
DSTL’s New ‘Secure by Design’ Problem Book: How industry can rise to meet ongoing challenges – and the solutions we carry with us already.
Last week, the Defence Science and Technology Laboratory (DSTL) released their “Secure by Design Problem Book,” highlighting critical challenges in implementing security-by-design principles across UK defence. While primarily focused on military capabilities, this publication poses questions to rack the brains of anyone working in or near sensitive sectors supporting the defence supply chain. The problem book seems to be proffered by the DSTL team in the hope that ingestion of these points by both academics and organisations may produce a ‘trickle up’ effect that brings returns to our national defence infrastructure.
At ADAS, we’ve been examining how these challenges mirror those faced by our clients across various industries, and how they shape up against our varied experience working in areas that feed into critical UK sectors, or upskilling talent that may go on to work in these fields. This article dives in without a summary, so please consider following the link and reading the Secure by Design Problem Book before getting stuck into our article.
Understanding the Landscape
DSTL’s problem book identifies four key challenges:
- Upskilling UK defence in ‘Secure by Design’
- Managing unevenly distributed information and knowledge
- Incorporating security at the earliest stages of capability acquisition
- Supporting security through the entire lifecycle
First glance confirms that – of course – these problems aren’t unique to defence: they’re relevant to any organisation developing or maintaining secure systems, especially in regulated or high-risk environments. Here is what jumped out at us…
Competency Frameworks: A Common Language for Risk
The problem book highlights the need for robust competency frameworks to ensure teams possess appropriate expertise. As a house of standards ourselves – we audit and assess against various standards every day – we see exactly what impact a standard language for risk can have on diverse organisations working towards shared or similar objectives.
Standards provide vital common reference points for internal and external stakeholders from diverse backgrounds who may struggle to communicate about risk management efforts. While frameworks like ISO 27001 take a risk-based approach (allowing implementations to differ between organisations), more prescriptive standards like Cyber Essentials Plus and IASME Cyber Assurance focus on specific controls.
Both approaches have their place. ISO 27001’s risk-based methodology allows for contextual adaptation but can be strengthened by clearly referencing technical controls in place. Meanwhile, Cyber Essentials Plus provides an objective, verifiable set of baseline security measures present on each device; CE produces an equality of outcome amongst organisations that may not have built a robust management system – but do have key areas under control.
Together, these frameworks create a shared language for discussing security, enabling more effective collaboration between technical and non-technical stakeholders where it may otherwise not be possible to demonstrate adequate measures or secure buy-in for information security or risk management. Getting these terms of reference ‘out of the way’ also clears the table for blue-sky thinking on the more complex problems of standardising approaches or ways of thinking, because everyone can be sure that they’ve got the same controls in place without needing to spend time and energy validating them.
Talent Development and Knowledge Sharing
DSTL’s focus on “Delivery Mechanisms” for upskilling talent parallels efforts already underway across the UK cyber sector. Initiatives like Cyber PATH, run by the National Cyber Resilience Centre Group (where both our Managing Director and Technical Director provide support and consultancy), and the regional Cyber Resilience Centres are actively working to develop the next generation of security professionals, with leadership from the front by policing and input from a National Ambassador steering group made up of industry representatives.
These programmes help bridge the gap between academic knowledge and practical skills needed in industry, addressing the critical shortage of qualified personnel that affects organisations of all sizes. The students are hungry for it, the industry is hungry for it – any initiatives that achieve this should get the time and fuel needed to get going.
Breaking Down Knowledge Silos
The problem book’s sections on “Mapping the body of knowledge” and “Disciplinary differences” highlight a challenge we often encounter when working with organisations that provide vital services or functions while attempting to rapidly develop their information security posture: security knowledge tends to exist in silos, with limited sharing between disciplines and organisations.
Collaboration is essential in cybersecurity – and it often goes against the industrial instincts of the private sector to share the effort put into upskilling and breaking ideas down into accessible formats. At ADAS we’re committed to raising the collective bar through knowledge sharing; community-driven projects like Savva’s ISO27001.zip exemplify the open-source approach to building a collective knowledge base from which the entire industry can benefit. With over 30,000 monthly visits and 1,000 identified repeat users, the feedback is that the site provides an accessible interface to the standard – resources of this kind are clearly used when made available. According to the analytics, the site is also regularly scraped by AI agents – contributing to well-informed AI tools that provide useful help at the moment it’s requested by implementors, auditors, and newcomers.
Creating shared terms of reference and common ways of thinking about security problems helps bridge the gap between complex theoretical systems and complex real-world problems. This collaborative approach is especially valuable for SMEs, who may lack the resources for comprehensive in-house expertise. An effective map of a body of knowledge genuinely gives anyone reading it a proper head-start in tackling risk-based problems.
Building a Stronger Research Ecosystem
Perhaps most importantly, the problem book calls for “Growing and sustaining the ‘Secure by Design’ research ecosystem” – an area where industry, academia, and government must work together more effectively.
We simply need stronger feedback loops between industry demand and academic research, both in research output and in the knowledge that students leave with. Developing well-rounded professionals with the complex knowledge bases required for modern security challenges, without the vendor lock-in of outdated apprentice schemes, is a modern challenge. This may require rethinking traditional academic structures to become more adaptive and industry-integrated while maintaining academic rigour.
The answer might lie in creating that “missing link” – a hybrid approach that combines the support structure of universities with closer industry ties, while avoiding vendor lock-in and ensuring transferable skills development. We don’t think anyone’s got this quite right yet, but there are some really awesome universities that are successfully tethering their courses to industry expertise and bringing that expertise into the classroom.
Moving Forward: Implications for SMEs
DSTL’s problem book offers some clear guiding thoughts that mean we should all be:
- Adopting appropriate frameworks: Implement standards like Cyber Essentials Plus, IASME Assurance, or ISO 27001 to establish a security baseline and demonstrate commitment to best practices.
- Investing in skills development: Support both formal and informal learning opportunities for your team, connecting with initiatives like the Cyber Resilience Centres if you’re a newcomer to information security.
- Collaborating and sharing knowledge: Engage with industry forums, open-source projects, and security communities to both contribute to and benefit from collective knowledge. Think about collaboration as what you can offer others, not what you can gain from the process. Knowledge sharing is not zero-sum.
- Bridging the gap: Work to improve communication between technical and non-technical stakeholders, using frameworks as common reference points for fact-finding on areas for improvement.
If you found this article interesting – we’d love it if you could send it to someone you think would agree with you. Let’s get a conversation going and identify some avenues for useful collaboration!
At ADAS Cyber Security, we’re committed to helping organisations navigate these challenges through our Cyber Essentials Plus and IASME Assurance consultancy and certification, ISO 27001 consultancy, affordable and flexible vulnerability management solutions, and security culture development services. Even smaller teams can achieve meaningful security improvements and better position themselves in the security-conscious supply chains of the future with a no-frills approach that seeds in the soil of effective frameworks and standards, and flowers in resultant controls and awareness culture.