Secure by design: lessons from the MoD on innovation and cultural change

As more serious public sector hacks hit the headlines, Hugh Tatton-Brown, head of cyber strategy and architecture at the Ministry of Defence, discusses the urgent need for businesses to take the government’s lead and stop embracing quick fixes


The public sector can get a bad rap about innovation. “Move fast and break things” is a motto that cannot apply when spending taxpayers’ money. But, says Hugh Tatton-Brown, head of cyber strategy and architecture at the Ministry of Defence, this risk-averse attitude doesn’t extend to the department where he works. 

“The MoD is the ultimate fail-fast organisation,” he says. “When it tests real-world outcomes, it’s one of the few places which lets things be blown up.” 

And Tatton-Brown would know. His background in the Royal Navy and then at BT, eventually as the CISO of BT Defence, makes him well-placed to understand the threats both business and the country face and the best ways to combat them. And these threats are only getting more challenging. 

Earlier this year, cyber attacks on the Police Service of Northern Ireland and the UK’s electoral register had potentially devastating consequences. Can businesses in the private sector learn from instances like those?

Can the private sector learn from public-sector hacks?

“Big public hacks are useful examples of what attackers can and will do,” says Tatton-Brown. “But the challenge is that we can overlearn or overfocus on them.” Broadly, he explains, attacks occur for the same three reasons: someone has not designed something in a secure way; someone has done something inadvertently; or someone has maliciously tried to break into something. 

“Cybercrime is a way to get information or disrupt operations. It’s the same as breaking a window to get into a house,” he says. “What’s different is the speed and the distances from where the attacks can be made.” 

Focusing on individual high-profile attacks to try to stop a similar event can take up too much time – and attackers will always find new techniques to smash glass or new windows to enter through. 

A better way to protect your business, Tatton-Brown believes, is to embrace an approach called secure by design. This is the principle of building security into any system or software so that it is embedded. 

The UK government has drawn up a framework of 10 principles for cyber security, which are based on National Cyber Security Centre (NCSC) recommendations. These include appointing a business-risk owner for every service throughout its life, designing flexible architectures that allow new security controls to be integrated, and ensuring that controls are simple to use. “You need to make the right thing to do the easy thing to do,” says Tatton-Brown. 

If you retroactively add anti-risk elements to a system, people will simply look for a way around them, he says. The best practice is to build in security in such a way that it can’t be bypassed and the software is easy and convenient to use. 

Can any organisation embrace secure by design?

This is all well and good when designing services from scratch, but how practical is it for organisations that already have systems up and running and don’t have the time or budget to dismantle them?

“This is why the digital world is so exciting,” says Tatton-Brown. “It’s constantly evolving, so you have to make changes. And when you do, you might not be replacing everything but when you deliver a new feature, you can make sure you have thought about securing it.” 

Businesses need to review how their capabilities are changing, and this brings an opportunity to rethink systems – or even parts of systems – and build them better. “It’s about thinking about security upfront, in the same way as you think about cost, or health and safety, or your customers.”

This requires a significant cultural change. “Security doesn’t need to be your top priority,” he explains. “But you should make active decisions so that if you are not going to make something secure, you know why.” 

The key to this is to think like an attacker. Beyond designing tools that ought to be secure, security leaders need to work out what someone could do if they didn’t use a system or software correctly. 

For Tatton-Brown, this not only means considering those who are liable to make innocent mistakes using technology, but also those at the other end of the scale. “The innovative people who are trying to do things more efficiently, and one of the best ways to do that is to hack the tools they’ve got to do things faster and more easily,” he says. These are often employees looking to do their best work, and so should be enabled to streamline processes rather than discouraged from doing so.

“Is it easy? Straightforward? No. Cultural change never is. This is not about the technology itself – there’s no silver bullet. It’s about how you can change the way people think,” says Tatton-Brown. 

Hacking the UK’s cybersecurity skills gap

This may require overhauling how you train and improve staff skills. But it could also mean simply sticking to your guns. Cultural change can take years, notes Tatton-Brown. “Just continue to do it. Continue to change. Perhaps your training hasn’t landed yet,” he advises.

Tatton-Brown points to the enduring lack of cybersecurity skills in the UK. The first problem, he says, is that many candidates might be put off by a perception of the cybersecurity industry. “There’s an idea that you need to be like the supergeek character you see on TV. A white man, in his late 20s, who has no friends and sits with 14 screens around him. That’s not the reality,” he explains. He is clear that the industry needs more diversity. “We need people who think differently. We need people from different backgrounds and cultures.”

He encourages businesses to look beyond tech solutions for cybersecurity, to the people and processes that can help make secure by design the default way of working. If organisations hire people with inquisitive minds and a readiness to learn, it’s easy to train them.

Most important of all, for Tatton-Brown, is that organisations continue to commit to improving from a cybersecurity perspective. “In 10 years’ time, we can’t still be talking about patching things,” he says, echoing NCSC chief Lindy Cameron from this year’s CyberUK event. “We can’t still be talking about vulnerabilities which were designed as features years ago. We’ve got to do something fundamentally different.” 

Making security, rather than cost, the first priority when considering a firm’s tech stack is certainly that.