Rethinking the Place of CISOs in the Three Lines of Defense Framework
Hey Everyone,
Hope you're all doing great! Today, I want to talk about something important in our world of cyber security - where CISOs fit best in an organization to really make a difference.
We've seen different guidelines and rules from around the world, like BNM's RMiT in Malaysia and the ACSC's advice in Australia, trying to guide organizations on where to place their CISOs in the three lines of defense (3LoD) framework. We know regulations and public policies usually avoid being too prescriptive. However, based on popular interpretations of RMiT, most financial institutions place CISOs in the second line of defense, even though RMiT's requirement S 9.4 says that an FI must designate a CISO (by whatever name it is called - which means the role doesn't have to be called a CISO).
Now here is a hot take:
If you're unsure about where the CISO role should fit, let me throw an idea your way: place the CISO in what I call the "1.5 line."
This might add a bit of complexity, like figuring out who the CISO reports to, but from what I've seen, positioning the CISO here is both strategic and effective. There's no better spot, in my opinion. And, by the way, the debate about who the CISO's boss should be is perennial. To me, it doesn't really matter whether it's the CEO, CTO, CIO, CRO - the key is that the CISO needs the influence, the freedom, and a direct line to the decision-makers (including the Board) to get things done.
Why the "1.5 Line"?
Putting the CISO somewhere between the first and second lines of defense means they get the best of both worlds. They're close enough to the tech action (day-to-day operations) to know what's going on and make quick decisions, but they also have the power to plan strategies and make sure the whole organization is moving in the right direction against cyber threats.
And Yes, Independence Is Key
BNM's RMiT talks a lot about the CISO being independent in managing conflicts of interest, and I totally agree. Having our CISO in the 1.5 line doesn't change that. They can still make unbiased decisions that are best for the organization. If needed, we can have a cyber information risk officer (or whatever name you want to call it) in the second line to handle the cyber risk management side, so the CISO can focus on both immediate issues and long-term security planning.
So, What Can We Do?
Start the Conversation - Ask around and see if people think the CISO is in the right spot to protect their organizations.
Be the Example - If you're in a position to, show how being in the "1.5 line" can make a real difference in how we handle cyber security.
Think About Change - If you're in a place to make decisions, consider this approach. Our digital world is always changing, and how we handle security needs to change too.
Wrapping Up
The job of a CISO isn't just a title; it's about making sure our organization stays safe in the digital world. By rethinking where they stand, we can make sure they're in the best position to do just that.
Stay safe, and let's keep the conversation going.
Cheers,
Sivanathan