Jerry Perullo
Cybersecurity Advisor, Founder, and Professor
Published Dec 27, 2021
Since 2010, the Three Lines of Defense model has been widely adopted as an authoritative framework for operational and financial enterprise risk management across the globe. The model was not intended to dictate new positions and roles within an organization per se, but to evaluate existing structures to ensure sufficient coverage and independence to provide effective risk management. Even if you are not evaluated against the model today, it is a useful framework to gauge the maturity of your organization and prepare yourself for more advanced scrutiny as you grow.
While the original model and a 2020 "Three Lines Model" update were informed by decades of operational and financial audit, cybersecurity matured a bit late to inherit an obvious place within the paradigm. Likewise, the structure of cybersecurity in the enterprise and how security operations, risk management, and audit are positioned and overseen vary widely and lack consistency. The result is that Chief Information Security Officers (CISOs) differ significantly in their remits, reporting lines, and areas of expertise across firms. This presents challenges for external assessors ranging from auditors and regulatory examiners to Board Risk Committees when trying to apply a consistent evaluation approach across firms. Following is a discussion of where contemporary cybersecurity functions map to the Three Lines Model, where that mapping may identify benefits from independence or collaboration, and how enterprise risk management may prepare and adapt to different organization structures.
Applying the Three Lines Model
The Three Lines Model places first- and second-line functions under Management, with the third line provided by Internal Audit (with an emphasis on independence through accountability to the Governing Body). While the third line (Internal Audit) can and usually will conduct audits specific to Information Security, the independence requirements draw a clear distinction that prevents Information Security and the CISO remit from being categorized under the third line in any organization. There is active debate, however, over whether the CISO organization is a first- or second-line function.
The first line is primarily concerned with the delivery of business products and services, but it also includes support functions defined to cover "front of house" and "back office" activities. Second-line roles, on the other hand, assist with the management of risk. While all information security can be said to concern the management of risk in some capacity, some roles are not merely assisting but providing a direct operational capability. Examples include monitoring security alerts, conducting forensic analysis, and deploying intrusion prevention systems. While many organizations house some of these first-line functions under Information Technology outside the CISO remit, most will have at least some of them within the CISO organization. Those functions constitute the first line of an Information Security group: Incident Response, Security Operations Center (SOC) monitoring, Automation Engineering, Security Architecture consulting, design, and deployment, and the Data Science activities required to operate an effective Security Information and Event Management (SIEM) system.
Second-line roles focus on risk management objectives ranging from legal and regulatory compliance to broader risk management, and may include monitoring, testing, analyzing, and reporting on risk management matters. This definition matches a Governance, Risk, and Compliance (GRC) function within Information Security. Looking deeper, Red Teams, Application Security, and Third-Party Risk Management also perform proactive monitoring, testing, analyzing, and reporting, and thus are part of the second line of an Information Security group. These teams are likely to work closely with second-line groups outside Information Security such as Enterprise Risk Management (ERM).
In the diagram below, the IIA's Three Lines Model is depicted with Information Security functions overlaid.
Threat Intelligence
A Cyber Threat Intelligence (CTI) group uniquely spans the lines of defense depending on its specific day-to-day activities. When it supports the analysis of threat objectives to prioritize the program and contextualize the risk register, its function falls under the second line. When it delivers tactical intelligence indicators that are matched against detective controls in real time, on the other hand, it is performing a first-line function. Practically speaking, a CTI team may report through either line of defense in day-to-day management or - for the purists - report directly to an executive CISO to avoid any semblance of conflict.
Enter the CISO
Many organizations have established a Chief Information Security Officer with ostensible primary authority for all cybersecurity matters. The history of that position can often shed light on where the functions under the CISO fit in the Three Lines Model.
