In Defense of the Three Lines of Defense
Legend has it that President Kennedy once visited a NASA facility and asked a janitor what his job was, to which the janitor replied, ‘to put a man on the moon’. The veracity of the popular tale has been questioned, but not the lesson of complete organizational ownership it teaches.
I’m happy to see that lesson beginning to take hold regarding the complete organizational ownership of risk management and cyber security. At Mizuho, we have adopted a firm-wide belt-and-suspenders approach to risk management, widely known as “The Three Lines of Defense” (the 3LOD approach), to reduce operational risk. As adopted, it works to keep us safe and is indicative of the evolution of the role of today’s Chief Information Security Officer (CISO).
In my past life as an IT Auditor I recall being frustrated that the Internal Audit function seemed to be solely responsible for identifying risk and recommending methods for management to mitigate such risk. On the surface, the delineation of duties made sense. But Internal Audit reviewed a process on a periodic basis (e.g. annually), while business and technology management were involved in the process on a daily, real-time basis.
The expectation that technology management would own the risk, and that this ownership would cascade down through managers to the rest of the firm, was not being met. Cybersecurity was something that happened ‘over there’, away from the day-to-day operation and decision-making of the firm. When I moved into the CISO role, one of my first challenges was to change an ‘over there mentality’ into an ‘always here reality’.
The Three Lines of Defense is one of the most important steps toward a more secure cyber environment that an organization can adopt. If you try to attend every meeting on every technology, service, or product being introduced to your firm, your herculean efforts will likely result in a cybersecurity program functioning on a wing and a prayer. The solution to this debacle is a paradigm shift to a new approach: one that, at the very least, saves the CISO from major burnout, and at the same time gives your organization the best possible approach to identifying, managing and reporting on the health of its cyber security function.
As the CISO of Mizuho Americas, I am in the second line of defense reporting to the Chief Risk Officer (CRO). You might consider the CISO as the rules committee in any sport; Internal Audit (the third line of defense) as the referees who enforce the rules; and technology management and technology employees (the first line of defense) as the athletes who must constantly play by these rules.
Business and technology management execute processes and own and manage the risk; the CISO defines the security strategy and rules, reviews the processes to ensure effectiveness, and challenges management to ensure that the firm’s established security plan and approach are being adhered to; and Internal Audit conducts independent and objective oversight of the overall effectiveness of the program.
While I can’t claim any special credit for this, I do applaud Mizuho for recognizing the value of embedding security within all firm activities via the Three Lines of Defense approach. The financial services industry has been nudged in this direction through a series of breaches and tightened financial industry regulations. This approach is recognized by other industries as well.
My role as CISO is to reduce cyber security risk to my firm and make that approach a part of the corporate culture. With the support of management, the implementation of a Three Lines of Defense model helped to spread the art of risk management across the entire organization and ultimately reduced cyber risk to a level acceptable to the firm.
As you know, change is never easy. People are often creatures of habit and, therefore, may feel threatened by a change in the risk management approach; but once it is accepted, the realization that this change both strengthens and enriches management’s role becomes self-evident. When first initiated, you may hear this phrase repeatedly: “please explain the Three Lines of Defense to me again, I don’t understand it”. Unfortunately, you may find that this is often less indicative of a problem with understanding than of a problem with acceptance.
There may also be considerable resource requirements in order to implement this process, including people, time, energy, products and skillsets. The process requires planning for a shelf life that supports the long-term goals and technology environment of your firm. Flexibility and agility are also critical, as adjustments will need to be made. As a CISO, I can attest that this is as much a journey as it is a process.
The key benefits of the 3LOD approach regarding cyber security include:
• A common firm-wide understanding of the cyber security threats faced by the firm
• More involvement in risk identification by business and technology personnel, who are the day-to-day owners and operators of business processes
• An enhanced means of determining controls necessary to reduce identified or potential risk
• A heightened sensitivity to potential security risk events throughout the organization, and the ability to identify them as soon as possible (you cannot fix what you are unaware of or are hesitant to point out). The 3LOD approach enables personnel to point out potential risk without being subject to criticism
• A holistic approach to understanding and maintaining risk at an acceptable level, inclusive of senior management and Board Director personnel
While living in an ‘always here reality’ will require some effort on the part of your organization, the overall lasting benefits of the Three Lines of Defense cannot be disputed.