Secure by Design

Embedding a holistic security approach into your future business strategy

raster illustration of circuit cogs and lock…

Head of Cyber Consulting at Leonardo UK, Laura Marsden, asks how much confidence organisations have in their ability to withstand potential cyber-attacks, if the vulnerabilities across their business estate are not fully understood.


Investment to enhance our protection against the threat of cyber-attack continues unabated. The EU Commission’s recent announcement that it is to invest €50m in security research comes at a time when the economic impact of cyber-crime has risen five-fold over the past four years alone1.


But just how sure can we be that investment in new technology and the latest toolsets are providing real value for money and more importantly, are actually providing the adequate security our interconnected businesses and organisations demand?


A holistic, up-to-date, understanding of Cyber Enterprise Risk (CER) at an appropriate level of detail is crucial to allow informed risk and investment decisions to be made. Traditional approaches to security based on purely technical solutions have often failed to deliver these benefits.


Enter the Cyber Vulnerability Investigation (CVI) methodology. Developed by Dstl and supported by partners such as Leonardo, CVI is designed to meet the challenges that traditional approaches fail to address:

  1. The Risk Landscape is constantly evolving. Any approach must be dynamic and cost effective to maintain, such that risk and investment decisions are based on up-to-date information;
  2. A holistic view of CER is needed at appropriate detail to facilitate good risk decisions. Traditional approaches focus either on a high level view of risk across an organisation, but fail to deliver practical recommendations; or look in-depth at a particular system, but fail to consider risk holistically;
  3. Agile delivery approaches require an approach to security that is flexible and can deal with uncertainty and change. Traditional approaches require advanced knowledge of a set of requirements or system design which often do not exist, creating conflict and a lack of useful risk information;
  4. In many cases whilst organisations know there are problems with security, the nature of those is not known. Any approach must be able to define the problem-space;
  5. Organisations do not build IT estates from scratch; rather they have a complex interwoven mix of legacy and new systems.


Understanding Your Estate

As an original CVI framework member, Leonardo is a trusted provider of CVI capability and is actively adapting the methodology to drive improvement and ensure organisations understand the benefits of being Secure by Design.


CVIs consider the Target of Interest from a socio-technical perspective; including Open Source Intelligence, Human Factors investigations, Security architecture and a deep technical understanding of the target. The combination of Human Factors and a deep technical understanding is unique to the CVI approach and offers powerful insight. 


The CVI attack path-based approach to risk analysis, with an underpinning set of model views, delivers a thorough understanding of the problem space, allowing a holistic picture of risk to be built for the target at an appropriate level of detail across all socio-technical elements. As the models are fully interlinked, the attack paths and resultant risk picture can be easily adapted and updated to respond to system changes in a cost effective manner, and ensure up-to-date risk information is available.


Fit for the Future

This flexibility allows the CVI approach to be effective during agile delivery, through updating the model and risk output alongside development. It is not necessary to understand the end-state up-front; rather the CVI is built alongside the design in a truly agile fashion and risk can be designed out. This facilitates informed risk and investment decisions at each step.


Ensuring your organisation is Secure by Design therefore means an organisation is not only constantly vigilant against current known threats, but is also agile enough to respond to any unknown threats with the potential to undermine future operations. Through a CVI holistic risk based approach to security, an organisation can benefit from:

  • Measurable Return on Investment - a cost-effective approach to ongoing risk management allowing decisions to be made based on up-to-date information;
  • Informed Strategic Decision Making - a truly holistic picture of Cyber Enterprise Risk for an organisation with the necessary detail to inform practical actions and investment decisions and,
  • Sustainable Security – an effective approach to security via agile deliveries to genuinely allow security to be baked in to system designs.



  1. European Commission - Press release “State of the Union 2017 - Cybersecurity: Commission scales up EU's response to cyber-attacks”