Involve the right people
Your team is responsible for the security of your capability or service.
Agree who does what
Everyone in your team needs to keep your capability or service secure. Some people have specific roles. You need to decide who is responsible and accountable for Secure by Design activities.
For example, developers are responsible for writing secure code. A delivery lead makes sure developers have the skills and time to write secure code. The delivery lead is accountable.
You can check GOV.UK guidance on roles and responsibilities. The guidance includes a template.
Know who your stakeholders are
Make a list of the people and organisations you need to keep updated on security.
You need to include the Senior Responsible Owner (SRO) for your capability or service. This is often a high-ranking person.
Inside the Ministry of Defence, your stakeholders can include:
- top level budgets
- sponsors
- governance boards
- MOD stakeholders and reliant partners
Outside the Ministry of Defence, your stakeholders can include:
- suppliers
- customers
- other government departments
- regulatory bodies, for example the Information Commissioner's Office
Check the skills in your team
Consider what skills you need on the team to keep your capability or service secure. For example, you might need someone on your team who can:
- identify security risks
- suggest how to mitigate security risks
- advise on your team's approach to security
The kind of experience this person needs depends on your capability or service. For example, if you plan to use cloud technologies you need someone in your team who understands the risks of using cloud.
You can check how GOV.UK describes security roles.
Finding people
Talk to your commercial team about getting someone with security experience. Ask them if you can use existing services, including:
Published August 2024