Managing and Monitoring Cyber Risk: Leveraging the 3-Lines of Defense

By: Aaron Kerr, Director of IT Risk Advisory & Security


There are two types of companies: those that have been hacked and those that don’t know they have been hacked. Cyber threats continue to evolve, and the “bad guys” are getting increasingly sophisticated. Due to the significant costs and technical expertise required to arm an organization against cyber threats, many small and middle-market organizations are behind in establishing an effective mix of people, processes, and technologies to mitigate and manage cyber risk. Estimates of the cost of cyber threats worldwide are around $500 Billion today, and a recent article by Forbes (1) suggests that cyber-crime costs will reach $2 Trillion by 2019.

Cyber-attacks began in the late 1980s and picked up steam throughout the 1990s. In the mid-2000s, the first high-profile attack on customer credit card information, against TJX, owner of TJ Maxx, introduced the general public to the topic of cybersecurity. In 2013, Target Stores was breached via one of its third-party vendors; this highlighted the challenges of a fragmented network perimeter and the importance of tightly integrated security tools and supporting processes.

Attacks continue to grow more sophisticated, and organizations’ responses have ranged from accepting the likelihood of a breach to implementing broad, sweeping initiatives designed to mitigate the damage from a cyber-attack. While the initial organizational response was often to conceal breaches from the public, effective management, triage, and communication of breaches to affected parties have become increasingly important for minimizing reputational risk.

Government intervention has forced the issue for many industries, including increased regulation of IT security in industries such as Finance (Consumer Data Security and Notification Act) and Healthcare (HIPAA). Due to this increased governmental scrutiny, highly regulated industries and proactive large public organizations are typically better prepared to acknowledge cyber risk and implement strategies to address it.

The companies that have successfully reduced the risk of cyber threats have established the 3 lines of defense approach. The key to successfully implementing this approach is creating an effective governance structure; continuous communication and training for each stakeholder group on their role in managing cyber risk; and monitoring and validating the processes and technologies being leveraged to mitigate cyber risk.

Stakeholders across the 3 lines and establishing an effective governance structure

Everybody is an interesting target to someone. While the three separate lines of defense may blur in smaller companies, security is everyone’s responsibility. Large publicly-traded companies are accustomed to defined risk matrices and control activities. These methods can also be implemented by small and middle-market organizations in order to manage risk. Large companies are also more likely to survive a hacking incident than a smaller or middle-market company. While Target has largely recovered from the financial loss of the 2013 breach, a Google search related to the event also references Fazio Mechanical Services, the third-party vendor that gave the Target hackers their opening. It is hard to imagine Fazio’s sales have skyrocketed since 2013. Since no company is immune to cyber threats, both small and large entities must actively assess their security posture.

Regardless of company size, establishing the right governance structure and applying the appropriate framework is key to assessing the security posture of the company. Cyber risk management affects every employee, board member, and contractor of an organization. Each stakeholder has a responsibility to understand what is required to protect company assets and critical data. Companies are responsible for developing a cyber risk management program to ensure all stakeholders are informed and fulfill their cybersecurity responsibilities.

Successful cyber risk management programs can often be broken down into 3 lines of defense. The first line of defense is generally the Company’s IT Security and Operations team. The second line of defense is the Company’s oversight function and often includes an IT Security Steering Committee or other cross-functional management team. The third line of defense is often the Company’s Internal Audit or Compliance function, which assesses the effectiveness of the first- and second-line activities.

The tactical analysis and cyber mitigation techniques of front-line personnel are traditionally managed by a Security Operations Center (SOC) and/or IT Operations Management. These first-line defenders monitor events and own the management and oversight of the security architecture. This group has primary responsibility for the organization’s cybersecurity posture. Management and responsible users mitigate risks by performing control activities, reporting issues to Senior Management, and working to remediate identified deficiencies. This may include monitoring network traffic, classifying events as part of the organization’s incident response plan, and managing the firewalls, data encryption, and intrusion detection and prevention solutions.

The second line of cyber risk defense is made up of the Compliance or Risk Management function, which has a key role in the IT Security Steering Committee. The IT Security Steering Committee is important because it should include key business leaders and allow for an enterprise-wide discussion of cybersecurity risks and their potential impact on the organization. The Risk Management function’s responsibilities include implementing IT risk policies and procedures and providing the accepted risk management framework (e.g. the 2014 National Institute of Standards and Technology (NIST) Cybersecurity Framework) to guide and educate operational managers. Risk Management also monitors compliance with IT controls and provides analytical results to Senior Management via dashboard reporting (e.g. the current tier of the NIST Cybersecurity Framework).

Internal audit and compliance functions provide the third line of defense by testing the effectiveness of management’s cybersecurity processes and controls, as well as validating compliance with the NIST Cybersecurity Framework. These functions provide valuable insight to business management on the current state of the organization’s cybersecurity posture by using a combination of methods. These methods include, but are not limited to, process-oriented reviews (e.g. review of the current NIST cybersecurity tier), detailed security analytics (e.g. an independent assessment of network events to confirm the first line of defense is effective), periodic compliance audits as necessary (e.g. HIPAA, PCI), and vulnerability and penetration testing. It is important to note that internal audits and assessments are treated as a third line of defense and should not be considered effective risk mitigation techniques on their own.

Clearview’s Perspective

We believe that, given the increasing complexity and dynamic nature of technology and the cyber threat landscape, things will get worse before they get better. The more activities and products get automated (e.g. the Internet of Things initiative), the more challenging it becomes to mitigate and manage the risk of cyber threats.

At Clearview, our team has established a proprietary process to help companies of all sizes and industries assess their security posture against the NIST Cybersecurity Framework. As a result of these assessments, we have helped many organizations enhance their security environment by practically leveraging the 3 Lines of Defense framework. Small to mid-market companies may have some of those lines blurred across roles because of resource limitations, so we make sure to help them implement practical policies, processes, and technologies to enhance their posture. Within larger organizations with a more mature security environment, we have provided expertise across all three lines:

  • 1st Line – Establishing security training programs to increase awareness, executing simulated phishing and social engineering attacks to facilitate learning, implementing best-in-breed security technologies, and providing subject-matter IT Security guidance and support
  • 2nd Line – Establishing or managing an IT Compliance or IT Risk Management function
  • 3rd Line – Managing IT Security Assessments that include real-time analysis of cyber threats, and conducting IT Compliance audits

Forbes Link:
