While many businesses will house some of these first-line functions under IT outside the CISO remit, most organizations will have at least some of these functions under the CISO. First-line functions within an information security group include:
- Incident response.
- Security operations centers.
- Monitoring of automation engineering.
- Security architecture consulting.
- Design.
- Deployment.
- Data science activities required to operate an effective security incident and event management system.
Second-line roles focus on risk management objectives that range from legal and regulatory compliance to broader risk management and include monitoring, testing, analyzing, and reporting on risk management matters. This definition matches a governance, risk, and compliance function within information security. Looking deeper, red teams, application security, and third-party risk management perform proactive monitoring, testing, analyzing, and reporting as well, and thus are part of the second-line function of an information security group. These teams are likely to work closely with second-line groups outside of information security, such as an enterprise risk management (ERM) group.
Enter the CISO
Many organizations have established a CISO. The history of that position can often shed light on where the functions under the CISO fit in the Three Lines Model.
The First-line CISO
In many organizations, the CISO position was created in response to a tactical breach. In those cases, the CISO will often report to a chief information officer (CIO) and be primarily occupied with first-line matters such as operating security monitoring tools and processes, incident response, and the architecture and deployment of preventative and detective controls. In the spirit of the Three Lines Model, these should be segregated not only from the assessment of operating efficacy, but also from any strategic risk assessment that drives prioritization and the initial genesis for control establishment. Organizations with a first-line CISO will often have second-line responsibilities falling within an ERM group led by a chief risk officer (CRO). Some of the largest banks following the first-line CISO model have a chief technology risk officer owning second-line responsibilities around cybersecurity.
The Second-line CISO
At other organizations, the CISO position may have been created in reaction to governance and oversight structures. Sometimes these structures have grown organically to respond to customer demands, third-party risk management findings, or investor pressure for stronger corporate governance standards. Other times, these structures are imposed by regulation. The CISO hired into this model will often have a risk management background, report to a chief risk officer or general counsel, and be primarily tasked with identifying and prioritizing the cybersecurity risks facing the organization. In satisfaction of the Three Lines Model, the CISO, in this case, is lacking the direct or indirect oversight over incident response or technical control deployment and operation. Organizations with a second-line CISO may have first-line operational duties handled by IT or engineering.
The Executive CISO
At yet another type of organization, the CISO will be a peer of the CIO and CRO and own segregated teams that perform first- and second-line functions. In these cases, the organization may use the term "information security" to more broadly encompass the entire CISO remit, with "cybersecurity" reserved for the first line and "security assurance" applied to the second. In these cases, separate senior-level leadership will run each group under the CISO. The first-line cybersecurity head will work closely with the CIO and IT to implement and operate controls. The second-line security assurance head may work closely with the CRO to challenge and test controls, identify risks, and consolidate reporting through governance.
Conclusion
A governance body or third-party reviewer should ensure the functions outlined across the first and second line information security definitions are tasked and that their management and operation are segregated from each other. Where the line will be drawn, however, can vary. It is important to begin such an evaluation by identifying what type of CISO organization and reporting is in place.