CyberSecurity Operations and the 3 Lines of Defense model
While the “3 Lines of Defense” model described by ISACA has demonstrated its efficiency, by splitting the responsibilities of governing and implementing CyberSecurity, on one hand, ensuring its compliance and proper impact on risk management, on the 2nd hand, and finally auditing proper execution of the first 2 functions on a 3rd hand, the need to ensure that CyberSecurity Operations are performed by and under the control of CyberSecurity professionals remains.
What I mean by CyberSecurity Operations is selecting, implementing, configuring, troubleshooting and updating CyberSecurity technologies that protect their organization.
In order to confirm this, I have interviewed various CISOs of large french companies belonging to very different verticals (banking and finance, insurance, luxury, cosmetics, health, retail, energy, communication, manufacturing, transportation). Here are the conclusions of this:
in terms of reporting line, CISOs mainly report to CIOs, but more and more to a COMEX member (which can be the CIO as well, but not only, eg: General Secretary, Risk Management and sometimes even CEO)
in almost all cases, CISOs are managing CyberSecurity Operations, at least on equipments that are dedicated to [advanced] pure CyberSecurity functions (eg: authentication, filtering, encrypting, data leak prevention, incident detection and response, etc.).
Network infrastructure equipments that are also involved in network segmentation may remain operated by infrastructure teams, provided that very clear rules are predefined to grant or reject network access rights, but that requires that infrastructure teams are aware, trained and fully accountable.
When such clear rules are defined, the objective and the trend are usually to automate (at least through a proper workflow) such management of network access rights, to optimize cost, agility, and risk management
In some cases, the infrastructure team staff in charge of managing such network segmentation is also reporting to the CyberSecurity team in dotted line
in terms of selection of CyberSec technologies, the CISO remains in charge of CyberSecurity market watch and selection of appropriate technologies, even if it’s often validated by the CIO and sometimes most of his direct reports as well (through a proper governance body). Of course, CISO is also consulted for the selection of other IT technologies as well
CISO also has the ability to perform audits by him/herself, provided that he/she finds/is given the necessary resources (people and budget) for that. Of course, it does not prevent many other controls or audits, to be performed by internal / external auditors, customers, insurance companies, certification bodies, and so on
similarly, incident response remains under the responsibility of CISO, both for triage, investigation, decision to respond, trigger a crisis, or close the incident
securing industrial systems (PLCs, HMIs, barcode readers, etc.) is also performed under the responsibility of CISOs, despite the fact that CIOs are not always in charge of managing the connection of such equipments to the network
when it comes to securing commercial products and services, CISO is often in charge of it, unless there is another dedicated VP who takes such responsibility. This does not prevent the CISO from being involved in analysis and risk management, ensuring the compliance to regulations, and having the ability to vet (or at least suggest to do so) improperly protected systems.
While the 3 Lines of Defense model focuses on the importance to split responsibilities (to avoid duplicated tasks, ensure Segregation of Duties and optimize cost), it does not describe at which level should arbitration / decision be performed.
For sure, CyberSecurity topic is more and more discussed by ExComm members but setting up arbitration / decision at that level would require that they have a deep understanding and experience on technological CyberSecurity topics. While this may be true for IT or CyberSecurity vendors, it’s usually not the case for other companies. As it is the same for global Security topics (securing people, premises, and information of all kind), gathering CSO, CISO, and EHS in a common team is also emerging but not yet quite adopted. Most of them collaborate a lot together, but are not [yet] reporting to the same individual in the organization.
With the emergence of several move-to-cloud projects, the need to recruit, upskill, and manage various CyberSecurity individuals, and the strong evolution of regulations, there is a growing need for all teams involved to be managed by CyberSecurity professionals who understand their daily job and the impact on the business. For such reason, I found interesting the idea that was given to me by one of the CISOs interviewed: “Let the CISO consolidate several Lines of Defense in his team, provided that each line is managed by a different direct report, while asking external auditors for an independant opinion on the efficiency of the protection of company’s assets, and how it benchmarks within his/her industry”.
To conclude, I would like hereby to thank all CISOs that have contributed to my survey, for their valuable inputs and thoughts on this crucial topic 😉 !