The Emergence of the Second-Line CISO

We are seeing a new wave in cyber risk, and it’s not a technical one.

As digital risk — including cyber — gains board-level scrutiny, CISOs need to change their corporate risk conversation and they will need new tools for reporting.

As a result of the global financial crisis, financial organizations adopted a concept in risk management called the Three Lines of Defense. This model clearly assigns responsibility for various risk and other governance functions to three discrete roles:

The First Line — Functions that own and manage risks
The Second Line — Functions that oversee risks
The Third Line — Functions that provide independent assurance
Areas of responsibility across the lines of defense

This structure has been widely adopted for financial reporting and even mandated by some regulators. It has proven to be very effective and risk managers have begun to slowly embrace it in other areas of risk.

We have seen the emergence of second line cybersecurity in the financial industry. As digital risks — including cyber — have begun to increase, the concept of a Second-Line Chief Information Security Officer has begun to spread. Other organizations that are highly-connected or those that provide digital services know that their business lives or dies by the proper digital risk management.

At a recent event, we surveyed attendees to see within which line of defense they thought their CISO operated and under which organizational function they reported. The results were surprising.

We found that a small number of CISOs or their equivalent are now reporting to the Chief Risk Officer. We expect that number to grow. At the same time, more responsibilities that are associated with the second line of defense are being given to the CISO.

With a presence at the second line, the needs of CISOs are changing. They need to be better equipped to answer targeted questions from leadership and to supply business-relevant impact answers.

This can pose a challenge because the tools and activities at each line are different. All work together to provide the enterprise with visibility and clarity into their cyber risk posture. The second line, however, is less tactical and must answer the question, ‘What does this mean for the business?’

Tools and Activities across the lines of defense

At Emergent, we are excited to offer an industry-first second line of defense digital risk management platform, the Instinct Engine. It is built on real-world and machine-generated digital loss scenarios to help you communicate in terms your business leaders understand — reputation, credit, or market losses — supported by objective, real-time data.

Contact us today to learn about our five-day-install 30-day proof-of-value.

To help us better anticipate the needs of the second line, please take our brief two question survey.