Take a Load Off: Delegate Cyber Risk Management Using the Three Lines of Defense Model

“Cybersecurity should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.” — Accenture, “The Convergence of Operational Risk and Cyber Security.”

Cyber risks: Everyone is talking about them, but most aren’t quite sure how to handle them. The situation for board directors is no different. While they have increased the amount of time and energy they are devoting to cyber risk management, many directors aren’t happy with the quality of the reports they’re getting, leading them to question whether the risks are being dealt with appropriately.

As a result, boards are putting the pressure on top management, which in turn puts pressure on the chief information security officer (CISO). And while many CISOs are now reporting directly to boards — as many as 27 percent, according to a recent PricewaterhouseCoopers (PwC) survey — board directors must avoid the temptation to micromanage the cybersecurity issue. It’s important to remember the simplistic description of the responsibilities of boards and management: Management executes while boards govern. The Harvard Law School Forum on Corporate Governance and Financial Regulation clarified the distinction further: “Good board members monitor, guide and enable good management; they do not do it themselves.”

The Three Lines of Defense for Cyber Risk Management

So to whom can board directors turn, other than top management and the CISO, to ensure they receive a true picture of the organization’s cyber risks and the effectiveness of its security strategy? That’s where a concept known as the Three Lines of Defense model comes in.

1. Management Control

The first line encompasses the information security department as well as various business units that own their cyber risks. These entities need to understand how their assets are vulnerable and actively manage their cyber risks within organizationally acceptable tolerances. Sometimes called management control, this function is tasked with managing cyber risks by executing various controls. This means handling risk events, updating key risk indicators (KRIs), and deploying and managing controls that affect people, processes and technology.

2. Risk Management

The second line of defense is composed of risk managers looking at aggregate risks at an enterprise level. It is often simply termed risk management but can also include compliance, legal, quality control and financial control.

The second line looks at cybersecurity control frameworks, defines KRIs and metrics, creates risk assessments, and tests and reviews conformance by tracking the actions of the first line of defense and analyzing the impact of those actions to determine their effectiveness in mitigating cyber risks. In other words, this function monitors how management is doing in its handling of cyber risks by determining the extent that risks are actively monitored and appropriately managed.

It is often performed under an umbrella of senior management and some board directors or a board-level committee, such as the audit committee or a risk committee. And, importantly, this second line can challenge the first line.

3. Internal Audit

The third line of defense is internal audit. It may also include input from external auditors and/or regulators. This function, sometimes termed independent assurance, evaluates the overall process of cyber risk governance for the entire organization. It ensures that the organization’s internal control framework is adequate for dealing with the risks the organization faces.

As with the second line of defense, the third line can push back on the assertions of the previous lines regarding the adequacy of the controls in place. This function usually reports directly to the board or the audit committee.

New Traps for Directors to Avoid

As boards get more frequent and lengthier updates from CISOs, it can be tempting for executives to use this new channel to get more deeply involved in what the organization is doing and how it is doing it. That is just one of the many traps directors must avoid. Below are some other common misconceptions that board directors should avoid when overseeing management of cyber risks.

  • Cybersecurity is primarily a technology issue and one piece of technology can fix it all.
  • Cybersecurity is something that can be fixed. Instead, board members should look at security as a process that will be part of the fabric of the organization for decades to come.
  • Management, left to its own devices, will give cyber risks the attention they deserve, fund the cybersecurity function to an appropriate level, and give the CISO the visibility and support he or she needs.
  • The CISO alone is in charge of security, even though security is a business issue and the CISO does not run the entire business. Instead, the second and third lines of defense should ensure that the organization deals with cyber risks as part of its enterprise risk management framework.
  • The CISO can be taken at his or her word. In many ways, the role of the CISO is about transparency and trust that the organization’s cyber risks are under control. Should this balance change, top leadership and board directors would be the first ones to know.

Preparing for Tomorrow’s Cyber Challenges

As former President Ronald Reagan famously said, “Trust, but verify.” Board directors should adopt a similar stance regarding cyber risks.

The Three Lines of Defense approach is the best way for an organization to track and act upon its cyber risks with a coordinated, enterprisewide strategy that produces measurements along the way to evaluate the impact of those actions. Given the rapid evolution of threats, and the strength and determination of modern attackers, organizations must survive today’s battles and take every opportunity to improve their ability to handle tomorrow’s challenges.

“Cybersecurity is no longer just about deflecting attackers. Today, it’s about figuring out how to manage and stay ahead of intruders who are already inside the organization.”Ernst & Young

Listen to the podcast series: Take Back Control of Your Cybersecurity now

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.