Thursday, November 22, 2018

Three Lines of Defense & Cyber Risk

I’ve been reading and thinking a lot about the role each Line of Defense should play when it comes to cyber risk.

The Three Lines of Defense concept has been around for a long time. It provides a logical separation for organizational functions that sit in different parts of the company and have distinct (at least on paper) roles. It's a staple in highly regulated industries such as financial services.

As a reminder: 
  • The majority of an organization belongs to the first line. These are the groups that manage processes, take risks, and operate controls. Examples include Information Technology, Finance, Sales, Marketing, and Human Resources. 
  • A company’s compliance and risk functions that provide independent risk oversight constitute the second line. A good example is the Enterprise Risk Management function. 
  • The Internal Audit (IA) group that independently tests and validates the work of the first and second line is considered the third line.

Let’s start with the line that is easiest to understand in general: The third line! 

There is little debate about the role Internal Audit should play in helping the company manage its cyber risk. Depending on the size and complexity of the company, the IA group includes cyber risk in its own audit risk universe and performs periodic audits aimed at assessing the organization's cyber risk levels. 

The cyber audits may focus on systems, networks or business processes such as online banking. Specific audits may be designed to review emerging technologies such as the use of Cloud Computing or Artificial Intelligence. 

These audits assess the effectiveness of the work of the first and second lines and result in audit reports that usually ask the process/system/business owners to add or improve certain controls. 

It gets trickier when we move to the first and second lines, because not all companies have the same titles, reporting lines and roles. 

Let's look at some common challenges associated with the first and second lines when it comes to cyber risk management: 

Challenge #1: To which function does the Chief Information Security Officer (CISO) report?

According to K logix, more than 50% of CISOs report to the Chief Information Officer (CIO), 15% to the Chief Executive Officer (CEO), and the rest to the Chief Operating Officer (COO) or to the Risk groups. 

As we know, IT is considered a first line function. For this reason, CISOs who report to the CIO reside in the first line. The pros and cons of this structure are well documented. 

Pros include being part of the technology team, which means being part of the technology and security decision-making process. This can result in faster implementation of cyber risk mitigation solutions.

Cons include a potential conflict of interest between the CIO and the CISO: the CIO is both the CISO's manager and the owner of the systems the CISO is assessing. For instance, the CIO may decide, much to the CISO's chagrin, that cyber risk mitigation should take a backseat to delivering the outcomes other business units are pushing for.

Challenge #2: Does the company have a dedicated person/team managing cyber risk in the second line (i.e. in the Chief Risk Officer (CRO) organization)?

It depends on the company's size, complexity and industry. Bigger companies in financial services or health care usually have a dedicated focus on cyber risk in the second line, typically within the CRO organization. There are three scenarios I have seen most frequently: 

  • Mature companies, mostly in regulated industries, have started creating and filling C-level roles for Chief Technology Risk Officers (CTRO) reporting directly to the CRO. The CTRO is responsible for second line oversight of technology and cyber risk by providing effective challenge to the first line. The CTRO takes part in key decisions related to mitigating or accepting cyber risk and makes sure that the decisions taken by the organization are in line with its risk appetite.
  • Smaller companies, or those that do not rely heavily on technology, may not need a CTRO right away but may still want some level of second line oversight. In that case, they can run their cyber risk second line of defense program as part of their operational risk group or Enterprise Risk Management function. 
  • Finally, some organizations may not want to invest any resources in second line oversight of cyber risk. More often than not, the lack of a specific focus on cyber risk in the second line means these companies rely heavily on the first line and on the decisions made by the CISO and CIO, with no independent challenge of those decisions. 

Challenge #3: What is the level of collaboration among the CTRO, CISO, CIO and CRO? 

The level of collaboration will depend on the company's culture, the individuals filling those roles and other factors (such as regulators and the Board).

I will go with the assumption that the CIO and CISO are part of the first line, and the CRO and CTRO belong to the second (i.e., the first scenario above).

The beauty of this model, if executed right, is that the CRO and CTRO can provide essential support to the CIO and CISO in getting funding to mitigate key cyber risks. 

This offers a stark contrast to the viewpoint that the second line's main function is only to provide effective challenge, which could be interpreted as "saying no" to what the CIO or CISO would like to do. An effective partnership between the first and second line functions can set the company apart from others in managing cyber risk.

Challenge #4: How strong are the Lines of Defense as a whole?   

Many say that a company's cyber defenses are only as strong as their weakest link. However, if the company has successfully implemented a layered security approach with good compensating controls, it will be quite difficult to cause harm to that organization even if some cyber controls are compromised: an attacker who gets past one control still has to get past the others, and those other controls pick up the slack. 

We can apply a similar concept to the Lines of Defense. Ideally, we would like all Three Lines to be strong in dealing with cyber risk. 

But, this is rarely the case. 

Many times, one of the lines is stronger than the others and has to pull most of the weight in mitigating cyber risk. If one of the remaining two lines provides some level of support to the strong line, this may indeed work in the short to medium run. 

In the longer run, especially for bigger and global organizations, the company should ensure that each line pulls its weight. 

To summarize: 
  • CIOs and CISOs are usually in the first line. They manage the technology and security teams and the ongoing cyber and technology operations, and they make decisions on cyber risk on a daily basis.
  • CROs and CTROs generally sit in the second line. They support the CIO and CISO by providing them with a framework (policies, risk appetites, etc.) with which to manage cyber risk. They ensure that decisions related to accepting or mitigating cyber risk fall within the organization's agreed-upon risk appetite. They also help explain the importance of security to executive audiences and help secure funding to mitigate cyber risk.
  • IA, the third line, validates the effectiveness of both the first and second lines by performing periodic audits in cyber risk domains.
  • Mature companies that effectively leverage all three Lines will fare better in the long run in managing their cyber risk.  
Do you agree?