The First Line CISO
In many organizations, the CISO position was created in response to a tactical breach. In those cases, the CISO will often report to a CIO and be primarily occupied with first-line matters such as operating security monitoring tools and processes, incident response, and the architecture and deployment of preventative and detective controls. In the spirit of the Three Lines Model, these functions should be independent not only from the assessment of operating efficacy, but also from the strategic risk assessment that drives prioritization and the initial case for establishing controls. Organizations with a First Line CISO will often have second-line responsibilities falling within an Enterprise Risk Management (ERM) group, often led by a Chief Risk Officer. Some of the largest banks following the First Line CISO model have a Chief Technology Risk Officer owning second-line responsibilities around cybersecurity.
The Second Line CISO
At other organizations, the CISO position will be created in reaction to new governance and oversight structures. Sometimes these structures are established organically to respond to customer demands, third-party risk management findings, or investor pressure for stronger corporate governance standards. Other times, they are imposed by new regulators brought in by entrance into a new business or market, or by an equity listing on a public exchange. The CISO hired into this model will often have a risk management background, report to a Chief Risk Officer (CRO) or General Counsel (GC), and be primarily tasked with identifying and prioritizing the cybersecurity risks facing the organization. In satisfaction of the Three Lines Model, it is likely that the CISO in this instance does not have direct or indirect oversight over incident response or technical control deployment and operation. Organizations with a Second Line CISO may have first-line operational duties handled by IT or engineering.
The Executive CISO
At yet another type of organization - often firms with the greatest cybersecurity focus and largest teams - the CISO will be a peer of the CIO and CRO and own siloed teams that perform first- and second-line functions with independence from each other. In these cases the organization may use the term "Information Security" to encompass the entire CISO remit more broadly, with "Cybersecurity" reserved for the first line and "Security Assurance" applied to the second. Independent senior-level leadership will run each group under the CISO. The first-line Cybersecurity head will work closely with the CIO and IT to implement and operate controls, while the second-line Security Assurance head may work closely with the CRO to challenge and test controls, identify risks, and consolidate reporting through governance.
Conclusion
A governance body or third-party reviewer should ensure that the functions outlined across the first- and second-line Information Security definitions are assigned and that their management and operation enjoy independence from each other. Where the line is drawn, however, can vary. It is important to begin such an evaluation by identifying what type of CISO organization and reporting is in place and where those functions may gain independence by being housed outside the CISO in an IT or ERM program.
Christopher Burke
Manager @ Truist | Risk Management, Compliance, Cybersecurity
7mo
What are your thoughts / experience with organizations that have GRC as a 1st Line function? Line 1.5 evaluating the Cyber organization itself, and traditional Lines 2 and 3.
Mauro Rodrigues da Cunha, NACD.DC
Independent Director | Corporate Governance | Audit | Risk | People | ESG | Latino
1y
Jerry… thank you for sharing your article when we met at #CIIFall2022. It addresses with precision my worries in terms of org design for the CISO function. Congratulations. I will share with my peers.
Navrisk Consulting
2y
Well covered Jerry! This model has been adopted not only by financial institutions but by other large multinational organizations using high-end technology including AI. Ideally, while working in an organization based on these LODs, there should not be any hard lines, as the mere presence of structures which tend to define your status is an anathema amongst the new gen. A team approach is always successful. I would say the new IT/cyber security organizations continue to evolve based on learnings, experiences, emerging technologies & threats as well as organizational culture. I have personally observed many rapid evolutions in structures in the last fifteen years. Thanks for sharing.
Tim Bateson
Chartered Engineer and cybersecurity leader
2y
Dee Pang - Happy New Year! One for us to discuss at some point (perhaps mark up current team workload against this model, then overlay start/stop/continue?).
Sergej Epp
Cybersecurity | CISO at Palo Alto Networks | ex-Deutsche Bank
2y
Jerry, looking at Europe, things are again a bit different. For instance, regulators would often not allow the CISO to report to the CIO (as described in the "First Line CISO" option). However, what I like about your 3LOD organizational proposal is the equilibrium of technical capabilities between both the first and second line. Imagine a second line with the only mission to create endless policies and procedures which nobody takes into account. Clearly a model from the past, which does not fit any modern digital bank. Anyway, with 3LOD the regulators helped historically to increase the security mindset across all important security functions… the question is what's next in the evolution? Don't we need in FSI in general more 🥕 carrots and less sticks…?