Outline Secure by Design Communication Plan
How to inform and engage colleagues within your organisation during the implementation of Secure by Design.
This guidance is for Secure by Design champions, working groups, and their internal communication teams. It includes example communication activities that can be adapted to raise awareness and understanding of Secure by Design.
Key considerations
Before you begin, there are various elements you should consider.
Communication and engagement objectives
These may include ensuring people know:
- why Secure by Design is being implemented
- how it will impact them
- what they need to do
- when they need to do it
- where they can find further information
Other goals might include driving collaboration between teams (including delivery and security) and giving opportunities to provide feedback so questions can be addressed and the approach can be improved.
Support and advocacy
Establish which colleagues from communication, training and security teams you need to help you develop and deliver this activity. Senior-level advocates such as your CDIO, CTOs and CISO (or equivalents) should also be enlisted to deliver your messages with the authority needed to drive adoption.
Audience alignment
Identify who you need to communicate with and consider why they are important, what they need to know and what behaviours and actions you need to drive. The example RACI matrix outlines which roles might be affected by each part of the approach.
It’s important to establish how to position Secure by Design alongside your existing activities on cyber security, risk management, digital transformation and other relevant areas when engaging with various audiences.
Some of the people you need to engage with include:
- your Permanent Secretary or equivalent, COO and other members of your executive team
- senior functional leaders including CDIOs, CTOs, CISOs (or their equivalents)
- Senior Responsible Owners (SROs), service owners and product owners
- project managers, delivery managers and digital and data teams
- colleagues from cyber security, risk management and assurance
- commercial, procurement, finance and auditing teams
- suppliers
Channels and resources
Use a combination of tactics such as show and tells, webinars, newsletters, blogs and your intranet to ensure all relevant colleagues receive your messages. Prioritise face-to-face communication where possible so you can gauge reactions and respond to questions.
The example communication plan below includes links to various examples and templates – see the Secure by Design Communication Toolkit for a full list of available resources. These should be modified to reflect the branding and tone used in your regular communication.
Contact secure-by-design@digital.cabinet-office.gov.uk if you require support adapting these or have ideas for additional resources.
Insight and evaluation
Determine which tools you could use or create (such as staff surveys or focus groups) to research your audiences and measure the success of your activities.
The OASIS framework published by the Government Communication Service provides a useful structure for delivering an effective, efficient and evaluated campaign.
Example Communication Plan
These suggested activities are designed to align with the implementation phases (preparation, transition and operation) outlined in the Guide to adopting Secure by Design.
The plan covers suggested audiences, goals, key messages and channels, but does not specify the exact timing, frequency or ownership of each type of communication. Each organisation will need to establish these for itself.
Some messages can be applied across government, while others will need to be adapted to be organisation-specific. Plan in advance so communication can be staggered appropriately, creating momentum as you progress towards the implementation deadlines.
Initial activities (aligns with the Secure by Design ‘Preparation’ phase)
Target those who can drive the required cultural change, including members of your executive team such as a CEO or Permanent Secretary, COO, Directors and Deputy Directors. Leaders of functional areas within the organisation, including CDIOs, CTOs and CISOs, should also be covered, as well as SROs and service owners.
Suggested objectives:
- Ensure stakeholders are aware of what Secure by Design is, how it will impact the organisation, and the benefits
- Ensure stakeholders understand how Secure by Design is being implemented and what the milestones are
- Help leaders understand their role in advocating Secure by Design and any actions they should take
- Share details of the organisation’s Secure by Design champion and working group members
Suggested messages:
- Secure by Design is a cross-government approach to increase cyber resilience by building risk-driven cyber security into new digital services.
- Secure by Design is mandatory for central government departments and arm’s length bodies, and optional for other parts of the public sector.
- It applies to new services and projects (and significant changes to existing projects) which are required to pass through the Cabinet Office digital and technology spend controls approval process.
- Overall accountability for the adoption of Secure by Design should lie with a CDIO (or equivalent) who oversees digital strategy, transformation and delivery.
- Success will depend on a significant culture change, where security is considered throughout digital delivery and there is timely and effective collaboration between delivery, security and other teams.
Example methods:
- Written briefings – adapt the Secure by Design Factsheet to get across essential information.
