Blogs Jerry Perullo Feb 02, 2022
Have you ever wondered where the chief information security officer (CISO) fits within The IIA's Three Lines Model? The truth is there is no right answer, and different CISOs will perform different duties. However, identifying where your CISO fits can help guide your audit approach.
Within the Three Lines Model, the first line is primarily concerned with the delivery of business products and services, but it includes support functions defined to cover "front of house" and "back office." Second-line roles, on the other hand, assist with risk management. While it could be said that all information security tasks deal with the management of risk in some capacity, there are some roles that are not merely assisting, but providing a direct operational functionality. Examples include monitoring security alerts, conducting forensic analysis, or deploying intrusion prevention systems.
While many businesses will house some of these first-line functions under IT outside the CISO remit, most organizations will have at least some of these functions under the CISO. First-line functions within an information security group include:
Second-line roles focus on risk management objectives that range from legal and regulatory compliance to broader risk management and include monitoring, testing, analyzing, and reporting on risk management matters. This definition matches a governance, risk, and compliance function within information security. Looking deeper, red teams, application security, and third-party risk management perform proactive monitoring, testing, analyzing, and reporting as well, and thus are part of the second-line function of an information security group. These teams are likely to work closely with second-line groups outside of information security, such as an enterprise risk management (ERM) group.
Many organizations have established a CISO. The history of that position can often shed light on where the functions under the CISO fit in the Three Lines Model.
In many organizations, the CISO position was created in response to a tactical breach. In those cases, the CISO will often report to a chief information officer (CIO) and be primarily occupied with first-line matters such as operating security monitoring tools and processes, incident response, and the architecture and deployment of preventative and detective controls. In the spirit of the Three Lines Model, these should be segregated not only from the assessment of operating efficacy, but also from any strategic risk assessment that drives prioritization and the initial genesis for control establishment. Organizations with a first-line CISO will often have second-line responsibilities falling within an ERM group led by a chief risk officer (CRO). Some of the largest banks following the first-line CISO model have a chief technology risk officer owning second-line responsibilities around cybersecurity.
At other organizations, the CISO position may have been created in reaction to governance and oversight structures. Sometimes these structures have grown organically to respond to customer demands, third-party risk management findings, or investor pressure for stronger corporate governance standards. Other times, these structures are imposed by regulation. The CISO hired into this model will often have a risk management background, report to a chief risk officer or general counsel, and be primarily tasked with identifying and prioritizing the cybersecurity risks facing the organization. In satisfaction of the Three Lines Model, the CISO, in this case, is lacking the direct or indirect oversight over incident response or technical control deployment and operation. Organizations with a second-line CISO may have first-line operational duties handled by IT or engineering.
At yet another type of organization, the CISO will be a peer of the CIO and CRO and own segregated teams that perform first- and second-line functions. In these cases, the organization may use the term "information security" to more broadly encompass the entire CISO remit, with "cybersecurity" reserved for the first line and "security assurance" applied to the second. In these cases, separate senior-level leadership will run each group under the CISO. The first-line cybersecurity head will work closely with the CIO and IT to implement and operate controls. The second-line security assurance head may work closely with the CRO to challenge and test controls, identify risks, and consolidate reporting through governance.
A governance body or third-party reviewer should ensure the functions outlined across the first and second line information security definitions are tasked and that their management and operation are segregated from each other. Where the line will be drawn, however, can vary. It is important to begin such an evaluation by identifying what type of CISO organization and reporting is in place.