“Cybersecurity should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.” — Accenture, “The Convergence of Operational Risk and Cyber Security.”

Cyber risks: Everyone is talking about them, but most aren’t quite sure how to handle them. The situation for board directors is no different. While they have increased the amount of time and energy they are devoting to cyber risk management, many directors aren’t happy with the quality of the reports they’re getting, leading them to question whether the risks are being dealt with appropriately.

As a result, boards are putting pressure on top management, which in turn puts pressure on the chief information security officer (CISO). And while many CISOs now report directly to boards — as many as 27 percent, according to a recent PricewaterhouseCoopers (PwC) survey — board directors must avoid the temptation to micromanage the cybersecurity issue. It is important to remember the simple division of responsibilities between boards and management: Management executes while boards govern. The Harvard Law School Forum on Corporate Governance and Financial Regulation clarified the distinction further: “Good board members monitor, guide and enable good management; they do not do it themselves.”

The Three Lines of Defense for Cyber Risk Management

So to whom can board directors turn, other than top management and the CISO, to ensure they receive a true picture of the organization’s cyber risks and the effectiveness of its security strategy? That’s where a concept known as the Three Lines of Defense model comes in.

1. Management Control

The first line encompasses the information security department as well as various business units that own their cyber risks. These entities need to understand how their assets are vulnerable and actively manage their cyber risks within organizationally acceptable tolerances. Sometimes called management control, this function is tasked with managing cyber risks by executing various controls. This means handling risk events, updating key risk indicators (KRIs), and deploying and managing controls that affect people, processes and technology.

2. Risk Management

The second line of defense is composed of risk managers looking at aggregate risks at an enterprise level. It is often simply termed risk management but can also include compliance, legal, quality control and financial control.

The second line looks at cybersecurity control frameworks, defines KRIs and metrics, creates risk assessments, and tests and reviews conformance by tracking the actions of the first line of defense and analyzing the impact of those actions to determine their effectiveness in mitigating cyber risks. In other words, this function monitors how well management is handling cyber risks by determining the extent to which risks are actively monitored and appropriately managed.

This function is often performed under the umbrella of senior management together with some board directors or a board-level committee, such as the audit committee or a risk committee. Importantly, the second line can challenge the first line.

3. Internal Audit

The third line of defense is internal audit. It may also include input from external auditors and/or regulators. This function, sometimes termed independent assurance, evaluates the overall process of cyber risk governance for the entire organization. It ensures that the organization’s internal control framework is adequate for dealing with the risks the organization faces.

As with the second line of defense, the third line can push back on the assertions of the previous lines regarding the adequacy of the controls in place. This function usually reports directly to the board or the audit committee.

New Traps for Directors to Avoid

As boards get more frequent and lengthier updates from CISOs, it can be tempting for directors to use this new channel to get more deeply involved in what the organization is doing and how it is doing it. That is just one of the many traps directors must avoid. Below are some other common misconceptions that board directors should avoid when overseeing management of cyber risks.

  • Cybersecurity is primarily a technology issue and one piece of technology can fix it all.
  • Cybersecurity is something that can be fixed. Instead, board members should look at security as a process that will be part of the fabric of the organization for decades to come.
  • Management, left to its own devices, will give cyber risks the attention they deserve, fund the cybersecurity function to an appropriate level, and give the CISO the visibility and support he or she needs.
  • The CISO alone is in charge of security, even though security is a business issue and the CISO does not run the entire business. Instead, the second and third lines of defense should ensure that the organization deals with cyber risks as part of its enterprise risk management framework.
  • The CISO can be taken at his or her word. In many ways, the CISO’s role rests on transparency and on the trust that the organization’s cyber risks are under control. The misconception is that, should that situation change, top leadership and board directors would automatically be the first to know.

Preparing for Tomorrow’s Cyber Challenges

As former President Ronald Reagan famously said, “Trust, but verify.” Board directors should adopt a similar stance regarding cyber risks.

The Three Lines of Defense approach is the best way for an organization to track and act upon its cyber risks with a coordinated, enterprise-wide strategy that produces measurements along the way to evaluate the impact of those actions. Given the rapid evolution of threats, and the strength and determination of modern attackers, organizations must survive today’s battles and take every opportunity to improve their ability to handle tomorrow’s challenges.

“Cybersecurity is no longer just about deflecting attackers. Today, it’s about figuring out how to manage and stay ahead of intruders who are already inside the organization.” (Ernst & Young)
