Secure by Design - Nothing "New" To See Here - But Definitely Worth Another Look.
- Steven Cockcroft
- 5 days ago
The UK Government, National Cyber Security Centre (NCSC) and Ministry of Defence (MoD) all promote Secure by Design as a cornerstone of modern digital resilience.
Perhaps unsurprisingly, it is far from a new or novel concept. Getting it right first time is a management principle that has been around for a while.
Secure by Design echoes decades-old business management philosophies that have long championed proactive quality assurance and risk mitigation. At its core, it embodies the ethos of “getting it right first time”, a mantra that traces back to the 1960s and the pioneering work of Japanese industrial engineer Shigeo Shingo.
Mistake Proofing
Shingo’s concept of Poka-Yoke, which translates to “mistake-proofing”, was developed to eliminate human error in manufacturing processes. By designing systems that prevent faults before they occur, Poka-Yoke revolutionised production quality and laid the groundwork for what would later be formalized as the Zero Defects philosophy. This approach emphasized that quality should be built into the process, not inspected in after the fact.
Parallels with Secure by Design are unmistakable: both advocate for embedding safeguards/controls from the outset rather than retrofitting them post-deployment.
The Zero Defects movement, popularised by Philip Crosby in the 1970s, reinforced the idea that quality is not a goal but a standard. It rejected the notion of acceptable error rates and instead promoted a culture of excellence and accountability. In today’s cybersecurity landscape, this translates to systems that are architected with security by design and default, not as an afterthought.
The NCSC’s principles mirror this by urging developers to consider strategic objectives, risk management, preventive, detective and recovery safeguards/controls, and robust testing from the earliest stages of design and development.
Zero Accidents
The influence of these philosophies extends beyond manufacturing and into health and safety management. The concept of “zero accidents” has become a benchmark in high-risk industries, advocating for environments where safety is systematically engineered into operations.
The concept of "Zero Accidents" was first formally advocated in the early 1990s by the Construction Industry Institute (CII), which introduced the Nine Zero Injury Principles to promote accident-free workplaces.
Origins of the Zero Accidents Philosophy:
1990s – Construction Industry Institute (CII): The idea of achieving zero injuries gained traction through CII’s research and advocacy. Their Nine Zero Injury Principles laid the foundation for safety programs that aimed not just to reduce accidents but to eliminate them entirely.
Vision Zero Movement – Mid to Late 1990s: In parallel, the Vision Zero initiative emerged in Sweden, focusing on road safety. It was based on the belief that no loss of life is acceptable and that traffic systems should be designed to prevent fatalities and serious injuries. This expanded the zero accidents philosophy beyond industrial settings into public policy.
European Safety Agencies – 2010s Onward: The European Agency for Safety and Health at Work further developed the Zero Accident Vision as a mindset rather than a numerical target. It emphasised that all accidents are preventable and that safety should be embedded into organisational culture.

Secure by Design
This mindset is now mirrored in digital safety, where the goal is to prevent breaches and vulnerabilities through thoughtful design rather than reactive patching and/or expensive rework.
Modern frameworks like ISO 27001:2022 for Information Security Management Systems (ISMS) reinforce this proactive stance. The standard mandates that security controls be integrated into project management processes, ensuring that risks are identified, assessed, and mitigated throughout the lifecycle of a system. It aligns closely with Secure by Design by embedding security governance into organisational culture and workflows.
Similar standards and frameworks that enable improved business management and continuous improvement exist from the US National Institute of Standards and Technology, e.g. NIST Cyber Security Framework (CSF 2.0), and the UK National Cyber Security Centre (UK NCSC), e.g. Cyber Essentials, 10 Steps to Cyber Security, Cyber Assessment Framework, etc.
Moreover, the General Data Protection Regulation (GDPR) enshrines the principle of Data Protection by Design and Default. This legal requirement compels organisations to implement technical and organisational measures that safeguard personal data from the outset. It’s a regulatory and legal embodiment of the same foundational idea: build it right, build it safe.
A brief history of getting it right first time:
1960s Poka-Yoke: Mistake-proofing in manufacturing to prevent defects at the source.
1970s Zero Defects: Quality philosophy promoting “do it right the first time.”
1980s–1990s Zero Accidents (Health & Safety): Safety culture aiming for zero workplace injuries through proactive design.
2000s Secure by Design (Early Adoption): Security integrated into software development from the start.
2010s GDPR Data Protection by Design: Legal mandate for privacy-first system architecture.
2020s ISO 27001:2022 Security in Project Management: Security controls embedded in project lifecycles and governance.
Summary
In essence, the UK Government, UK NCSC and UK MoD Secure by Design Principles are not a radical departure from traditional management wisdom; they are simply a digital evolution of time-tested management practices.
Whether in manufacturing, safety, or digital business, the message remains consistent: excellence begins at design.
Getting it right first time is a proven management concept. Secure by Design Principles simply apply decades-old management principles, which are proven to enable improved quality and reduce accidents, to modern-day organisations.
Embracing NCSC Secure by Design Principles might just be the smartest investment you make, protecting your reputation, winning customer trust, and future‑proofing your business against evolving cyber threats.

Learn more on our 2-day instructor-led Digital Trust Professional® (DTP®) NCSC Secure by Design (SbD) Foundation Certificate course: DTP NCSC Secure by Design Foundation
Further reading
NCSC Secure by Design Principles: https://www.ncsc.gov.uk/collection/cyber-security-design-principles




