Three Lines of Defence for Cyber Risk Management: Security Checks and Balances
Cyber risk is now a key risk on the agenda of boards and senior management. Organisations need the right structure and framework to provide adequate checks and balances, and to ensure that cyber risks are identified and managed at the organisational level rather than being left to the CISO and/or the cyber security team. It is also important to recognise that cyber security is not purely a technology issue: it requires the right combination of People, Process and Technology as part of a holistic risk management approach. The Three Lines of Defence model has been used in the financial services industry for many years for Governance, Risk management and Compliance (GRC), and it can serve as a best practice for the government sector too. While the management function owns the risk as the first line of defence, the Risk and Compliance function (second line) and the Internal Audit function (third line) serve as essential checks and balances.