Standard : Security is built in, not bolted on

Purpose and Strategic Importance

This standard ensures security is embedded into every stage of product development rather than added reactively. By integrating security into design, architecture, and delivery pipelines, teams create resilient systems that can adapt to evolving threats while maintaining compliance.

It supports our policies "Secure by Design", "Zero Trust Architecture", and "Infrastructure as Code & Policy as Code". Without this standard, products risk being fragile, exposed, and costly to remediate.

Strategic Impact

  • Proactive protection of customer data and trust
  • Reduced cost and time of addressing vulnerabilities
  • Stronger compliance with regulations and governance

Risks of Not Having This Standard

  • Higher exposure to security incidents and breaches
  • Expensive retrofitting of security controls post-delivery
  • Regulatory fines and reputational harm

CMMI Maturity Model

Level 1 – Initial

  • People & Culture: Security treated as optional or external responsibility.
  • Process & Governance: No security processes embedded in delivery.
  • Technology & Tools: Manual, inconsistent security checks.
  • Measurement & Metrics: No metrics on vulnerabilities or remediation.

Level 2 – Managed

  • People & Culture: Security awareness grows, but adoption is reactive.
  • Process & Governance: Security reviews occur before release only.
  • Technology & Tools: Static tools used manually at late stages.
  • Measurement & Metrics: Basic vulnerability counts tracked.

Level 3 – Defined

  • People & Culture: Teams share responsibility for security.
  • Process & Governance: Secure coding standards and architecture patterns embedded.
  • Technology & Tools: Automated scans in CI/CD pipelines.
  • Measurement & Metrics: Vulnerability tracking and remediation SLAs enforced.

Level 4 – Quantitatively Managed

  • People & Culture: Security-first mindset adopted across roles.
  • Process & Governance: Governance reviews focus on continuous risk management.
  • Technology & Tools: IaC and Policy as Code ensure environments are compliant by default.
  • Measurement & Metrics: Quantitative data links security practices to reduced incident frequency.

Level 5 – Optimising

  • People & Culture: Security embedded as cultural norm, seen as enabler of trust.
  • Process & Governance: Security governance continuously adapts to emerging threats.
  • Technology & Tools: Zero Trust and intelligent tooling proactively prevent threats.
  • Measurement & Metrics: Continuous improvement cycles measure and improve security posture.

Key Measures

  • % of pipelines with automated security checks
  • Mean time to remediate vulnerabilities (MTTR)
  • % of infrastructure managed via IaC with policy enforcement
  • Number of security incidents per release cycle