- Presentations – tailor the Secure by Design Presentation slides so they are relevant to senior leaders, using governance forums and one-to-one meetings to reach the necessary individuals.
- Messaging tools – use management-specific channels (if they exist) or direct messages to distribute the Secure by Design for Senior Leaders video and respond to queries using the Secure by Design Q&A.
Target the people who can actively put the necessary processes and procedures in place to implement Secure by Design, including service and product owners, delivery managers, and those leading digital and data, security, and commercial teams.
Suggested objectives:
- Share the mandatory and recommended elements of the Secure by Design approach
- Explain what projects the policy applies to and how it will be monitored
- Explain how you plan to progress the implementation of Secure by Design
- Outline the potential impacts of Secure by Design on ways of working
- Encourage collaboration between teams
- Provide an opportunity for team leaders to ask questions and give feedback
- Identify what training and resources may be required across the organisation
Suggested messages:
- Secure by Design highlights cyber security risks as delivery and business risks, making risk management everyone’s responsibility within the delivery team.
- Teams should consider security during the initial stages of projects, and throughout the entire digital delivery lifecycle.
- Secure by Design provides a way for security experts to support and advise delivery and commercial teams to develop appropriate and proportionate security practices.
- The Secure by Design principles are a mandatory requirement to be met by projects – following the best practice in the recommended activities will help teams to achieve the desired outcomes.
- Guidance has been developed to help plan resources, including an example RACI matrix that provides an overview of the roles and responsibilities that could be involved in Secure by Design activities.
- Following the successful implementation of the principles, Secure by Design should become a natural part of the delivery lifecycle, rather than a resource-heavy process.
- The digital and technology spend control process will be used to check Secure by Design adoption – it is the responsibility of project and delivery teams to monitor whether they are meeting the required cyber security standard.
Example methods:
- Personal emails – use the About Secure by Design video and information in the Secure by Design Factsheet to introduce the approach and invite team leaders to discuss how it affects them.
- Presentations – tailor the Secure by Design Presentation slides to be relevant to team leaders, inviting them to show-and-tell sessions or one-to-one meetings to share the information. Use the Secure by Design Quiz to ensure the necessary information has been understood.
- Messaging tools – follow up presentations with information from the Secure by Design Q&A that’s most relevant to your organisation, prompting further discussion to help inform your transition plan.
The leaders of the areas most heavily affected by Secure by Design should be sharing necessary information with their teams, but there is still a need for people across the whole organisation to be aware of the approach and how it affects them.
Suggested objectives:
- Create a consistent understanding and appreciation of Secure by Design
- Explain the impact Secure by Design may have on particular teams or individuals
- Share details of how the organisation plans to implement Secure by Design
- Explain how the approach aligns with the organisation’s other initiatives
- Provide an opportunity for colleagues to ask questions or give feedback
Suggested messages:
- Secure by Design is for anybody in government involved in the delivery of digital services – it is designed to make cyber security everyone’s collective responsibility.
- Part of the Secure by Design policy is to mitigate security risks associated with using third-party products and ensure suppliers meet the relevant security obligations, regulations, and industry security standards.
- Relevant elements of Secure by Design will be included as part of the Service Standard and Service Manual, which will help teams going through this process ensure they’re meeting the required criteria.
- A Secure by Design champion has been appointed to drive implementation – they are being supported by a working group who will be encouraging collaboration and knowledge sharing across the organisation.
Example methods:
- Newsletters and blogs – adapt the example Secure by Design articles, including quotes from senior advocates within your organisation to give it the necessary authority.
- Training sessions – tailor the Secure by Design Presentation slides to be relevant to your organisation, and use the Secure by Design Quiz to ensure the necessary information has been understood.
- Team meetings – reference Secure by Design in standups and other regular meetings, helping establish it as part of the project delivery lifecycle.
- Messaging tools – use existing channels (or set up a dedicated one) to field questions on the approach, using the Secure by Design Q&A to provide consistent answers.
- Intranet – publish the About Secure by Design video, Secure by Design Factsheet and other relevant documents (such as your transition plan) so information is accessible to teams across your organisation.
A series of webinars is in development aimed at those working in various roles and teams to explain their relationship to Secure by Design. To find out when these will be available and to express your interest, email secure-by-design@digital.cabinet-office.gov.uk.
