Innovation alone won’t secure the UK’s tech leadership

The UK’s tech ambition demands more than innovation. It must be secure by design. Sabeen Malik, VP of Global Government Affairs and Public Policy at Rapid7, argues that voluntary security codes will not deliver the resilience Britain needs. True progress depends on mandatory, measurable frameworks developed through meaningful public–private collaboration.


The UK has set its sights on becoming a global leader in artificial intelligence, quantum computing and other advanced technologies. It’s a bold ambition, but innovation on its own will not guarantee success.

Technical breakthroughs will not deliver long-term value if the systems they rely on are fragile or vulnerable to attack. For the UK to turn its aspirations into sustainable growth, security must be built in from the outset, not bolted on after the fact.

The good news is that security is clearly on the UK government’s agenda. The forthcoming Cyber Security and Resilience Bill covers a range of areas with an emphasis on proactive security.

The Department for Science, Innovation and Technology (DSIT) also released a voluntary Code of Practice for the Security of AI earlier this year, and more recently published a new voluntary Software Security Code of Practice, which strongly emphasises the secure by design concept as integral to software development. Similarly, the NCSC has issued guidance on preparing security for the quantum age.

These efforts signal that security is not a secondary issue but recognised as fundamental to resilience and growth. However, voluntary initiatives can only take us so far. In a market the size of the UK, optional codes are unlikely to drive systemic change at the speed required.

Guidelines can be a useful resource, but they must not become a substitute for progress. Self-attestation and generalised best practices risk creating an illusion of security rather than real improvement. If secure by design is to make a meaningful difference, mandatory adoption is needed. 

That said, without careful thought, a mandatory approach can easily become a blunt instrument that lacks the nuance to deal with different sectors and use cases. To succeed, policymakers need to work closely with industry leaders to understand their unique needs and challenges. 

Few will disagree with secure by design as a concept, but in practice, it too often becomes a compliance exercise. Organisations tick boxes for controls such as multi-factor authentication or incident response plans but rarely stop to ask what risk they are actually trying to mitigate. 

The reality is that many businesses struggle to identify the three or four risks that truly matter in their context.

This is why secure by design cannot be treated as a static checklist. Risks evolve, and policies must evolve with them. Success should not be judged on whether guidelines are followed, but whether resilience is measurably improving. 

Likewise, there cannot be a blanket approach to implementing secure by design. Something that works for manufacturing operational technology or Internet of Things devices likely won’t fit the complexities of software development. Nuance is essential.

The government has a pivotal role in ensuring secure by design moves from aspiration to reality. Public–private discussions are useful, but they cannot remain high-level conversations. 

What is needed are sector-specific dialogues, focused on areas where the UK already has global strengths such as finance, healthcare and critical infrastructure. These convenings should result in clear, actionable outcomes that translate into practice.

Governmental influence is also essential to taking a secure by design approach beyond a voluntary uptake and setting a consistent baseline across multiple industries.

That said, any mandates should be paired with mechanisms that enable innovation, so they don’t end up stifling the very industries we want to build up. Businesses need to believe that secure by design will lead to better outcomes for them, irrespective of whether new regulations are introduced. This also requires a shift in customer behaviour – investments will be more worthwhile if buyers see security as a valuable factor.

Again, incentives need to be matched to the realities of different tech sectors. For example, when it comes to critical infrastructure providers, strictly mandated requirements as we’ve seen with regulations like NIS2 make sense. 

But for areas like software development, the focus needs to be on encouraging a culture of security and building habits that will lead to continuous improvement. This will yield better results than hammering down blanket rules.

One of the biggest gaps in secure by design today is ownership. Boards often assume the CISO is responsible, CISOs point to regulators, while regulators expect companies to manage it themselves. In the end, nobody is clearly accountable.

Without defined responsibility, secure by design risks falling between the cracks. Boards must do more than sign off on budgets; they should challenge strategy and demand metrics that show whether resilience is improving. Success criteria must be established in advance, and progress tracked against them.

The UK’s ambition to cement itself as a hub for advanced technologies will only succeed if innovation is matched by resilience. Secure by design must be mandatory, measurable and meaningful – applied consistently across cloud, software, AI and other emerging technologies.

With resilience at its core, the UK can create the trust and confidence that allows innovation to flourish at scale.
