Can society afford to rely on security by afterthought not design?

On 18th October, when the Government launched its security strategy, the Home Secretary, Theresa May, argued that attacks on computer networks are among the biggest threats to the UK. On 20th October the spending review announcement included an increase in the cybersecurity budget. Those attending the launch of the “Security by Design” report from the Information Society Alliance (EURIM) this evening will be told that we have to make much better use of the funds available. We can no longer afford to treat security as an afterthought: not only is it more expensive, it does not work.


The main points of the report are:


· Society is increasingly reliant on complex online systems and vulnerable to online risks and threats. Security has to be built in from the start if it is to be affordable and effective.

· Government, regulators and professional bodies have important roles, but the key to changing market behaviour is better practice in design and procurement. Government’s main contribution should be as a more intelligent customer.

· Convergence, increased system complexity and the transition towards new online business models, such as cloud computing, present risks that cannot be resolved by security provided as an afterthought.

· The UK Government, its security advisors and the providers of ICT services must play a leading role in agreeing common approaches that will change market behaviour.

· The formation of government and regulatory policies should involve trade associations, professional and academic bodies, and should also be peer reviewed by practitioners, including those with responsibility for delivery, operations and monitoring.


The Alliance is also due to announce plans to follow up the report with exercises on “good practice in security procurement, including the procurement of advice” and on “the supply of security skills, including training and accreditation, at all levels”. I trailed the latter exercise in my blog yesterday.


The report was produced by a working group chaired by Carlos Solari (CIO of The White House 2002-05, now with CSC). The vice-chairmen included John Bullard (IdenTrust), Richard Goodall (EADS) and Paul Wilson (DeLaRue). The contributors and reviewers included representatives from Alcatel-Lucent, BCS, EADS, Fujitsu, IBM, IET, IISP, ISACA, ISC2, ISSA, Jericho Forum, Logica and UK Payments. The drafts were circulated to observers, including those in the Cabinet Office, CESG, CPNI and OGC.