Applying Secure By Design to High-Threat Programme Change

Implementing continuous development to address new opportunities and requirements


The client owned a mature, large-scale web application that housed vast amounts of sensitive information. One part of this application was accessible from the internet, while the other was used within government infrastructure, which had a low tolerance for risk.


Due to its business-critical nature, the client sought the expertise of Tom Burton, a Cyber Security specialist at Cambridge Management Consulting, to update the application to meet new opportunities and modern network requirements.


The Challenge


The client needed to integrate a new third-party SaaS web service into the existing application to enhance business efficiency and process speed.


This SaaS environment was subject to compliance with some UK Government security standards; however, they could not apply conventional, direct assurance and accreditation activities because of the third party's shared SaaS delivery model.


The client needed the final solution to recognise this uncertainty while managing risk, security, and business benefits. 

Our Approach


To resolve their challenges, Tom and his team adopted an approach based on the principles of 'Secure by Design', working with the client's business and engineering representatives to jointly develop the optimum integration approach and security controls before implementation started.


The lack of assurance meant that the integration needed to treat the third-party SaaS as largely untrusted. The client had several architectural options, each with different implications for cost, timescale, risk profile, business efficiency, and future flexibility. Tom iterated the design with the client, helping them to select the best, most viable solution, reconsidering risk, compensatory controls, and benefits at each stage.


Adopting a risk-driven approach, Tom's critical first step was to identify the inherent risks that the change would introduce regardless of the integration approach. These risks were understandable to the non-security and non-technical communities. Getting stakeholder agreement on them ensured that all parties would recognise the constraints the solution would have to live within. The client proposed their preferred solution architecture, enabling Tom to assess the residual risk that the change would present, and propose additional security controls to bring that risk down to an acceptable level.


As Tom's work progressed, the client adjusted the solution architecture to address options that became unviable or inefficient. Alternative options and their implications were discussed. When changes had been decided, Tom quickly reviewed and updated the risks and security controls, introducing fast feedback into the design process, and ensuring that his architecture design was built with future flexibility internalised. The inherent risks did not remain static either, and were reviewed on each iteration, adding new risks that arose, and retiring redundant ones according to the proposed solution's characteristics.


Outcomes & Results


1. Faster, Cheaper Deployment

If security had been considered late in the change process, after implementation, it is likely that the solution design would have needed significant rework, that inefficient controls would have been retrofitted with a negative cost and operational impact, and/or that a higher level of risk would have been accepted. Tom and his team avoided these costly and unnecessary effects by getting early agreement on the risks that needed to be treated, and quickly iterating to an optimal solution with the client.

2. Long Lasting Solutions

This approach also aligned with the principles of embedding continuous assurance and making changes securely because all controls can be tied back to the risks that they are addressing; future changes will be able to refer to these dependencies and build on them rather than undermine the existing security.

3. Positive Reception

The Government end-client was delighted with the thoroughness of the analysis and documentation, had no concerns about the risk or mitigations proposed, and saw significant benefits in the collaborative approach that had been adopted.
