Cybersecurity: Deliveroo's three lines of defence


Security operations lead Danielle Sudai on following the IIA's security framework at the delivery company

The plethora of individual roles in a typical security team can lead to duplicated effort and gaps where lines of responsibility are unclear.

The three lines of defence (3LoD) model is designed to tackle this problem. Formalised by the Institute of Internal Auditors (IIA) in a 2013 position paper, it is a widely used framework for managing risk: it provides a standardised risk management process that clarifies who owns, who oversees and who assures each control, reducing duplicated cost and effort.

Deliveroo has implemented 3LoD for cyber security and during Computing's recent Cybersecurity Festival Danielle Sudai, security operations lead, explained how it works as well as some of the challenges in its implementation.

Sudai herself sits in the first line of defence (1LoD) - risk ownership. At this level the job is to "look the risks in the eye", implement internal control measures to mitigate them, and articulate them to the next two lines.

The role of the second line of defence (2LoD) is to observe and challenge 1LoD. "It's more 'Hey, what you're doing and the way that you're responding, 1LoD, it's great. But is that something that we need? What can we change to meet more of the trends that we are facing as a company from a security perspective?'"

2LoD looks at how to measure things like quality and compliance, and at how the organisation manages risk in specific domains, for example product security. 2LoD also includes communication between the CTO and the CISO to make sure the controls are really working the right way for the business.

Finally, 3LoD covers internal and external audits to help the organisation measure its current security posture and match it with threat and other trends. It's the risk assurance line.

"The first line of defence is absolutely critical and it must be supported by the second and third lines," Sudai explained. However, this is not a one-way street or a hierarchy, and the three layers must be in constant communication with each other to inform best practice and also to identify threats as they emerge.

Most businesses will be able to identify hundreds or even thousands of vulnerabilities, she said, "but it's only a small percentage of those vulnerabilities that are likely to pose an actual risk; for instance, many of the vulnerabilities may not be activated in our industry."

Benefits of the Three Lines of Defence model

The benefits of implementing the model at Deliveroo have included much improved observability: more clearly defined duties mean fewer gaps in coverage. "We are able to see all responsibilities for risk management, internal control and internal audit."

Over time, following the framework has created a stronger risk management culture and there are fewer overlaps between acting (1LoD), reviewing (2LoD) and guiding (3LoD) functions.

Another win is reporting. It's easier to "zoom out" from the first to the second and third lines to see how policy and business issues influence mitigation strategies. "Collaboration becomes key now that the responsibilities are different, so eventually we're able to mandate each and every line of defence. But we have to have all our lines together in order for that to work."

There are now fewer surprises, and as a result the cost of risk management has come down, Sudai said. What's more, because 3LoD is a model widely recognised by regulators, adhering to it makes demonstrating compliance simpler.

The challenges of 3LoD

Nevertheless, there have been issues with rolling out the model, Sudai said. The first is talent, where it has added to the recruitment challenge. "It is not a natural concept for novice people to easily understand, or for them to see how it fits with their role."

Then there's articulation. "Sometimes it's hard for us to clarify whether it's a second, first, or third line of defence issue, and sometimes we don't have enough tools to understand what is our responsibility."

Other challenges have included a failure by some to escalate issues to the line that actually owns them, as well as changes in management.

In view of these difficulties, it's important for organisations to see 3LoD as a tool to adapt to their unique defensive needs, not as rules to follow to "tick the regulatory box".

"Sometimes the three lines of defence is not enough. Sometimes we need to have the right decision and focus on our company as a whole. Is our security org focused on the reason we're here?" she said.

"So we're always questioning ourselves. Are we making the right decision, or are we just going through a security standard and making sure we stick to it?"