SecureTrust Cybersecurity
Contents
The Three Lines Of Defense For SMBs

The Importance of the Three Lines of Defense to SMBs

When my firm vCISO Services, LLC engages with an SMB interested in our services, we provide a brief overview of the Three Lines of Defense (3LoD) model.

We have found such an approach to be quite effective when explaining information security risk to small and midsized businesses (SMBs).

We believe SMBs need a core understanding of the 3LoD to understand information security effectively and holistically and how it Impacts their business.

But it took a while for us to reach that approach.

In the Beginning

My first approach to explaining our services to prospects, when I founded vCISO Services, LLC in 2017, was what I thought was basic, simple, and pragmatic.

We believe most SMBs do not need the expense of a full-time Chief Information Security Officer (CISO) but they do need their experience and skill set.

Therefore, the simple (and I thought what would be most effective) explanation is that a Virtual CISO (vCISO) provides the same services of as a CISO, just part time.

However, I soon discovered that I made an error of assumption.

Large businesses understand what a CISO is and does and their value to the business. 

Most SMBs, in my experience, do not.

IT professional effortlessly managing a server

The common yet incorrect thought is that a CISO, and by extension a vCISO, is a technical position.

“You’ll be managing our firewalls? You configure antivirus? We have an MSSP for that.”

No, a virtual CISO should not manage firewalls or configure antivirus, they are a business strategic resource.

But how best to convey it?

I pivoted to explaining what information security is, and that IT security (or cybersecurity) is a subset of information security dealing with technical controls.

I then explained that vCISOs, like CISOs, examine risks to information security and make appropriate control recommendations, and the controls need not be limited to technical actions.

A word of advice to anyone dealing with SMBs who have never undergone an audit, they often do not grasp the concept of a control.

They may see the word as negative, leading to false assumptions that information security is all about saying no, you can’t do that, when the intent is the exact opposite – to enable the business to do all it needs to do, while minimizing risk to information.

The Three Lines Of Defense

The Three Lines Of Defense Explained

I was closer to conveying the value of a virtual CISO but needed a different approach. I reached into my career history for the answer.

My last full-time corporate position before going independent was as the CISO for a community institution, a bank with approximately $4.2 billion in assets, so not a small bank but certainly not a large, nationwide one.

Banks, by their nature, achieve profitability by effectively managing risks. It costs money to earn money (efficiency ratio), therefore banks desire to manage all aspects of risk to their business.

Banks deal with nine categories of risk:

  1. Credit
  2. Interest rate
  3. Liquidity
  4. Foreign exchange
  5. Transaction
  6. Compliance
  7. Strategic
  8. Reputation

Therefore, banks understand risk well, and usually have a Chief Risk Officer (CRO) to manage those risks.

If I had my way, I’d require all CISOs to do a stint in security for a bank; it would enhance their understanding of risk.

It was during my time there that I perfected my understanding of the 3LoD model.

The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.

I like to further explain it in simple terms relative to information security: 

  • First Line  –  Operational IT Security Management, e.g., configuration of firewalls and SIEMs, patch management. First line involves implementation and management of cyber (technological) controls. 
  • Second Line  –  Risk Management, e.g., risk assessments, control evaluation and efficacy, governance, compliance. Second line ensures risks are identified, tracked, and managed. I believe one of the most effective tools of the (v)CISO is the Information Security Risk Assessment (ISRA). 
  • Third Line  –  Audit, e.g., SOC2, financial regulatory examination. The third line ensures first and second line are performing their roles effectively. 

I then explain the virtual CISO falls in the second line.

This then leads to a discussion of the necessity of keeping the lines separate. 

Separation of duties in cybersecurity

Separation Of Duties

Certain aspects of information security should be kept separate.

For example, system administrators should create and manage user accounts but should not review them for correctness, as that opens the possibility of creating and obfuscating privileged users that can be leveraged for fraud.

Another example is firewall management; the first line should implement firewall rules, but the rule base should be reviewed by an independent party to ensure no gaps are intentionally or unintentionally created.

Once SMBs understand the business benefits of maintaining separation of duties, the 3LoD model becomes much easier to understand.

They also often see that audit is not an enemy, as it is in their business’s best interest that the first and second lines operate correctly.

As this is a business communication approach, the C-suite and the Board of Directors can now relate to the 3LoD.

The result is explaining what a virtual CISO does, and why it can be an important service for SMBs, becomes a simple exercise.

The virtual CISO operates strictly in the second line of defense and is a risk management professional.

They must have the technical expertise to understand all activities of the first line and the business acumen to be able to convey to both audit and executive management and the board.

One can see that the virtual CISO must have deep risk management experience.

Why this is Important to SMBs

Once SMBs appreciate the basics of the 3LoD, aligning their enterprise risk management program with information security becomes possible.

Information security becomes a business enabler instead of a cost center because the C-Suite and the Board of Directors understand the benefits of having (and risks of not having) a holistic information program.

Businesses that never understand the 3LoD model will never have proper information security governance, and therefore any information security program they try to implement will be reactionary and full of gaps.

Related Content

 Greg Schaffer
Greg Schaffer

With over 33 years of experience in information technology and security, Greg Schaffer is a seasoned information security executive and founding principal of vCISO Services, LLC.

Share This Article

Subscribe to SecureTrust newsletter

Get the week’s best
cybersecurity content.
Sign Up >

Join 10,000 Subscribers

AI & Cybersecurity Insights
Delivered To Your Inbox

SecureTrust Cybersecurity Powered By Helios