps) with security controls implemented, verified, and validated on a continual basis. This flexibility allows SbD to support rapid technology cycles, innovation, and use of best practice for simple or complex system deployments.

SbD is designed to move away from traditional “security management” and towards a risk-based approach that seeks assurance through continual assessment, an understanding of risk, and how to best manage it. Our approach is designed to improve our resilience and minimise the risk to our business, our customers, and our people.

For more information about our Secure by Design approach, please contact us.