Cybersecurity in the Three Lines Model
Since 2010, the Three Lines of Defense model has been widely adopted as an authoritative framework for operational and financial enterprise risk management across the globe. The model was not intended to dictate new positions and roles within an organization per se, but to evaluate existing structures to ensure sufficient coverage and independence to provide effective risk management. Even if you are not evaluated against the model today, it is a useful framework to gauge the maturity of your organization and prepare yourself for more advanced scrutiny as you grow.
While the original model and a 2020 "Three Lines Model" update were informed by decades of operational and financial audit, cybersecurity matured a bit late to inherit an obvious place within the paradigm. Likewise, the structure of cybersecurity in the enterprise and how security operations, risk management, and audit are positioned and overseen vary widely and lack consistency. The result is that Chief Information Security Officers (CISOs) differ significantly in their remits, reporting lines, and areas of expertise across firms. This presents challenges for external assessors ranging from auditors and regulatory examiners to Board Risk Committees when trying to apply a consistent evaluation approach across firms. Following is a discussion of where contemporary cybersecurity functions map to the Three Lines Model, where that mapping may identify benefits from independence or collaboration, and how enterprise risk management may prepare and adapt to different organization structures.
Applying the Three Lines Model
The three lines model specifies first and second line functions falling under Management, with a third-line provided by Internal Audit (with an emphasis on independence via accountability to the Governing Body). While the third line (Internal Audit) can and usually will conduct audits specific to Information Security, independence requirements draw a clear distinction that prevents Information Security and the CISO remit from being categorized under the third line in any organization. There is active debate, however, between whether the CISO organization is a first or second line function.
The first line is primarily concerned with the delivery of business products and services, but includes support functions defined to cover "front of house" and "back office" functions. Second line roles, on the other hand, assist with the management of risk. While all information security can be said to concern the management of risk in some capacity, there are some roles that are not merely assisting but providing a direct operational functionality. Examples include monitoring security alerts, conducting forensic analysis, or deploying intrusion prevention systems. While many organizations will house some of these first-line functions under Information Technology outside the CISO remit, most will have at least some of these functions within the CISO organization. Those functions constitute first-line functions of an Information Security group including Incident Response, Security Operations Center (SOC) monitoring, Automation Engineering, Security Architecture consulting, design, and deployment, and the Data Science activities required to operate an effective Security Incident and Event Management system (SIEM).
Second-line roles focus on risk management objectives ranging from legal and regulatory compliance to broader risk management and may include monitoring, testing, analyzing, and reporting on risk management matters. This definition matches a Governance, Risk, and Compliance (GRC) function within Information Security. Looking deeper, Red Teams, Application Security, and Third-Party Risk Management perform proactive monitoring, testing, analyzing, and reporting as well and thus are part of the second-line function of an Information Security group. These teams are likely to work closely with second-line groups outside Information Security such as ERM.
In the diagram below, the IIA's Three Lines Model is depicted with Information Security functions overlaid.
Threat Intelligence
A Cyber Threat Intelligence (CTI) group uniquely spans the lines of defense depending on their specific day to day actions. While supporting the analysis of threat objectives for prioritizing the program and contextualizing the risk register, their function falls under the second-line. While delivering tactical intelligence indicators that are matched against detective controls in realtime on the other hand, they are performing a first-line function. Practically speaking, a CTI team may report through either line of defense in day to day management or - for the purists - report directly to an executive CISO to avoid any semblance of conflict.
Enter the CISO
Many organizations have established a Chief Information Security Officer with ostensible primary authority for all cybersecurity matters. The history of that position can often shed light on where the functions under the CISO fit in the three line model.
The First Line CISO
In many organizations, the CISO position was created in response to a tactical breach. In those cases, the CISO will often report to a CIO and be primarily occupied with first-line matters such as operating security monitoring tools and processes, incident response, and the architecture and deployment of preventative and detective controls. In the spirit of the Three Lines Model these should be independent from not only the assessment of operating efficacy, but also from strategic risk assessment that drives prioritization and the initial genesis for control establishment. Organizations with a First Line CISO will often have second-line responsibilities falling within an Enterprise Risk Management (ERM) group often led by a Chief Risk Officer. Some of the largest banks following the First Line CISO model have a Chief Technology Risk Officer owning second-line responsibilities around cybersecurity.
The Second Line CISO
At other organizations, the CISO position will be created in reaction to new governance and oversight structures. Sometimes these structures will be established organically to respond to customer demands, third-party risk management findings, or investor pressure for stronger corporate governance standards. Other times, these structures will be imposed by new regulators brought in by entrance into a new business or market, or by an equity listing on a public exchange. The CISO hired into this model will often have a risk management background, report to a Chief Risk Officer (CRO) or General Counsel (GC), and be primarily tasked with identifying and prioritizing the cybersecurity risks facing the organization. In satisfaction of the Three Lines Model it is likely that the CISO in this instance does not have direct or indirect oversight over incident response or technical control deployment and operation. Organizations with a Second Line CISO may have first line operational duties handled by IT or engineering.
The Executive CISO
At yet another type of organization - often firms with the greatest cybersecurity focus and largest teams - the CISO will be a peer of the CIO and CRO and own siloed teams to perform first and second line functions with independence from each other. In these cases the organization may use the term "Information Security" to more broadly encompass the entire CISO remit, with "Cybersecurity" reserved for the first line and "Security Assurance" applied to the second. In these cases independent senior-level leadership will run each group under the CISO. The first line Cybersecurity head will work closely with the CIO and IT to implement and operate controls, while the second line Security Assurance head may work closely with the CRO to challenge and test controls, identify risks, and consolidate reporting through governance.
Conclusion
A governance body or third-party reviewer should ensure the functions outlined across the first and second line Information Security definitions are tasked and that their management and operation enjoy independence from each other. Where the line will be drawn, however, can vary. It is important to begin such an evaluation by identifying what type of CISO organization and reporting is in place and identifying where those functions may gain independence by being housed outside the CISO in an IT or ERM program.
References