“Cybersecurity should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.” — Accenture, “The Convergence of Operational Risk and Cyber Security.”

Cyber risks: Everyone is talking about them, but most aren’t quite sure how to handle them. The situation for board directors is no different. While they have increased the amount of time and energy they are devoting to cyber risk management, many directors aren’t happy with the quality of the reports they’re getting, leading them to question whether the risks are being dealt with appropriately.

As a result, boards are putting the pressure on top management, which in turn puts pressure on the chief information security officer (CISO). And while many CISOs are now reporting directly to boards — as many as 27 percent, according to a recent PricewaterhouseCoopers (PwC) survey — board directors must avoid the temptation to micromanage the cybersecurity issue. It’s important to remember the simplistic description of the responsibilities of boards and management: Management executes while boards govern. The Harvard Law School Forum on Corporate Governance and Financial Regulation clarified the distinction further: “Good board members monitor, guide and enable good management; they do not do it themselves.”

The Three Lines of Defense for Cyber Risk Management

So to whom can board directors turn, other than top management and the CISO, to ensure they receive a true picture of the organization’s cyber risks and the effectiveness of its security strategy? That’s where a concept known as the Three Lines of Defense model comes in.

1. Management Control

The first line encompasses the information security department as well as various business units that own their cyber risks. These entities need to understand how their assets are vulnerable and actively manage their cyber risks within organizationally acceptable tolerances. Sometimes called management control, this function is tasked with managing cyber risks by executing various controls. This means handling risk events, updating key risk indicators (KRIs), and deploying and managing controls that affect people, processes and technology.

2. Risk Management

The second line of defense is composed of risk managers looking at aggregate risks at an enterprise level. It is often simply termed risk management but can also include compliance, legal, quality control and financial control.

The second line looks at cybersecurity control frameworks, defines KRIs and metrics, creates risk assessments, and tests and reviews conformance by tracking the actions of the first line of defense and analyzing the impact of those actions to determine their effectiveness in mitigating cyber risks. In other words, this function monitors how management is doing in its handling of cyber risks by determining the extent to which risks are actively monitored and appropriately managed.

It is often performed under an umbrella of senior management and some board directors or a board-level committee, such as the audit committee or a risk committee. And, importantly, this second line can challenge the first line.

3. Internal Audit

The third line of defense is internal audit. It may also include input from external auditors and/or regulators. This function, sometimes termed independent assurance, evaluates the overall process of cyber risk governance for the entire organization. It ensures that the organization’s internal control framework is adequate for dealing with the risks the organization faces.

As with the second line of defense, the third line can push back on the assertions of the previous lines regarding the adequacy of the controls in place. This function usually reports directly to the board or the audit committee.

New Traps for Directors to Avoid

As boards get more frequent and lengthier updates from CISOs, it can be tempting for executives to use this new channel to get more deeply involved in what the organization is doing and how it is doing it. That is just one of the many traps directors must avoid. Below are some other common misconceptions that board directors should avoid when overseeing management of cyber risks.

  • Cybersecurity is primarily a technology issue and one piece of technology can fix it all.
  • Cybersecurity is something that can be fixed. Instead, board members should look at security as a process that will be part of the fabric of the organization for decades to come.
  • Management, left to its own devices, will give cyber risks the attention they deserve, fund the cybersecurity function to an appropriate level, and give the CISO the visibility and support he or she needs.
  • The CISO alone is in charge of security, even though security is a business issue and the CISO does not run the entire business. Instead, the second and third lines of defense should ensure that the organization deals with cyber risks as part of its enterprise risk management framework.
  • The CISO can be taken at his or her word. In many ways, the role of the CISO is about transparency and trust that the organization’s cyber risks are under control. Should this balance change, top leadership and board directors would be the first ones to know.

Preparing for Tomorrow’s Cyber Challenges

As former President Ronald Reagan famously said, “Trust, but verify.” Board directors should adopt a similar stance regarding cyber risks.

The Three Lines of Defense approach is the best way for an organization to track and act upon its cyber risks with a coordinated, enterprise-wide strategy that produces measurements along the way to evaluate the impact of those actions. Given the rapid evolution of threats, and the strength and determination of modern attackers, organizations must survive today’s battles and take every opportunity to improve their ability to handle tomorrow’s challenges.

“Cybersecurity is no longer just about deflecting attackers. Today, it’s about figuring out how to manage and stay ahead of intruders who are already inside the organization.” (Ernst & Young)
