Understanding the three lines of defence for information security

The three lines of defence model was pioneered by the Institute of Internal Auditors (IIA) and is a means by which effective risk management, including cyber risk and security management, can be governed, applied and assured. 

Organisations use this governance model to make sure that cyber risk is treated as a business issue and not just something for the IT department, and that it’s subject to ongoing improvement and scrutiny. It also ensures cyber security is supported by the effective separation of roles. 

By adopting the three lines of defence model, organisations can ensure that effective cyber risk management converges, mature their approach and improve the cyber risk culture within the organisation – this is often the key to unlocking true resilience. 

The three lines of defence explained: 

Before looking at why businesses adopt the three lines of defence model, it’s important to understand the role that each line of defence plays in helping to ensure cyber resilience. 

First line of defence: This covers the functions that have operational responsibility for owning and managing risk. This includes the managers and staff who make day-to-day decisions about risk in the best interests of the business.

Second line of defence: This covers the functions that provide guidance as to HOW risks should be managed on the first line of defence. This includes policies, standards and control frameworks. This line then monitors the extent to which this guidance is being followed and how effective it is. 

Third line of defence: This function (which typically focuses on internal audit) – provides independent assurance that the first two lines are operating effectively, in addition to making recommendations for improvement.

Why it’s important to use the three lines of defence: 

The three lines of defence model helps to ensure effective risk management coverage through continuous monitoring across the three lines. 

This approach leads to the maturing of cyber risk management due to the checks and balances taking place at all times, and the implementation of improvements when highlighted by these checks. 

Perhaps most importantly, it supports clear risk ownership and risk reporting to the board – at CRMG, we believe that effective cyber risk management must come from the top down and have buy-in and support at the board level. 

It also evidences responsible and effective management of cyber risk to internal and external stakeholders. 

Ultimately, the three lines of defence approach improves risk culture by moving away from a narrative of “it’s an IT problem for the IT team to resolve” to it being a business risk problem that all members of the organisation are responsible for and must play a part in. 

The challenges organisations can face when adopting the lines of defence approach: 

Perhaps the biggest issue that can arise with the lines of defence model is that some businesses simply apply it to existing practices; this runs the risk of turning it into a paper exercise rather than driving actual change. 

Implementing this model can also lead to a culture of mistrust as those on the first line of defence can feel as though those on the second line are trying to catch them out – the second line can also see the third line as acting in the same way towards them. 

This is why it’s important to create a cyber-aware culture within the organisation so that all employees understand the importance of cyber risk management and the collective and individual roles they play in ensuring resilience. 

With buy-in and support from senior management, the entire workforce is held to account within a cyber culture that doesn’t pinpoint responsibility and blame on a single team or individual. 

How to successfully deploy the three lines of defence model: 

The three lines of defence model should be just one part of the approach an organisation takes to cyber security. At CRMG, we champion taking a risk-based approach; our team can help businesses to clearly understand the specific risks they face and then put in place the right arrangements to mitigate them.