Chapter 1
What does the 3LoD model mean for the CISO?
While each LoD contributes to the overall security posture of the organization, there are clear differences between their responsibilities.
The 2nd LoD, at the center of our risk management model, plays a pivotal role: it provides guidance on risk management while also controlling whether that guidance is effective. In a nutshell, the 2nd LoD defines the boundaries within which the 1st LoD can manage its risks. Additionally, the 2nd LoD controls the effectiveness of the controls implemented by the 1st LoD to ensure that the risks are managed within those agreed boundaries. The 2nd LoD is also in charge of reporting the risks to management and the board of directors (BoD). As the risk-taker, the 1st LoD is responsible for striking a balance between enabling the business by providing the services needed and putting in place the controls necessary to safeguard the assets of the organization. The complexity of that task comes from the uniqueness of each organization, its respective risk appetite and risk tolerance, as well as the fast-changing cyber threat landscape. Finally, the 3rd LoD, as an independent function, assesses the conduct of the other lines of defense and reports to the senior management (SM) of the organization.
If the 1st LoD takes risks and the 2nd LoD manages and controls those risks, where does that leave the Chief Information Security Officer (CISO) or the CISO Office? Banks and insurers differ in where they place it: some prefer to run it as part of Risk & Compliance, while others place it closer to the IT Security function. Wherever it goes, what are the expectations of the CISO?
The CISO is essentially responsible for developing and implementing an information security (IS) program across the organization, with the aim of protecting its assets. In other words, the CISO will support the organization in increasing the information security and cyber awareness of its people, bolstering its processes, and strengthening its technology. In well-established and mature financial institutions, the IS program is structured according to industry-leading frameworks (e.g., NIST CSF, ISO 27001) to ensure a holistic and exhaustive approach.
Chapter 2
What’s the trade-off between the 1st and 2nd LoD?
There are certain dependencies between the lines of defense – and four dimensions to consider.
Each organization will have to explore individually how to best balance the advantages and drawbacks for their own needs. In this chapter, we explore the pros and cons of positioning the CISO in either the 1st LoD (scenario 1) or the 2nd LoD (scenario 2). More specifically, we will contrast four dimensions of the trade-offs:
Chapter 3
Should you position your CISO in the 1st LoD or 2nd LoD?
The short answer is: it depends. Besides your organization and overall situation, it’s worth taking into account regulators’ expectations.
Financial regulators such as FINMA or the SEC have defined principles that must be applied in order to conduct business. The interpretation of these principles is up to each organization, as long as the actual implementation satisfies the regulators' expectations. For example, the Swiss financial regulator mandates segregation of duties between the parties involved in risk management (FINMA Operational Risk 08/21). While some banks address this by positioning the CISO in a different segment of the organization (2nd LoD), others implement restrictive measures that enable the segregation of duties within the same part of the organization. Thus, it is not surprising that the regulator would have greater concerns when the application of such a principle is not obvious. Likewise, if the organization has faced prior cases of conflicts of interest and doubt has emerged as to the effectiveness of segregation, it may be worth considering a different setup.
To bridge this chasm, some organizations have taken an alternative approach to the traditional 3LoD risk management model: the 1.5 LoD (sometimes also referred to as 1.b LoD). This sees the 1st LoD requalified as IT Ops. Hybrid approaches like this can be observed mainly in large and complex financial institutions and consist of positioning the CISO on its own, between the IT function and the overall risk function. While this alternative model directly addresses the challenges of conflicts of interest and independence of the team, it does not yet put the CISO on an equal power footing with IT Ops.
Summary
The positioning and power of the CISO in an organization will influence the risk of conflicts of interest. While leaders face trade-offs in reshaping their organizational structure, consideration should be given to the four dimensions explored in this article. Additionally, insight into industry trends, the capabilities to successfully drive transformations, and close collaboration with market regulators are essential for organizations seeking to shape their future cyber operating model.
Acknowledgement
We thank Anthony Kieffer for his valuable contribution to this article.