National Cyber Security Centre: ‘It’s entirely possible to build good, secure tech using an agile approach’

Written by Rebecca Hill on 16 February 2017 in News

The NCSC’s chief architect describes the agile approach taken to developing its IT systems

The UK’s National Cyber Security Centre has revealed how it built its new IT systems using an agile approach, saying that waterfall “was never going to bring this job in on time”.

The London-based centre, which launched in October last year but was officially opened by the Queen this week, created its own IT system from scratch.

This, it said, was because none of the existing IT systems designed for working with information classified in the category ‘official’ met the needs of the centre – which was formed from several different organisations under the parent body GCHQ.


In a blog post, the centre’s chief architect, named as Richard C, said that the existing systems did not “strike the right balance of security, usability and functionality required” by the new organisation.

He said that having an agile approach was crucial. “A traditional waterfall approach was never going to bring this job in on time.”

However, he noted that there were areas where using agile techniques would be “tricky”, such as procurement of commercial services and equipment.

“While it’s possible to iterate the code which defines the configuration of our service, frequently changing our minds about the hardware we use just isn't practical,” he said.

The blog post also emphasised that it is “entirely possible to build good, secure tech using an agile approach”.

The main difference is that the system needs to be evolved over time, with risks taken in “sensible ways” while building new functionality or security into the system.

“On day one, we were running a relatively high risk in some areas while we were comfortable with the controls we had in place elsewhere,” he wrote.

In addition, the team had to take “well-informed decisions to accept calculated risks” in the knowledge that more controls would be added as deployment numbers increased.

Working in this way meant that each sprint added not only new features to the system, but also increased security.

“The risks we take change on a sprint by sprint basis. We’ll continue to take sensible decisions, security being considered as an important factor, along with various other demands of the project, like usability and cost,” he wrote.

Because of this approach, however, the system will “never be ‘accredited’ in the traditional sense of a point-in-time decision, because it will never be ‘done’”.

The centre had three main design principles for the project: technology, security and user experience.

However, he said that the most important element is that the system is “a pleasure for people to use”, noting that “a highly secure solution that no-one uses isn’t secure at all”.


