When vCISO Services, LLC engages with a small or midsized business (SMB) interested in our services, we provide a brief overview of the Three Lines of Defense (3LoD) model. We have found this approach to be quite effective when explaining information security risk to SMBs. We believe SMBs need a core understanding of the 3LoD to understand information security effectively and holistically, and how it impacts their business. But it took a while for us to reach that approach.

In the Beginning

My first approach to explaining our services to prospects, when I founded vCISO Services, LLC in 2017, was what I thought basic, simple, and pragmatic. We believe most SMBs do not need the expense of a full-time Chief Information Security Officer (CISO), but they do need that experience and skill set. Therefore, the simple (and, I thought, most effective) explanation was that a Virtual CISO (vCISO) provides the same services as a CISO, just part time.

However, I soon discovered that I had made an error of assumption. Large businesses understand what a CISO is and does, and their value to the business. Most SMBs, in my experience, do not. The common yet incorrect assumption is that a CISO, and by extension a vCISO, is a technical position. “You’ll be managing our firewalls? You configure antivirus? We have an MSSP for that.” No, a virtual CISO should not manage firewalls or configure antivirus; they are a strategic business resource. But how best to convey that?

I pivoted to explaining what information security is, and that IT security (or cybersecurity) is a subset of information security dealing with technical controls. I then explained that vCISOs, like CISOs, examine risks to information security and make appropriate control recommendations, and that the controls need not be limited to technical actions. A word of advice to anyone dealing with SMBs that have never undergone an audit: they often do not grasp the concept of a control. They may see the word as negative, leading to the false assumption that information security is all about saying no, you can’t do that, when the intent is the exact opposite: to enable the business to do all it needs to do while minimizing risk to information.

3LoD Explained

I was closer to conveying the value of a virtual CISO but needed a different approach. I reached into my career history for the answer.

My last full-time corporate position before going independent was as CISO for a community institution, a bank with approximately $4.2 billion in assets, so not a small bank but certainly not a large, nationwide one. Banks, by their nature, achieve profitability by effectively managing risk. It costs money to earn money (the efficiency ratio), so banks want to manage every aspect of risk to their business.

Banks deal with nine categories of risk: credit, interest rate, liquidity, price, foreign exchange, transaction, compliance, strategic, and reputation[1]. Banks therefore understand risk well, and usually have a Chief Risk Officer (CRO) to manage those risks. If I had my way, I’d require all CISOs to do a stint in security at a bank; it would enhance their understanding of risk. It was during my time there that I perfected my understanding of the 3LoD model.

“The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.”[2] I like to explain it further in simple terms relative to information security:

    • First Line – Operational IT security management, e.g., configuration of firewalls and SIEMs, patch management. The first line implements and manages cyber (technological) controls.

    • Second Line – Risk management, e.g., risk assessments, control evaluation and efficacy, governance, compliance. The second line ensures risks are identified, tracked, and managed. I believe one of the most effective tools of the (v)CISO is the Information Security Risk Assessment (ISRA).

    • Third Line – Audit, e.g., SOC 2, financial regulatory examination. The third line ensures the first and second lines are performing their roles effectively.

I then explain that the virtual CISO falls in the second line. This leads to a discussion of the necessity of keeping the lines separate.

Separation of Duties

Certain aspects of information security should be kept separate. For example, system administrators should create and manage user accounts but should not review them for correctness, as that opens the possibility of creating and hiding privileged accounts that can be leveraged for fraud. Another example is firewall management: the first line should implement firewall rules, but the rule base should be reviewed by an independent party to ensure no gaps are intentionally or unintentionally created.
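As an added example (not code from the original article or from vCISO Services, LLC), here is the kind of independent second-line check the two separation-of-duties cases above call for, in Python: one function reconciles privileged group membership against an approved register that the account administrators do not control, and the other flags firewall allow rules whose source, destination, or port is broader than a threshold. The account and rule data are constructed for illustration, and the field names, group names, and prefix-length thresholds are assumptions rather than any particular directory or firewall product's export format.

```python
"""Independent review checks for two first-line activities: privileged
account creation and firewall rule management.  Added example; all data
below is constructed and the field/group names are assumptions."""

from dataclasses import dataclass
from ipaddress import ip_network

# Assumed set of groups that confer administrative privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo", "wheel"}


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset
    enabled: bool


# Constructed sample of what a directory export might look like after the
# first line has created accounts.  'svc-backup' is an enabled privileged
# account that nobody outside the admin team approved.
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"Domain Admins", "Users"}), True),
    Account("bob", frozenset({"Users"}), True),
    Account("svc-backup", frozenset({"Domain Admins"}), True),
    Account("carol", frozenset({"sudo"}), False),
]

# Constructed approved register, maintained by the second line rather than
# by the administrators who create the accounts.
APPROVED_PRIVILEGED = {"alice", "carol"}


def find_unapproved_privileged(accounts, approved, privileged_groups=PRIVILEGED_GROUPS):
    """Return names of enabled accounts that hold a privileged group but are
    absent from the approved register.  Disabled accounts are skipped because
    they cannot be used until someone re-enables them (which would itself
    show up on the next review)."""
    return sorted(
        a.name for a in accounts
        if a.enabled and a.groups & privileged_groups and a.name not in approved
    )


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # single port, range "a-b", or "any"


# Constructed rule base.  Rule 20 exposes a whole subnet to the Internet on
# every port; rule 30 lets all of 10/8 reach anywhere on SSH.
SAMPLE_RULES = [
    Rule(10, "allow", "10.0.1.0/24", "10.0.2.10/32", "443"),
    Rule(20, "allow", "0.0.0.0/0", "10.0.2.0/24", "any"),
    Rule(30, "allow", "10.0.0.0/8", "0.0.0.0/0", "22"),
    Rule(40, "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def _is_broad(cidr, max_prefix):
    """A network is 'broad' when its prefix is no longer than max_prefix
    (e.g. /0 or /8 when the threshold is /16)."""
    return ip_network(cidr, strict=False).prefixlen <= max_prefix


def find_permissive_rules(rules, max_src_prefix=16, max_dst_prefix=16):
    """Flag allow rules with a broad source, a broad destination, or an
    'any' destination port.  Returns a list of (rule_id, reasons) so the
    reviewer can take each finding back to the first line."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        reasons = []
        if _is_broad(r.src, max_src_prefix):
            reasons.append("broad source")
        if _is_broad(r.dst, max_dst_prefix):
            reasons.append("broad destination")
        if r.dport == "any":
            reasons.append("any port")
        if reasons:
            findings.append((r.rule_id, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    print("Unapproved privileged accounts:",
          find_unapproved_privileged(SAMPLE_ACCOUNTS, APPROVED_PRIVILEGED))
    for rule_id, why in find_permissive_rules(SAMPLE_RULES):
        print(f"Rule {rule_id}: {why}")
```

The point of the design is who owns the inputs: the account export and rule base come from the first line, but the approved register and the thresholds belong to the reviewer, so an administrator cannot make a finding disappear by editing the same system they administer.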

Once SMBs understand the business benefits of maintaining separation of duties, the 3LoD model becomes much easier to understand. They also often see that audit is not an enemy, as it is in their business’s best interest that the first and second lines operate correctly. Because this is a business communication approach, the C-suite and the Board of Directors can now relate to the 3LoD.

The result is that explaining what a virtual CISO does, and why it can be an important service for SMBs, becomes a simple exercise. The virtual CISO operates strictly in the second line of defense and is a risk management professional. They must have the technical expertise to understand all first-line activities and the business acumen to convey risk to audit, executive management, and the board. One can see that the virtual CISO must have deep risk management experience.

Why this is Important to SMBs

Once SMBs appreciate the basics of the 3LoD, aligning their enterprise risk management program[3] with information security becomes possible. Information security becomes a business enabler instead of a cost center because the C-suite and the Board of Directors understand the benefits of having (and the risks of not having) a holistic information security program. Businesses that never understand the 3LoD model will never have proper information security governance, and therefore any information security program they try to implement will be reactionary and full of gaps.

Originally published on SecureTrust at https://securetrust.io/cybersecurity-insights/three-lines-of-defense-model/

Photo by Dan Nelson on Unsplash


[1] https://www.occ.treas.gov/news-issuances/news-releases/1996/nr-occ-1996-2a.pdf

[2] https://www.techtarget.com/searchCIO/definition/three-lines-model

[3] All businesses have an ERM program, even if informal and not documented, because all businesses identify and address business risks, else they don’t remain in business long.