Corporate Security and Compliance Guidelines - 3 Lines of Defense
From a compliance and/or security perspective (in a form that depends on industry, business model and corporate structure), an organization should be viewed in layers that fit its actual security risks. The current best practice for doing so, which fits most corporations, is to identify three main Lines of Defense (hereafter LOD). The concept emerged primarily in the banking sector and in larger corporations, and offers a practical way to address critical differences, risks and opportunities in compliance and related security matters. Furthermore, a growing number of industry standards and guidelines recommend, and increasingly demand, such an organizational approach.
In general terms, one can describe these three LOD, and some practical issues, as follows:
1st Line of Defense
In general, all employees and managers; in particular the Business Units and Supply Chain Operations with regard to external threats:
The critical functions of prevention and detection rely heavily on a committed and aware 1st LOD, built on tailored soft controls (a healthy culture and incentive management) and hard controls (organizational and operational controls and procedures). Empirically, serious damage rooted in this LOD often results from outdated business threat intelligence or weak staff training, both of which leave staff unable to recognize red flags.
2nd Line of Defense
Risk Management related functions (Compliance, Security, ...):
These functions form the heart of the 2nd LOD, and work effectively (or not) depending on their capability to: (a) run security threat intelligence cycles, model threats, and communicate risks and needs to senior management; (b) proactively design, shape and monitor strategies and controls; and (c) reactively respond to critical intelligence or incidents. In addition, (d) effective liaison with authorities, industry bodies and service providers (such as RSB) is necessary for them to succeed, since threats are far too complex to be grasped solely from within. In corporate reality, 2nd LOD deficits often lie in weak or unprepared responses, or in the inability of other functions and of leadership to understand and work well with the 2nd LOD functions; for example, when human resources dismisses the significance of insider threat indicators identified by security.
3rd Line of Defense
Internal Audit:
In order to (a) support the c-suite/leadership in their supervision and improvement of compliance and security, and (b) address the supervisory board directly where relevant (e.g. in the case of a rogue c-level manager), internal audit needs to be an independent, capable and willing 3rd LOD in matters of compliance and security. In practice, problems often arise from "legacy thinking", i.e. understanding the audit function only in its traditional purposes. This leaves auditors and their processes unable to adequately grasp and apply critical threat management, such as how to spot and react to suspicious behavior.
Overall, it is key to develop comprehensive risk-based policies and strategies that relate and synchronize the three LOD. At this "meta level", many serious failures in practice stem from inefficiencies between the LOD, such as an inability to "connect the dots" (e.g. red flags) identified within different LOD. That problem is most often the product of not having a fitting, centralized security threat intelligence cycle in place.