In today’s financial institutions, security and compliance often feel like a never-ending treadmill, important yet exhausting. With countless frameworks, regulations and internal policies stacking up, control operators are struggling to keep pace.
This article explores why the current approach is becoming unsustainable, how it’s impacting control operators and what needs to change to create a more practical, human-centric path forward.
Most financial institutions have adopted the three lines of defense (3LoD) model.
- 3LoD: Conducts internal audit
- 2LoD: Owns internal Enterprise Risk Management (ERM) framework, policies, standards and the control library
- 1LoD: Implements business needs and daily operations (control operators)
When regulatory requirements, industry best practices and internal standards are disconnected from one another, control operators end up implementing isolated, one-off solutions to mitigate cybersecurity risks.
Life in the First Line of Defense
Everyone in the 1LoD plays a pivotal role within the organization. They have to make sure strategic business projects are delivered on time, whether that means running secure software development lifecycle processes, vulnerability scanning and patching, network monitoring, cyber threat analysis, internal/external audits, or acting as trusted cybersecurity advisors to business teams, all while staying compliant.
If the auditors are from national regulators, the pressure is immense and the margin of error is usually very thin. With pressure coming from many angles, internal process requirements can often feel more like blockers than enablers.
Between daily tasks, priority requests and regulatory requirements, most cybersecurity professionals are juggling too many balls at the same time. As the threat landscape and regulatory requirements continue to evolve, many cybersecurity teams in 1LoD are struggling to stay afloat.
As such, burnout for cybersecurity professionals is inevitable. How can we fix that?
Building a Mature Second Line of Defense
Having a mature 2LoD means that internal standards are not only aligned to different regulatory requirements in which the business is operating, but also to the industry best practices.
Controls within the internal standards should have the following attributes:
- Business aligned
- Clearly articulated, with the risks they mitigate linked back to the organization’s risk taxonomy
- Clear ownership (control owner, control operator, control operation frequency, etc.)
- Clear priority (key control, non-key control)
- Assurance methods (KRIs, dashboards, control performance monitoring, etc.)
Below is a table demonstrating the many overlapping domains in the following regulatory requirements and industry best practices in the financial industry:

As you can see, many regulatory requirements and industry best practices overlap across common domains. When internal controls are designed and developed carefully by the 2LoD to address the shared requirements, it enables the control operators (1LoD) to optimize their efforts in implementing and maintaining those controls on the ground.
This reduces unnecessary complexity, streamlines assurance processes and makes ongoing control maintenance much more manageable across the organization.
A strong and robust control landscape that meets multiple expectations not only saves operating costs for the organization but also improves audit readiness.
Shifting Perspectives
Protecting customer interests and business needs should always be the priority for cybersecurity professionals. The primary responsibility of a cybersecurity professional is to protect an organization's information systems and data from cyber threats.
Too often, the three lines of defense operate in silos, driven by fear of audit findings or 'check and challenge' dynamics. True cybersecurity resilience demands trust and partnership, and not hierarchy or control.
Let’s try and shift perspectives from what’s right in theory to what’s best for customers and business processes by:
- Changing from reactive to proactive with collaborative improvement: Cybersecurity is an ecosystem which will fail without collaborative efforts. Failing an audit should not be seen as a failure; it should be seen as an early warning sign. The conversation around it should be about how we can all improve rather than whose fault it is.
- Harmonizing requirements: While developing standards and controls, gather all the requirements (regulators, industry best practices, internal risk appetite statement, internal risk taxonomy) and invite control operators (1LoD) for collaborative efforts.
- Clearer prioritization aligned with real risk: Don’t just say that not having a control can lead to ransomware risk. Add in the “how” based on the IT landscape within the business. For each control, mark it as a key or non-key control. If a failure of the control could lead to a cyber incident that ends up in mainstream media, that’s your key control.
- Designing with control operators in mind: Most standards and controls are written from a risk view. The control description has to be clear enough for the control operator (1LoD) to understand; without a clear description, the control operator won’t be able to operationalize it on the ground.
How to Get Started
To start with, take one standard and review its understandability, potential duplicates across other standards, and how practically its controls can be implemented. Start with one meeting and one control operator to understand their pain points in implementing the control. Building trust takes time, so be the one to extend that trust first.
Cybersecurity resilience and recovery are not the responsibility of one person or team. They require diverse knowledge, skills, critical thinking and shared understanding across the organization.
Cybersecurity professionals dedicate thousands of hours analyzing, monitoring, patching and making sure customers, employees and organizations are secure. Cybersecurity is too important to be seen as an annual compliance exercise, so let’s make it work for people and the resilience of the organization as a whole.