We have referenced this concept in previous blog posts on growing your Information Security Program and ensuring the independence of your Information Security Officer (ISO); however, we have not dug into the concept itself. I found myself revisiting it this week with an institution, so I wanted to seize the moment and share it with you all.
What is the Three Lines of Defense concept?
The Three Lines of Defense is a concept used in risk management to ensure that risks are appropriately managed. It’s very similar to the checks and balances we have, at least in concept, in the US Federal Government: the Legislative, Judicial and Executive branches. Each branch can monitor the actions of the others to ensure that checks and balances are in place, so that no one branch has too much power or the ability to abuse it.
It’s the same concept with risk management. Separate entities are needed to ensure that risk is appropriately managed, allowing an institution to meet its goals without taking on too much risk. This risk management principle has been around for many years; while I don’t have a date, I recall it really becoming mainstream in the early 2000s in the financial industry. It is recognized in IT frameworks including NIST, ISO, etc.
I came across a good infographic that explains the lines, their roles, and how they interact from the Institute of Internal Auditors, here: https://www.corporatecomplianceinsights.com/three-lines-model-short-shrift-compliance/
In essence, the three lines are as follows:
- Management & Operations
  - Deliver products and services.
  - Actively manage risk and implement controls.
- Risk Management
  - Oversee, advise, and support enterprise risk management.
  - Challenge the first line on risk-related matters.
- Internal Audit
  - Review and provide independent assurance and advice on the achievement of objectives, including risk management.
Why is this concept important?
While risk management is typically viewed as a compliance-related necessary evil, when implemented correctly it can be a strategic advantage that optimizes performance and helps meet goals.
In relation to information security, this means placing the leadership of the program in the second line of defense in order to manage the risk. Three reasons this is more effective leadership:
- It makes information security a cross-functional discipline, not just an IT problem. The second line of defense interacts, consults, and leads enterprise-wide. The statistics on the causes of incidents are clear: user error is involved in 88% of all data breaches. While the role has traditionally been viewed as technical in focus, the data has consistently shown that technical knowledge alone doesn’t solve the problem of protecting our data and systems. Technical knowledge is important, but it’s only one piece of the solution.
- Oversight and segregation of duties, the ‘challenge’ part of the risk management role, are important to ensure that risks are appropriately mitigated and managed within the institution’s risk appetite. Additionally, this enables the discovery of mistakes and ensures that the risk is fully mitigated, considering not only the technology but also the perspective of users and business processes.
Historically, this second-line, enterprise-level role for the ISO was something only the financial services regulators required. I expect we will see this role become more universal as other regulatory bodies begin to hold companies responsible for data breaches.
Case in point: the Uber data breach of 2016, where the CSO schemed to hide the discovery of the 57 million breached user records from the Federal Trade Commission. According to the U.S. Attorney’s office, Sullivan told his subordinates that “the story outside of the security group was ‘this investigation does not exist.’” Perhaps more oversight and effective challenge may have brought this to light earlier?
Another example lies in the SolarWinds breach of 2020, where the SEC alleged that SolarWinds’ public statements about its risks were at odds with its internal assessments, including a 2018 presentation by a company engineer shared internally, including with the CISO, stating that their remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late.” The SEC states that the CISO was aware of the cybersecurity risks and vulnerabilities but failed to resolve the issue or, at times, to sufficiently raise it further within the company. Was this risk within SolarWinds’ appetite? Perhaps independent oversight and management of the risks could have prevented this widespread breach.
Sources:
https://www.erm-academy.org/risk-management-knowledge/understanding-enterprise-risk-management/