Secure by Design: Insights from our chat with the NCSC

3 June 2025

Zoe Shiers

Listen to the whole conversation on the CyNam Community Podcast: https://lnkd.in/eaZsqq5b

In a recent CyNam Community Call, our CTO, Mark Adams, sat down with Ollie Whitehouse, CTO at the UK’s National Cyber Security Centre (NCSC), to discuss the growing importance of Secure by Design.

The discussion delved into how organisations — large and small — can integrate security into their development practices, make smarter technology choices, and share responsibility for open-source security.

Here are three key takeaways from that conversation.

1. Technical debt vs security debt: you will pay eventually

Secure by Design means building with a clear view of the threats your product or service may face. Ollie Whitehouse was clear: if you don’t think about security up front, you're simply deferring the cost — and when that cost comes due, it’s often higher.

Security needs to be part of the planning process, the threat modelling stage, and the design decisions you make at the start — not an afterthought when you're shipping.

“If you do it in the test cycle, you're never anyone's friend.” – Ollie Whitehouse

2. Secure by Design isn't just for the big players

One of the most refreshing insights was that Secure by Design is not a luxury reserved for large enterprises. Whether you're an SME or a global tech firm, the share of development effort devoted to secure engineering should be the same.

Ollie reminded us that security standards will continue to evolve — and for now, they may even be a little fragmented. But the core principle remains: the earlier you build in security, the less expensive and painful it will be later.

At Surevine, we’ve seen this firsthand. Working with customers on high-assurance systems means we don’t get the option to cut corners. Secure by Design is baked into how we work — not just what we deliver.

3. Open source needs more than applause — it needs support

The open-source model powers nearly everything — but its security often depends on the unpaid efforts of just a few. The Log4j vulnerability proved this painfully.

As Ollie put it, “Those that gain the most from open source don’t necessarily contribute proportionally.”

Secure by Design in an open-source world means more than just patching vulnerabilities when they hit the headlines. It means proactive support, shared responsibility, and funding the work that keeps shared infrastructure safe.

Mark shared Surevine’s experience patching a CVE in Openfire and contributing back to the community. It’s just one example, but it's a model that works — and one we believe more businesses should adopt. We need more businesses to commit to long-term support, tooling, and developer time to secure the libraries we all rely on.

What Can You Do Today?

Whether you’re a developer, CTO, or just someone shaping your organisation’s product strategy, Secure by Design starts with deliberate action:

- Choosing memory-safe languages where possible
- Building security into your pipelines and stories
- Publishing (and sticking to) security roadmaps
- Training developers to think adversarially - and empowering them with tools and time
- Supporting the open-source communities you depend on

Secure by Design isn’t just about avoiding breaches. It’s about making informed, sustainable choices that future-proof your technology — and protect your users.

As Ollie put it: "There is a moral argument here, as much as a technical, business, or philosophical one."

Want to Go Deeper?

Listen to the whole conversation on the CyNam Community Podcast: https://lnkd.in/eaZsqq5b

If you’re facing software security challenges — or want to build Secure by Design into your next project — get in touch with us.
