Contributed by Andy Corbett
Andy is a Principal Consultant at Team Defence Information, specialising in cyber security and supply chain resilience. He advises on modernising security frameworks across the UK defence sector and has particular expertise in helping innovative companies scale securely, having guided a defence R&D startup through its growth from 30 to 450 people across six countries while maintaining rigorous security standards.
As UK defence spending rises towards an ambitious target of 2.5% of GDP by 2030, and amid growing pressure on NATO members to increase their defence commitments potentially up to 3%, the UK Government's pledge to direct 33% of procurement to SMEs could represent an unprecedented £20 billion annual opportunity for smaller firms. This is set in the context of an ever more complex geopolitical climate that is driving increased investment in innovation and an urgent need for innovation.
The war in Ukraine has dramatically demonstrated two critical truths: the need to get innovative capabilities into users' hands quickly, whilst maintaining an appropriate level of testing and evaluation of these systems to ensure safety and security before deployment. While Britain's defence innovation legacy was built on transformative government-industry partnerships that delivered game-changing innovations such as the radar and the jet engine, today's battlefield advantages increasingly come from more nimble sources. The challenge is no longer just about breakthrough technology – it's about getting proven innovations into service quickly and securely while maintaining the high standards that complex defence systems demand.
The Secure by Design (SbD) promises to underpin this transition in a world where digitally enabled products must reach users quickly but the information systems must be appropriately protected. By replacing rigid accreditation processes with proportionate, risk-based security assessments, SbD is designed to enable more agile collaboration across the defence enterprise chain while driving more robust and continuously evolving security standards.
This evolution in security thinking concerns more than efficiency, operational advantage, and sovereign flexibility. In an era where technological edge can come from rapid innovation rather than just scale, defence must protect the whole enterprise across the traditional prime contractors, new entrants and their extended supply chains. The core challenge is to harness this innovation while ensuring security remains fundamental rather than becoming a barrier to entry.
Understanding Secure by Design
The concept of SbD is relatively simple. It posits that security requirements are assessed and evaluated from the very start of a project, ideally pre-concept. They are defined to be appropriate and proportionate relative to the project's demands, and they are continually assessed and amended pragmatically throughout life until disposal or destruction.
This differs radically from the accreditation approach that it replaces, where a set of pre-defined requirements must be achieved, often irrespective of their relevance to the project. The traditional approach provided a snapshot in time that takes limited account of system-accredited changes or project requirement changes. The rigid and process-heavy nature of ‘tick-box’ accreditation can also make it very difficult and costly to police.
By opting for a process of proportionate risk assessment, SbD allows the Senior Responsible Office (SRO) to ensure that the security requirements are being considered from the very start of the project, whereas, in the current world, security risks becoming an afterthought or considered in isolation rather than as an integral part of the whole project management piece. Even more critical is that any project or supply chain changes can be identified and responded to ensure that the balance between cost and risk is always known and can be factored into the decision-making process. A ‘one size fits all’ accreditation process can be overly proscriptive, leading to unnecessary costs and still not covering areas of security beyond the scope of the accreditation.
The early stages SbD have been largely well-received by the Defence Supply Chain; it is almost universally recognised that this is the right approach and that the previous accreditation regime hasn’t worked as intended. Inevitably, a cultural shift such as this has presented challenges, not least due to the sheer size of the customer and its supply chain, so a program of orientation and numerous support systems have been put in place to help all parties to transition to a new way of ensuring security throughout the life of a project. As SbD has commenced with new projects, it is also fair to say that we are in the early stages of rolling it out across the Defence Supply Chain. Continuous monitoring and support of MOD teams and suppliers will make the required processes and procedures routine. They will, therefore, make subsequent projects easier to manage, more agile and incur less cost.
Technology as an Enabler
In Ukraine's current situation, the rapid deployment of capabilities has led to significant impacts during the conflict. The sinking of the Russian patrol ship Sergei Kotov by Ukrainian maritime drones offers a stark illustration. A relatively simple innovation – the Magura V5 maritime drone – could strike and sink a 1,300-ton warship near the Kerch Strait. Such asymmetric successes demonstrate how rapidly deploying innovative capabilities can transform modern warfare's dynamics.
Where defence projects once moved at the pace of courier deliveries and physical document transfers, recognised platforms such as Kahootz enable real-time secure collaboration. Teams across multiple organisations can develop, test, and refine capabilities simultaneously – all within pre-assured secure environments that embody Secure by Design principles. A modification that took months to iterate, review, test and implement now can be coordinated across distributed stakeholders in a single space. This is a crucial time as the impacts of technology innovation drives the rate of change to be in days, not years.
