Secure by Design: where we are now – the requirement for evidence
News and information from the Advent IM team.
Secure by Design is growing up. Quietly. Relentlessly.
A couple of years ago, “Secure by Design” was often treated like a well-meaning poster on the wall. Useful, yes. Enforced, not always. That has changed.
Across the UK government, Secure by Design is increasingly how teams are expected to show that security is built into the design, delivery, and change of services. In Defence, Secure by Design is a through-life requirement that treats cyber risk as operational risk, with consequences that are not just financial or reputational. In policing, Secure by Design is becoming the difference between a service that supports public safety and one that becomes a liability during a major incident, investigation, or disclosure process.
Same phrase. Different operating environments. Same core idea. Security is not a phase at the end. It is a property of the whole system.
The most important shift is not the wording of the principles. It is the mechanism around them.
Secure by Design is increasingly tied to how public sector organisations justify decisions, obtain approvals, buy technology and onboard suppliers. That matters because it moves security from “recommended” to “evidenced”. If you have ever watched a programme team scramble to explain logging, admin access, supplier connectivity, or where the data actually lives, you will understand why this shift is welcome. It forces the uncomfortable questions to be asked and answered early, while the answers are still cheap to act on.
This also changes the posture of assurance. Not everything becomes a full audit. Instead, the expectation becomes something more grown up and more persistent: show your working. Show your decisions, your trade-offs, your residual risk, your ownership, and the evidence that your controls exist and are used.
That is GRC in its natural habitat. Not paperwork for its own sake. Traceability for real-world decisions.
In central government, Secure by Design is intended to make security normal. The focus is on building and changing digital services safely, in a way that is repeatable across departments and arm’s length bodies. The biggest practical impact is that Secure by Design becomes part of how teams demonstrate readiness during spend controls and procurement. That means design choices, supplier choices and architecture choices increasingly have to be defensible, not just technically plausible.
In Defence, Secure by Design is closer to engineering discipline than compliance exercise. It assumes systems will be targeted, that supply chains will be pressured, and that operational requirements do not pause for patching windows. It also assumes that cyber risk can translate into mission risk. The result is a stronger emphasis on through-life security, assurance throughout delivery, and supply chain engagement that goes beyond a questionnaire.
These approaches are aligned, but they are not identical. Treating them as identical is where people get hurt, metaphorically and sometimes literally.
Policing sits in a particularly awkward intersection.
Police forces operate essential services, handle highly sensitive data, and rely on a complex ecosystem of partners. They also work under intense scrutiny. A government department might recover from a service outage with political embarrassment. A police force might recover with a live investigation compromised, officer safety impacted, or public trust damaged.
Policing technology is also a patchwork. Legacy systems, specialist platforms, outsourced services, third-party hosting, mobile devices, body-worn video, case management, digital forensics, control rooms, and collaboration tooling. Add the Criminal Justice ecosystem and you get a large, interdependent landscape where one weak integration can become the pathway into something far more sensitive.
Secure by Design in policing therefore tends to be less about producing a pristine set of design documents and more about establishing control where complexity has piled up over time. Identity and privileged access, device hardening, supplier connectivity, segregation of sensitive environments, robust logging, incident response that works at 3am, and change control that does not rely on one heroic individual.
It is not glamorous. It is what keeps the wheels on.
If there is one area where Secure by Design stops being theory and starts being reality, it is third-party risk.
Public sector delivery today is delivery through suppliers. Platforms, hosting, support, integration partners, niche specialists, managed services, software vendors, even “tiny” providers that have admin access. A single supplier relationship can quietly become a high-trust connection into a high-impact environment.
Secure by Design pushes organisations to treat supplier access as part of the system, not something bolted on. It asks: what access does the supplier have, how is it controlled, how is it monitored, how quickly can it be removed, how is data separated, what evidence exists that the controls work, and what happens when those controls fail?
For MoD suppliers, this is the heart of the matter. You are not only protecting your own organisation. You are protecting the Defence ecosystem that you plug into. For policing, the same principle applies. A supplier that is “only providing a service desk” may also hold the keys to remote access, admin accounts, or log pipelines. Those are not minor details.
Secure by Design makes these relationships explicit, and that is exactly why it is uncomfortable. It removes the fog where risk likes to hide.
Common failure modes we see in the wild
Most Secure by Design problems are not caused by a lack of security tools. They are caused by uncertainty and assumptions.
Teams assume they know where data is stored, until a supplier changes sub-processors. Teams assume logging is in place, until they need it and discover it was never enabled on the right systems, was not retained long enough, or could not be accessed during an incident. Teams assume privileged access is controlled, until they find shared admin accounts and undocumented “break glass” shortcuts. Teams assume risk acceptance is a formal decision, until they discover that nobody is comfortable owning it.
Secure by Design is, in practice, a programme of reducing “assume” and increasing “evidence”.
How we support police, MoD suppliers and government organisations
Support needs to match the environment. The trick is to be rigorous without slowing delivery into paralysis.
For government teams delivering digital services, we typically focus on building a practical evidence pack that maps to Secure by Design expectations while staying integrated with delivery. That usually includes a clear ownership model, threat modelling that is actually used, architecture and data flow clarity, and a set of security “non-negotiables” for identity, logging, secure configuration, vulnerability management, and incident response. We also help translate Secure by Design into procurement language so that supplier bids include meaningful commitments rather than generic reassurance.
For MoD suppliers, the emphasis is on through-life assurance and supply chain control. That means building security into the delivery lifecycle, making security testing continuous, and ensuring the organisation can demonstrate control of its own suppliers. We also support teams in designing governance that works in Defence reality, where programmes evolve, interfaces change, and security must remain valid over time. The goal is not only compliance with Defence expectations. It is operational resilience under pressure.
For police and policing partners, the priority is usually rapid risk reduction across complex estates. That can mean tightening privileged access and remote connectivity, improving detection and response capability, and reducing exposure from third-party integrations. It can also mean designing practical decision trails that stand up to scrutiny, particularly where data handling and disclosure obligations are in play. The objective is to support frontline outcomes by making the underlying systems more trustworthy, more predictable, and easier to defend.
Across all three, our role is often to act as the translator between “security intent” and “delivery reality”. We help teams turn principles into implementable controls, and controls into evidence that can survive assurance and procurement pressure.
The temptation is to treat Secure by Design like a one-off initiative: write the documents, pass the gate, move on. That does not hold up anymore, not with modern threat actors and not with modern supply chains.
Secure by Design works best when it becomes a capability. A normal way of working that persists through change, staff turnover, supplier churn, and new programmes.
The counter-intuitive truth of 2026 is that the organisations that do this well will move faster, not slower. They will spend less time arguing about ambiguity, less time responding to preventable incidents, and less time doing emergency retrofits that cost ten times what they would have cost at the design stage.
Security is not a tax on delivery. In the public sector, it is part of service reliability, public trust, and national resilience.
And yes, sometimes it is the thing that stops a bad day becoming a national headline.
Ellie Hurst, Commercial Director, Advent IM