The Strategic Defence Review (SDR) explicitly recognises that modern warfare has become software-defined, emphasising that military advantage now depends on the speed at which the armed forces can innovate and deploy emerging technology [1]. Yet the UK Ministry of Defence (MOD) continues to apply static and manual assurance models to dynamic software capability. While Secure by Design marks positive progress, it remains limited by internal skill gaps, manual compliance and control mapping, and audit-driven processes rooted in a legacy culture of compliance-based approaches. Furthermore, with the MOD’s heightened risk aversion around data, an attitude not mirrored in decisions involving vehicles or missiles, security and assurance decisions are being unnecessarily escalated rather than being made at the most appropriate level, exacerbating the issue further. The National Cyber Security Centre warns of a widening gap between threat complexity and our defensive capabilities, as adversaries like China, Russia, and Iran exploit our digital dependencies with increasing speed and sophistication [2]. Current assurance processes create a dangerous illusion of security, whilst slowing delivery to operational end-users and deterring capable industry partners. We will be fighting tomorrow’s software war with yesterday’s security mindset.
The paradox at the heart of MOD software assurance isn't merely that point-in-time assurance fails to maintain a robust security posture; it's that a cultural reliance on these compliance-driven practices actively undermines the operational agility and innovative capabilities they're meant to enable and protect.
The security illusion
In recognising the shifting character of warfare, the MOD has put a large amount of focus on the development of its "digital backbone": a unified foundation of technology, people, and processes that puts digital enablement at the core of the organisation's transformation. This shift is driving a sharp increase in the volume and complexity of software requiring assurance and deployment. Initiatives like the British Army’s ASGARD project, which aims to deliver software-defined platforms, autonomous systems, and AI-enabled decision-making tools that require rapid deployment cycles [3], showcase this by putting digital transformation at the heart of the British Army’s priorities going forward.
Even with this shift in focus and demand, manual assurance processes continue to create significant hurdles for delivering the cutting-edge technology needed on the battlefield. Despite the government’s Secure by Design initiative, aimed at embedding security throughout development lifecycles, the MOD still relies on audit-based methods involving manual control mapping in Excel spreadsheets and documentation. JSP 453 exacerbates this inefficiency by requiring multi-month cycles to achieve authorisation-to-operate approval, including extensive security coordination meetings and physical board presentations.
The MOD's Cyber Activity and Assurance Tracker (CAAT) relies on manually completed, questionnaire-based assessments and evidence collection every three months (or sooner in response to emerging threats or known breaches) [4]. While these assurance processes help establish baseline compliance, they fall short of improving real security posture because there is currently no continuous monitoring once systems are deployed. Relying on questionnaires reduces security to subjective interpretation, first by the respondent and then by the auditor, resulting in responses that are often incomplete, oversimplified, or, in some cases, entirely inaccurate. Reassessing systems every three months doesn’t solve this issue; it simply re-certifies flawed information. Successfully passing assurance reviews and gaining deployment approval may give the appearance of security, but in reality it can create a false sense of protection. Adversaries, using technical tools to map and exploit systems, often have a clearer understanding of our systems' true architecture and vulnerabilities, while we continue to rely on what are effectively creative writing exercises to meet compliance standards.
While the MOD attempts to move toward more agile models, progress remains insufficient to meet its transformation goals. Continued reliance on audit-based processes undermines real security and frames cybersecurity as a barrier rather than an enabler. This not only delays capability delivery but also deepens the "valley of death" challenge faced by early-stage companies and SMEs attempting to scale within the British defence ecosystem.
Modern warfare needs modern trust
Furthermore, the MOD's ambition to accelerate software delivery suffers from a critical shortage of qualified cybersecurity specialists, forcing reliance on compliance-focused auditors. As has already been discussed, this legacy approach focuses on governance frameworks rather than hands-on threat detection, creating operational blind spots that adversaries exploit. Facing 90,000 sub-threshold attacks on military networks in the last two years, the MOD launched a fast-track recruitment pathway earlier this year for technical specialists, accelerating basic training from 10 weeks to 1 month for those with existing digital skills [5]. These measures highlight the urgent need for cybersecurity expertise within the organisation. However, they will ultimately fall short of meeting the MOD's recruitment and, more importantly, retention goals if specialists are tied up reviewing spreadsheets and documents. Retention depends on equipping these individuals with appropriate tools to perform the technical tasks they were trained and hired to carry out.
The absence of technical cybersecurity expertise across the MOD leads capability owners to transfer the assurance risk to the digital teams within their front line command, leaving these teams to shoulder the ever-increasing assurance burden with limited resources to do so. This problem continues to compound, with assessment timelines stretching from months to years for even basic OFFICIAL-level systems.
With this backdrop, it is easy for overwhelmed digital teams to adopt a “no first” culture when approaching cybersecurity. When every innovation requires turning a "no" into a "yes," soldiers, airmen, sailors and marines will either abandon promising capabilities or find workarounds outside official oversight. This defensive posture transforms cybersecurity from a mission enabler into an operational barrier, stifling the creativity and innovation that the MOD desperately wants to achieve.
How do we do it right?
Ultimately, the focus must be on the delivery of capability for our service personnel. Getting this right means changing the Concepts of Employment (CONEMPs) and Concepts of Operations (CONOPs) that currently slow and inhibit innovation at pace, and transforming our warfighters from subjects of bureaucratic red tape into empowered recipients of cutting-edge software, delivering the battlefield advantage they need to win the next war. To do this, cybersecurity must transition from a bureaucratic hurdle to an operational enabler by adopting an automation-based approach. Using modern software practices to automate the repeatable manual processes of assurance enables the security specialists within the MOD to rapidly assure, onboard, deploy, and genuinely risk-manage capability, rather than run slow legacy compliance audits. Practices such as DevSecOps, Continuous Integration/Continuous Deployment (CI/CD) security pipelines, infrastructure as code (IaC), policy as code (PaC), and continuous monitoring enable the MOD to achieve the ultimate goal of delivering cutting-edge capabilities to our service personnel on the front line.
Automation and continuous security. Let code check code. Automating security scans reduces human error and enables continuous detection of malware and common vulnerabilities and exposures (CVEs), and continuous enforcement of software hardening. Once a system is deployed, 24/7 security monitoring can detect incidents and alert teams to them, as well as to newly discovered CVEs affecting the live environment.
For example, in December 2021, a critical vulnerability in the widely used Log4j library allowed attackers to steal credentials, extract data, and deploy malware. Organisations with continuous security monitoring and mature asset management responded most effectively. Others, relying on manual processes, remained vulnerable, with 72% of organisations still unpatched nearly a year later [6].
Given the high stakes of military operations, the MOD cannot afford to rely on manual security checks. Continuous, automated security monitoring is essential to maintain software integrity and cybersecurity readiness.
Technical agility. IaC and PaC embed security directly into deployment workflows, eliminating the need for separate, manual approval processes. IaC enforces consistent and secure infrastructure baselines, while PaC continuously validates compliance within CI/CD pipelines [7]. For government networks, this shifts security from a manual gatekeeping function to an automated, integrated capability which enables continuous validation rather than relying on point-in-time audits. The result is faster, more secure software delivery, without compromising security requirements.
When combined with API-driven microservices and containerised deployments, this approach forms the foundation of secure, interoperable, and integrated architectures with allies and partners. IaC templates allow infrastructure to be rapidly reconfigured for partner integration, while PaC dynamically adapts policies to meet varying partner security requirements. Furthermore, modular systems can scale to meet operational demand while maintaining consistent security standards across distributed allied networks, all achieved through automated policy enforcement rather than slow manual coordination.
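The following is an added illustration of the policy-as-code gate described above (it is not code from the article or from any MOD system): each control that would otherwise be mapped by hand in a spreadsheet becomes a function that inspects the deployment artefacts, and any blocking finding fails the pipeline stage. The manifest, SBOM, vulnerability feed, control names and advisory identifier are all constructed for the example.

```python
"""Policy-as-code pipeline gate (added example; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str    # codified control that was violated
    severity: str   # "block" fails the stage, "warn" is reported only
    detail: str


# Constructed container deployment manifest: one compliant, one non-compliant.
MANIFEST = {"containers": [
    {"name": "planner", "image": "registry.example/planner@sha256:" + "a" * 64,
     "privileged": False, "runAsNonRoot": True},
    {"name": "sidecar", "image": "registry.example/sidecar:latest",
     "privileged": True, "runAsNonRoot": False},
]}
# Constructed SBOM and vulnerability feed (package -> {version: advisory id}).
SBOM = [{"name": "log4j-core", "version": "2.14.1"},
        {"name": "jackson-databind", "version": "2.17.0"}]
VULN_FEED = {"log4j-core": {"2.14.1": "EXAMPLE-ADVISORY-0001"}}


def check_images_pinned(manifest):
    # Mutable tags (":latest") defeat reproducible, attestable deployments.
    return [Finding("image-pinned-by-digest", "block", c["name"])
            for c in manifest["containers"] if "@sha256:" not in c["image"]]


def check_least_privilege(manifest):
    out = []
    for c in manifest["containers"]:
        if c.get("privileged"):
            out.append(Finding("no-privileged-containers", "block", c["name"]))
        if not c.get("runAsNonRoot"):
            out.append(Finding("run-as-non-root", "warn", c["name"]))
    return out


def check_known_vulns(sbom, feed):
    # Continuous CVE detection: re-run on every build and whenever the feed changes.
    return [Finding("no-known-vulnerable-components", "block",
                    f"{p['name']}=={p['version']} ({feed[p['name']][p['version']]})")
            for p in sbom if p["version"] in feed.get(p["name"], {})]


def evaluate(manifest, sbom, feed):
    """Return (passed, findings); the stage passes only with zero blocking findings."""
    findings = (check_images_pinned(manifest) + check_least_privilege(manifest)
                + check_known_vulns(sbom, feed))
    return not any(f.severity == "block" for f in findings), findings


if __name__ == "__main__":
    ok, findings = evaluate(MANIFEST, SBOM, VULN_FEED)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.control}: {f.detail}")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI/CD stage
```

The same evaluation can be rerun against the deployed inventory whenever the vulnerability feed updates, which is the continuous-monitoring half of the argument rather than a quarterly questionnaire.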
Measuring performance. Automating security needs to be coupled with tangible measurements of success. Focusing on metrics such as mean time to detect, restore, remediate, and redeploy creates an innovation ecosystem that is focused on delivering capability and battlefield advantage rather than compliance documentation. US Department of Defense (DoD) research shows this approach can dramatically increase the speed of innovation. For example, Kessel Run, the US Air Force's first software factory, transformed over 10 years from zero code deployed to 4,000 annual deployments, including the delivery of a mission planning application that assisted in the evacuation of 123,000+ lives during the Afghanistan withdrawal in 2021 [8].
Operational enablement. When security is automated and capabilities can be deployed and updated in real time, end-users experience true capability enhancement, not bureaucratic gatekeeping. Integrating security automation into the assurance process removes the traditional trade-off between security and speed, which often forces teams either to slow innovation or to find workarounds. Instead of waiting months for manual security approvals, capabilities can be securely delivered within days. The shift from manual audits to automated enablement empowers end-users with the timely, cutting-edge software that is essential for mission success, while preserving a strong and consistent security posture.
From compliance to capability
The MOD’s Secure by Design initiative is a step in the right direction, but the scale of the MOD’s transformation ambitions demands bolder action. While Russia wages war on our continent, China and Iran launch daily cyberattacks against our critical infrastructure. The Strategic Defence Review demands a “step-change in British defence” and that defence needs to “drive innovation at a wartime pace,” yet legacy compliance processes continue to constrain the very technologies they aim to protect. Delivering on this vision means embracing continuous security, technical flexibility for rapid deployment, and the organisational agility required for joint operations.
Crucially, it also requires a mindset shift: seeing cybersecurity as an enabler of innovation, not a blocker. Success depends on fostering an ecosystem of technical specialists: coders, engineers, and cybersecurity experts, not more consultants and auditors.
At its core, this is about empowering those on the frontline. Our service personnel deserve better than outdated processes and glacial delivery timelines. Software-defined warfare has arrived and our adversaries are already exploiting our digital dependencies. In this new operational landscape, cybersecurity is not just an IT concern; it is a mission-critical capability that directly determines whether our forces can operate safely, effectively, and at pace.
Point-in-time assurance leaves the MOD perpetually exposed in a constantly evolving threat environment. Our adversaries aren’t waiting… So why are we? The time to transform is now.
References
1. The Strategic Defence Review - 2025
2. NAO Report: Government Cyber Resilience - January 2025
3. The British Army Challenge Set 2025
4. https://www.digital.mod.uk/secure-by-design/assess-your-risk/do-regular-assessments
5. https://www.gov.uk/government/news/fast-track-armed-forces-recruitment-launched-to-boost-uk-cyber-defence
6. https://www.tenable.com/press-releases/tenable-research-finds-72-of-organizations-remain-vulnerable-to-nightmare-log4j
7. https://csrc.nist.gov/pubs/sp/800/204/c/final
8. https://www.airandspaceforces.com/kessel-run-air-force-software-factor-pivoting/