To strengthen its digital resilience, ONS adopted the Secure by Design approach, embedding security directly into the way digital services are planned, built and delivered. Rather than viewing Secure by Design as a new framework to replace existing practices, the organisation quickly recognised that it provided the structure needed to connect and mature the strong foundations already in place.
As Leighton Osmond, Head of Cyber Security Risk and Secure by Design champion at ONS, explained: “As Secure by Design came into the picture, it complemented our existing risk management and governance frameworks. It helped us realise we already had most of the pieces of the jigsaw – we just needed to put them together.”
While ONS already demonstrated a high level of cybersecurity maturity, the organisation identified opportunities to strengthen its approach further. In particular, there was a need to improve continuous assurance, develop stronger security architecture practices, and ensure that security could operate effectively within increasingly agile delivery models.
Security also needed to move beyond being a specialist function or late-stage control and instead become an embedded part of everyday digital delivery and decision-making across the organisation.
Senior leadership across digital, architecture and delivery functions played a central role in championing Secure by Design. This leadership support ensured the approach was embedded into strategic planning, governance structures and operational processes.
Secure by Design principles were mapped directly onto existing delivery life cycles, allowing teams to clearly see how security fits naturally into each project stage. Awareness was raised through internal engagement, while governance and assurance frameworks were aligned to support consistent application across programmes and services.
Security teams worked closely with delivery teams, embedding risk assessment, threat modelling and secure architecture design into everyday project activity. At the same time, security expectations were strengthened within commercial and supply chain processes, ensuring partners and suppliers aligned with ONS security standards from the outset.
A key focus for ONS was integrating Secure by Design into agile development environments. By bringing developers and security professionals together at the earliest stages of delivery, security became an enabler rather than a barrier to progress. Early engagement reduced friction, prevented late-stage remediation, and improved the quality and resilience of digital services.
Secure by Design was treated as a cultural transformation rather than a compliance exercise. Security became a shared responsibility across governance, commercial, financial and delivery teams, embedding cyber resilience into everyday conversations and decisions across the organisation.
The adoption of Secure by Design has delivered tangible benefits for ONS. The organisation has seen stronger early engagement with security requirements, a reduction in both the number and severity of identified risks, and increased confidence in the security posture of new digital services. Lower overall risk scores, fewer late-stage fixes, and improved alignment with supply chain partners have contributed to a stronger and more resilient digital environment.
ONS has also implemented a maturity model within its Secure by Design framework, enabling progress to be measured, tracked and continuously improved over time. This allows the organisation to demonstrate clear security growth while maintaining momentum across teams.
Looking forward, ONS expects Secure by Design to continue delivering long-term value through fewer security incidents, reduced remediation costs, and stronger public trust in the protection of national data assets.