Skills your team needs to implement Secure by Design

Does your team have the skills to implement Secure by Design? Here’s how to find out.

Secure by Design is more than a single concept; it’s a comprehensive approach that requires a broad set of general and specialised skills applied across the entire product development lifecycle.

Here are some of the key activities involved, with an outline of the skills needed to execute each successfully.

01 – Threat assessment

To defend against potential attacks, your team must first understand the threat landscape. This requires skills in researching possible threat actors, such as cybercriminals or internal risks, and analysing their motivations and capabilities. Proficiency here supports the proactive approach needed for Secure by Design, helping your team gauge the severity of various threats and prioritise security efforts effectively.

Can your team:

  • Research and identify potential threat actors relevant to your product or service.
  • Understand the motivations, intentions, and capabilities of these threat actors.
  • Analyse the threat landscape and stay up to date with emerging threats.
  • Classify and prioritise threats based on their severity.

02 – Threat modelling

This technique, which involves identifying vulnerabilities in your service and anticipating potential exploitation methods, requires technical expertise and knowledge of potential attack vectors, as well as familiarity with specific tools like OWASP Threat Dragon. Your team should be able to think like an adversary and design security controls that address vulnerabilities from the outset.

Can your team:

  • Understand the system architecture and data flows of the product or service.
  • Identify potential attack vectors and vulnerabilities.
  • Simulate attacks to evaluate how threat actors could exploit weaknesses.
  • Assess the effectiveness of security controls in mitigating identified threats.
  • Use structured threat modelling tools and techniques such as OWASP Threat Dragon, data flow diagrams (DFDs), or attack trees.

03 – Risk assessment

Before you can manage risk, your team must be skilled at assessing it. This involves understanding the potential impact and likelihood of security incidents, assessing vulnerabilities, and consistently applying a risk assessment methodology. Having these skills on your team ensures that security measures are applied where they matter most.

Can your team:

  • Identify and document product or service assets.
  • Assess the importance of these assets and the potential impact of compromise.
  • Analyse the likelihood of threat events occurring.
  • Evaluate vulnerabilities in relation to potential threats.
  • Apply a consistent risk assessment methodology such as FAIR or NIST RMF across teams.

04 – Risk management

Effective risk management, applied from the start, is crucial to Secure by Design. Once risks are assessed, your team should have the capability to select and implement appropriate controls and monitor their effectiveness. Familiarity with organisational risk management frameworks and policies is essential here, as is the ability to document risk treatment plans thoroughly.

Can your team:

  • Understand the organisation’s risk management framework and policies.
  • Develop and implement a risk treatment plan.
  • Select and apply appropriate security controls to mitigate risks.
  • Continuously monitor the effectiveness of risk mitigation strategies.
  • Maintain risk assessments and treatment plans in a risk register.

05 – Security architecture

Building secure systems requires an understanding of security best practices and how to incorporate them into foundational design. Security architecture skills ensure that security controls (e.g. access control, encryption) are built into the service from the start, making it resilient and secure by default.

Can your team:

  • Apply Zero Trust principles to security design.
  • Design and implement secure-by-default system architectures.
  • Integrate security controls (e.g. access control, encryption) into infrastructure.
  • Regularly review security architecture for compliance with best practices.
  • Stay updated with emerging security frameworks like TOGAF Security Architecture or SABSA.

06 – Secure development and deployment

One of the fundamental tenets of Secure by Design is that security is not a post-production add-on; it must be embedded into the development process. Your team should be adept at secure coding practices (greatly supported by secure coding tools), code reviews, and security testing. Understanding where automation can play a role is also a valuable skill.

Can your team:

  • Follow secure coding practices and conduct regular code reviews.
  • Implement security testing throughout the development lifecycle.
  • Automate security checks in CI/CD pipelines to detect vulnerabilities early.
  • Use Software Composition Analysis (SCA) tools to check for vulnerable dependencies.
  • Apply secure deployment practices to minimise the attack surface.

07 – Vulnerability management

Identifying, assessing, and mitigating vulnerabilities is an ongoing process that should start early. Your team should be skilled in using vulnerability scanning tools and maintaining a register for tracking and remediating these weaknesses, ensuring continuous improvement of your security posture.

Can your team:

  • Use vulnerability scanning tools to detect weaknesses in infrastructure and applications.
  • Assess vulnerabilities using CVSS scoring to prioritise remediation efforts.
  • Develop and maintain a structured process for remediation and tracking.
  • Maintain an updated vulnerability register to track and resolve risks efficiently.
  • Stay informed about emerging vulnerabilities and security patches.

08 – Security testing

Conducting regular (not just annual) security tests, such as penetration tests, is essential for identifying issues before they can be exploited. This requires both planning skills and the technical ability to simulate real-world attacks, analyse results, and adjust security controls accordingly.

Can your team:

  • Plan and conduct regular penetration tests to identify real-world vulnerabilities.
  • Perform code analysis to detect security flaws at an early stage.
  • Use automated security testing tools to enhance coverage and efficiency.
  • Analyse and report on security testing results to drive improvements.
  • Consider bug bounty programs or red teaming exercises for deeper security validation.

09 – Observability management

Observability is crucial for proactive threat detection and response. Your team should be able to collect and analyse logs, metrics, and alerts, using the data to continuously monitor for suspicious activities.

Can your team:

  • Implement SIEM (Security Information and Event Management) tools to collect security data.
  • Monitor logs, alerts, and metrics for suspicious activity.
  • Analyse security data for proactive threat detection and incident response.
  • Establish clear procedures for responding to security alerts and anomalies.
  • Ensure secure storage and management of security observables.

10 – Communication and collaboration

Clear communication and effective collaboration are the glue that holds Secure by Design together. Your team should be able to articulate security requirements and findings clearly, work collaboratively with stakeholders, and engage management for support.

Can your team:

  • Clearly communicate security requirements and risks to stakeholders.
  • Foster collaboration between development, operations, and security teams.
  • Ensure security findings are well-documented and shared effectively.
  • Provide regular security awareness training for employees.
  • Engage senior management to secure buy-in and resources for security initiatives.

By auditing your team’s skills against these areas, you’ll be better equipped to identify any gaps and develop a roadmap for adopting Secure by Design practices effectively.

Posted 29 Jan 25

Logical Peak Ltd. ©