The world has moved beyond simple document sharing. By templating workspaces with appropriate security permissions and access controls automatically configured to match project requirements, the administration overhead of innovation can be reduced. Multi-party collaboration that once required months of security arrangements can begin almost immediately, which is critical when responding to urgent operational needs.
The economic implications reinforce this operational agility. For smaller firms with promising capabilities, the traditional approach required significant upfront investment in security infrastructure and accreditation, often delaying vital innovations from reaching the front line. Under Secure by Design principles, using approved collaboration platforms, these barriers virtually disappear.
This value proposition creates a virtuous circle: prime contractors can onboard innovative partners more quickly, SMEs can participate without prohibitive security overhead, and – most crucially – operators and end users get capabilities when needed, not months after the requirement has evolved. Adopting Secure by Design principles across technology and process enables the agile collaboration modern warfare demands while enhancing security assurance.
The Shift From Certification To Assurance
The regime that Secure by Design has replaced was, it is generally recognised, providing levels of security that were inconsistent whilst being resource hungry and allowing for exposure to considerable risk. The process whereby suppliers’ systems had to be registered on DART (Defence Assurance Risk Assessment Tool) had become less effective. A system where every supplier network handling classified MOD Identifiable Information had to be registered by submitting an RMADS (Risk Management Accredited Document Set) which typically ran to 100 or more pages and had to be submitted either through a secure link or by post resulted in an excessive workload for the MOD’s accreditors. Furthermore, the nature of the RMADS as a ‘single point in time’ record of a network meant that it was frequently out of date as soon as it was submitted, due to inevitable upgrades, updates and other changes that the supplier made to their network.
The other significant shortcoming in any accreditation regime is that it sets out a number of clearly defined controls which must be met. These controls may or may not be relevant to a particular project, but under an accreditation regime, they must still be met, adding cost into the contract that may be unnecessary. Furthermore, there may be areas of security that a particular project needs which aren’t covered within the scope of the accreditation, so the exposure to risk is significantly increased. Finally, with the issue of a certificate, there is a danger that an attitude of ‘job done’ is taken and security falls off the agenda. With Secure by Design, security is tailored to the needs of the project and continually assessed, reducing both risk and un-necessary resource time and expense.
Typically, the need to meet requirements as a result of Secure by Design – or any other security requirements on a business – has a greater impact on resource and cost for smaller businesses. As a result, it is possible that Small and Medium Enterprises (SME’s) may find that the additional costs and demands on employee time when meeting the needs of Secure by Design present a significant challenge. It will be important for SME’s to ensure that the requirements of meeting Secure by Design are factored in at the bid stage of any contract, and that they are confident that they will be able to meet the requirements as a result. Typically, however, with the right systems, policies and processes in place, they will be better equipped to bid on and deliver subsequent contracts as a result of this initial activity.
Overall, it is thought that Secure by Design – although having the potential to require greater financial and resource demands up front – will, over the period of the contract, deliver better value and greater security at a lower overall cost. The aim is to deliver greater efficiency, and better value to the UK taxpayer while improving security to ensure the UK’s assets are protected.
Creating New Partnership Models
The success of innovative systems against conventional forces is rarely about technology in isolation, it is about the surrounding processes and infrastructure that accelerate that technology to where it is needed. Britain's defence industrial base is rising to the challenge, the Secure by Design principles are one example of how innovations in process can enable new forms of collaboration between organisations and the MOD.
These new partnership models are transforming how defence capability is delivered. A small innovator can now directly collaborate with multiple prime contractors on sensitive projects without first investing in extensive security infrastructure. Instead, innovative toolsets like Kahootz, where security controls are designed in from the start and scaled according to each project's specific needs, enable organisations to focus on their areas of expertise. What once required months of security audits and accreditation can now be achieved in weeks through pre-approved secure collaboration environments.
This ultimately means access to a wider pool of innovation and expertise for those that require it. For SMEs and larger organisations alike, it accelerates opportunities to contribute to defence capabilities without prohibitive overhead costs. Most importantly, for defence users, it means faster access to the capabilities they need to maintain an operational advantage in an increasingly contested world.
Conclusion
As Britain's defence budget moves to meet the growing threat, the successful acceleration of innovation to the end user will be crucial to maintaining operational advantage. The Secure by Design approach offers a template for achieving this by replacing rigid security barriers with proportionate, risk-based controls that enable rapid yet secure collaboration.
Britain's defence establishment appears to be absorbing the lessons hard learned by our allies. Embracing Secure by Design principles and modern collaborative working environments (CWEs) forms a small but critical enabler for innovative solution to contribute to national security while maintaining essential security standards. The race is now on to maximise the UK’s ability to turn innovation potential into deployed capability.