Ongoing activities (aligns with the Secure by Design ‘Transition’ and ‘Operation’ phases)
Suggested objectives:
- Provide detail of the practical elements of Secure by Design
- Ensure everyone is aware of their role and responsibilities for the pilot scheme
- Share details of the pilot scheme scope and timelines
- Ensure processes are followed as expected and identify problem areas
- Provide opportunities for those involved to share feedback
Suggested messages:
- Every team is different and the roles and responsibilities related to Secure by Design need to be adapted to reflect the internal structures, processes, governance, culture and resources.
- The Secure by Design self assessment tracker should be managed by a delivery or project manager. They should include completion of the tracker within their regular processes, collaborating with the relevant internal colleagues to answer each question and collect the necessary evidence.
- The most important element of the pilot process is to gather information. This should cover what has worked as well as what hasn’t so improvements and solutions can be devised.
Example methods:
- Training sessions – target roles and teams with specific content so they can understand where they fit into Secure by Design. Provide a walkthrough of tools such as the example RACI matrix, example security controls taxonomy, and the Secure by Design self assessment tracker.
- Team meetings – use these as an opportunity to share information and receive updates on progress towards the objectives of your pilot scheme.
- Messaging tools – the appropriate channel should be used to log and address issues, with this information used to improve the implementation process across the organisation.
Suggested objectives:
- Ensure team leaders, SROs and service owners are aware of their Secure by Design responsibilities
- Give senior leaders confidence that delivery teams are effectively meeting Secure by Design requirements
- Provide reports on progress towards Secure by Design milestones to governance forums
- Identify potential blockers to the implementation process and devise solutions
Suggested messages:
- Secure by Design provides a way to continuously monitor adherence to cyber security principles, but it does not replace the need for security assurance practices within organisations.
- Organisations are encouraged to offer consistent processes, policies and shared resources (such as a threat assessment and security controls set) that can be used by delivery teams across projects.
- Data collated from the Secure by Design self assessments submitted by organisations will be used to determine whether the principles are being followed and whether they are having a positive impact on security performance and culture.
Example methods:
- Personal emails – use direct communication to maintain the support of your advocates and address issues raised by senior leaders.
- Presentations – invite senior leaders to attend a series of Secure by Design seminars over the course of the implementation period at which updates can be shared and the necessary decisions discussed.
- Governance forums – use these to provide detail on data (analytical and anecdotal) related to the success of pilot projects and the progress of implementation.
Suggested objectives:
- Set expectations and timelines related to the full adoption of Secure by Design across the organisation
- Share details of the specific changes being made to internal processes, policies, standards and documents, and the cultural changes associated with the approach
- Ensure colleagues in commercial and procurement teams are starting to build Secure by Design requirements into their supplier engagement, including procurements and contracts
Suggested messages:
- Describe the specific changes being made in the organisation as a result of the Secure by Design implementation, including who is affected and when.
- Secure by Design is largely an amalgamation of cyber security best practices that should already be in place, rather than something completely new. This is an opportunity to bring these together to ensure consistency and to address any gaps.
- This approach does not apply to digital services which are in operation or undergoing routine maintenance; it is about new projects and services, or those undergoing major change. However, over time, it is expected that all digital services will either be retired or come into scope of the Secure by Design policy.
- Apart from the inherent risks related to not implementing a robust cyber security programme, not meeting the principles may result in delays to passing the digital and technology spend control process and securing further project funding.
Example methods:
- Presentations – share lessons learned from your pilot project(s), describing issues faced and solutions that will help other project teams.
- Training sessions – provide targeted sessions for specific teams and roles that explain the potential impact of Secure by Design on their ways of working.
- Newsletters and blogs – share examples of collaborative behaviour between teams and individuals that is helping to facilitate the adoption of Secure by Design.
- Messaging tools – use the output of working group meetings to provide regular updates to keep people up-to-date with the latest Secure by Design developments.
- All-hands meetings – use opportunities where your entire organisation comes together to share progress towards Secure by Design implementation and invite questions.
- Onboarding – integrate the About Secure by Design video and Secure by Design Factsheet into the material used to welcome new employees so they can quickly understand the relevant information.