Secure by Design isn't a spreadsheet

The government’s Secure by Design mandate asks for two things a spreadsheet can never deliver: security designed in from the start, and assurance that stays current as the service changes.

What the mandate actually asks

Secure by Design moves security from a late-stage gate to a continuous discipline across the delivery lifecycle. It expects threat modelling early, security activities mapped to each phase, risk-balanced decisions with residual risk owned, and evidence captured as you go - not assembled the week before go-live.

Why the tracker fails

  • It is point-in-time - a snapshot that is stale the moment the service changes.
  • It has no gates - nothing stops delivery moving on with an open security activity.
  • Evidence is collected at the end, under pressure, instead of in place as work happens.
  • It is editable - which is the opposite of an audit trail.

Ironically, the government’s own Secure by Design tracking often lives in exactly the spreadsheet the mandate’s spirit argues against.

What continuous Secure by Design looks like

Gates at each phase - design, build, test, release, operate - each with its activities and sign-off. Risk-balanced release decisions where residual risk is explicit and owned. An append-only record of every decision, ready for accreditation. And re-assessment when the service changes, because ‘secure at launch’ is not the same as ‘secure’.

That is the difference between ticking a box and designing for security.
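
One way to build the per-phase gates and append-only record described above, as an added example that is not from the original post or any product it describes. The hash chain, the class and method names, and the status values are assumptions chosen for illustration.

```python
import hashlib
import json

PHASES = ("design", "build", "test", "release", "operate")  # phases named in the post
CLOSED = ("done", "risk-accepted")  # assumed status values that let a gate pass

def digest(body):
    """SHA-256 over a canonical JSON encoding of one log entry."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class EvidenceLog:
    """Append-only decision record; each entry commits to the one before it."""

    def __init__(self):
        self._entries = []

    def append(self, phase, activity, status, owner, note=""):
        if phase not in PHASES:
            raise ValueError(f"unknown phase: {phase}")
        if status == "risk-accepted" and not owner:
            raise ValueError("residual risk must have a named owner")
        prev = self._entries[-1]["hash"] if self._entries else "0" * 64
        body = {"seq": len(self._entries), "phase": phase, "activity": activity,
                "status": status, "owner": owner, "note": note, "prev": prev}
        body["hash"] = digest(body)
        self._entries.append(body)
        return body["hash"]

    def verify(self):
        """Return the seq of the first altered entry, or None if the chain is intact."""
        prev = "0" * 64
        for i, e in enumerate(self._entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def open_activities(self, phase):
        """Latest entry per activity wins, so a service change re-opens by appending."""
        latest = {}
        for e in self._entries:
            if e["phase"] == phase:
                latest[e["activity"]] = e["status"]
        return sorted(a for a, s in latest.items() if s not in CLOSED)

    def gate(self, phase):
        """A gate passes only if the record is intact and no activity is open."""
        return self.verify() is None and not self.open_activities(phase)
```

The chain makes an in-place edit detectable, but it does not stop someone rewriting the whole log, so the latest hash should also be stored somewhere the delivery team cannot modify.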
