A project or operations team must consider cyber security from the outset. This includes agreeing team and stakeholder responsibilities, which enables:
- ownership of specific security activities
- identification of skills required within the team and any gaps
- personal responsibility for mitigating risk within the project or service
These responsibilities should be documented by project and operations teams, describing the requirements of each role in more detail where necessary. This should be led by your Senior Responsible Owner (SRO) and product and delivery managers, with the wider team consulted as part of the process.
The SRO is accountable for making sure that digital services and infrastructure, whether built within the department or procured through suppliers, are secure. They are responsible for taking risk-based decisions throughout the lifecycle of the digital service or infrastructure.
If a project or operations team does not have an SRO, another appropriate person in the team (for example, a Service Owner) should take on this role. That person must have the appropriate risk management experience or qualifications.