Defining Security by Design

In the previous steps Security by Design was described as the design and development of online products and services to build in security from the very beginning to reduce the likelihood of flaws that might compromise information security. However, there is no uniformity of wording around the definition of Security by Design.

According to Joinup (the European Union’s one-stop shop for interoperable, open and free digital government ICT solutions), Security by Design is built on the fundamental idea of having security built into an online product or service by design, instead of being added on later by third party products and services.

Ernst & Young looks at Security by Design from a risk-based perspective as an approach to cyber security that builds in risk thinking from the onset of a project. They define Security by Design as an:

“approach that builds cybersecurity into any initiative from the onset, rather than as an afterthought, enabling innovation with confidence. It is a strategic and pragmatic approach that works across all parts of the organization. Security by Design remains in the initiative’s lifecycle to help with the ongoing management and mitigation of security risks.” (EY Global, 2020).

Meanwhile, the industry generally takes a project-based view of Security by Design as an approach that factors in cyber security at the inception of technology transformation projects by building security into the software development lifecycle.