The Ministry of Defence (MOD) recently published a document on 'Secure by Design' challenges that represents something we rarely see in government cybersecurity: a transparent acknowledgment of the complexities involved in implementing security from first principles.
Secure by design is a fundamental approach that embeds security into systems from the very beginning of the design process as opposed to treating it as a bolt-on feature later in development.
Having spent years advocating for the human element in security, it's refreshing to see an official recognition that technical controls are only as effective as the people implementing them.
Lead security awareness advocate at KnowBe4.
Addressing the Security Skills Challenge
The MOD's first identified problem is "How do we up-skill UK defense in 'Secure by Design'?"
Their acknowledgment that effective implementation requires a "one team" approach across UK defense reflects the reality that security cannot be siloed within technical teams.
This aligns perfectly with what I've observed in organizations with mature security cultures—security becomes everyone's responsibility, not just the security department's concern.
The Knowledge Distribution Problem
Perhaps most intriguing is problem two: "How does 'Secure by Design' account for unevenly distributed information and knowledge?"
The MOD correctly identifies that information asymmetry exists for various legitimate reasons. What makes this assessment valuable is the recognition that not all information-sharing barriers stem from poor security culture; some exist by design and necessity.
Imagine a family planning a surprise birthday party for their grandmother. Different family members have different pieces of information that they intentionally don't share with everyone:
The daughter knows the guest list and has sent invitations directly to each person, asking them not to discuss it openly on family group chats,
The son has arranged the venue and catering, with specific dietary requirements for certain guests,
The grandchildren are handling decorations and have a theme they're working on,
And most importantly—nobody tells grandmother anything about any of this.
This isn't because the family has poor communication skills or doesn't trust each other. These information barriers exist by design and necessity to achieve the goal of surprising grandmother. If everyone shared everything with everyone else, the surprise would be ruined.
The MOD's approach
In the MOD's security context, this is similar to how:
Certain threat intelligence can't be shared with all suppliers because doing so might reveal intelligence-gathering capabilities,
Suppliers can't share all their proprietary technology details even with clients like the MOD, as they need to protect their competitive advantage,
Specific security controls might be kept confidential from general staff to prevent those controls from being circumvented.
These aren't failures of security culture—they're intentional compartmentalization that sometimes make security work possible in the first place. The challenge isn't eliminating these barriers but designing systems that can function effectively despite them.
This reflects the nuanced reality of human behavior in security contexts. People don't withhold security information solely due to territoriality or negligence; often, legitimate constraints prevent the ideal level of transparency. The challenge becomes developing systems and practices that can function effectively despite these inherent limitations.
The Early Design Challenge
The third problem addresses a familiar paradox: how to implement security at the earliest stages of capability acquisition when the capability itself is barely defined.
In other words, it's like trying to build a high-tech security system for a house when you only have a rough sketch of what the house might eventually look like - you know you need protection, but it's difficult to plan specific security measures when you're still deciding how many doors and windows there will be, what valuables will be stored inside, or even where the house will be located. As the MOD puts it, at this stage a capability might be "little more than a single statement of user need."
This connects directly to how humans approach risk management. When primary objectives (delivering military capability) compete with secondary concerns (security), practical compromises inevitably emerge. The MOD's candid acknowledgment that "cyber security will always be a secondary goal" reflects a pragmatic understanding of how priorities function in complex organizations.
Through-Life Security
Problem four addresses perhaps the most demanding human aspect of security: maintaining security rationale and practice across decades of a capability's lifespan. With defense platforms potentially remaining operational for 30+ years, today's security decisions must make sense to tomorrow's engineers.
The question of continuous risk management becomes particularly relevant as organizations encounter new threats over their extended lifespans. How human operators interpret and respond to evolving risk landscapes determines the long-term security posture of these systems.
Building a Collaborative Security Culture
The MOD recognizes that 'Secure by Design' implementation isn't merely a technical challenge but fundamentally about collaboration among people across organizational, disciplinary, and national boundaries.
The MOD's approach suggests a shift toward a more mature security culture — one that acknowledges limitations, seeks external expertise, and recognizes the complex interplay between human factors and technical controls. Their openness about needing help from academia and industry demonstrates a collaborative mindset essential for addressing complex security challenges.
This collaborative approach to security culture stands in stark contrast to the traditional government tendency toward self-sufficiency. By explicitly inviting external perspectives, the MOD demonstrates an understanding that diverse viewpoints strengthen security posture rather than compromising it.
Security isn't about having all the answers—it's about creating the conditions where people can collaboratively develop appropriate responses to ever-changing threats.
We've compiled a list of the best identity management software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.