
CISO Governance: Choosing the optimal Line of Defense

Where the CISO sits affects independence, decision rights, seniority and collaboration - all critical to cybersecurity governance.


In brief

  • Cybersecurity is a strategic enabler, not just an operational risk, especially in regulated financial institutions.
  • CISO positioning requires balancing independence, decision rights, seniority and proximity to IT - all with regulatory expectations in mind.
  • Hybrid models like the 1.5 LoD offer a middle ground, but must still meet governance and segregation-of-duties standards.

Cyber threats are evolving rapidly, fueled by advanced AI-driven techniques such as deepfakes, autonomous malware and prompt injection. These developments require CISOs to embed AI into their defense strategies, not only to detect and respond in time but also to safeguard AI systems against manipulation. Yet, cybersecurity remains underestimated by some and regarded as a mere operational concern. In reality, it is a strategic imperative that cannot be sidelined for the sake of faster digital transformation or reduced time to market.

In regulated industries like financial services, leading organizations have long relied on the Three Lines of Defense (3LoD) model to clarify responsibilities and reduce conflicts of interest. Although the Institute of Internal Auditors has since introduced the similarly named Three Lines Model (3LM) as a governance framework, many firms continue to operationalize 3LoD to meet regulatory requirements, occasionally layering 3LM on top for strategic board-level oversight. This article examines how the CISO’s positioning within the 3LoD structure can enhance organizational resilience and reduce exposure to cybersecurity threats.

The 3 lines of defense concept

Before weighing the options for CISO placement within the 3LoD model, it is important to establish the fundamentals. The Three Lines of Defense are typically assigned to distinct functions: IT and Cybersecurity Operations (1st LoD), Risk & Compliance including cyber risk oversight (2nd LoD) and Internal Audit (3rd LoD). The 3LoD model is grounded in the principle of separation of duties (SoD), which helps prevent fraud, conflicts of interest and operational errors. This principle is codified in control frameworks such as NIST SP 800-53 Rev. 5 (control AC-5, Separation of Duties), and remains a cornerstone of regulatory expectations, especially in financial services.


Chapter 1

What does the 3LoD model mean for the CISO?

Each line plays a distinct role in cybersecurity governance, but where does the CISO fit in?

The Second Line of Defense (2nd LoD) plays a pivotal role in the risk management model. It defines the boundaries within which the First Line (1st LoD) operates, provides guidance on risk management, and monitors whether that guidance is effectively implemented. It also evaluates the controls applied by the 1st LoD to ensure risks are managed within agreed parameters, and reports those risks to management and the Board of Directors.

The 1st LoD, as the risk-taker, is responsible for enabling the business by delivering services while implementing controls to protect the organization’s assets. This balancing act is shaped by each organization’s unique risk appetite, tolerance and the fast-evolving cyber threat landscape.

The Third Line of Defense (3rd LoD), Internal Audit, functions independently of the other two lines, assessing their effectiveness and reporting directly to senior management and to the Board of Directors, typically through its audit committee. This independence is what makes the separation of duties described above enforceable: the function that evaluates the controls is neither the one operating them nor the one setting their boundaries.

If the 1st LoD takes risks and the 2nd LoD manages and oversees them, where does that leave the Chief Information Security Officer (CISO)? In practice, financial institutions vary in their approaches: some place the CISO within Risk & Compliance (2nd LoD), while others embed the role within IT Security (1st LoD). Regardless of placement, expectations of the CISO continue to evolve.

Beyond developing and implementing the organization’s information security (IS) program, the CISO has a strong interest in also being seen as a strategic enabler of business value. This includes raising cyber awareness, strengthening processes, securing technology and enabling new products and services in a secure manner. Mature institutions structure their information security programs around updated frameworks like NIST CSF 2.0, which introduces a sixth function, “Govern”, to emphasize leadership accountability, policy oversight and integration with enterprise risk management, and ISO/IEC 27001:2022 together with ISO/IEC 27002:2022, which reorganizes the controls to better align with business risk. These updates signal a broader shift toward governance-led, risk-aligned cybersecurity strategies.


Chapter 2

CISO positioning: weighing trade-offs in the 1st vs. 2nd LoD

The CISO placement involves trade-offs across four dimensions, each shaped by organizational structure and governance needs.

Each organization must assess how best to balance the advantages and drawbacks of positioning the CISO within the First or Second Line of Defense. In this chapter, we explore the trade-offs between placing the CISO in the 1st LoD (scenario 1) or the 2nd LoD (scenario 2), focusing first on three dimensions: independence, decision-making authority and proximity to IT. The fourth dimension, organizational seniority, is discussed afterwards.

Figure: Comparison between the CISO in the 1st vs. 2nd Line of Defense

In addition to the three criteria mentioned above, it is also important to consider the organizational seniority of the CISO position. The CISO’s place within the corporate hierarchy influences access to decision makers and the ability to shape strategic priorities. A higher reporting line, such as directly to an executive board member, enhances visibility, authority and impact. Ideally, the CISO should also report regularly to the Board of Directors.

Seniority is closely linked to hierarchy level and reporting structure. In financial institutions, the CISO should not be positioned below “N-2”, where N denotes the executive board, N-1 a direct report to an executive board member and N-2 a report to an N-1 manager. This means either reporting directly to an executive board member (N-1) or, for example, to the CRO when the CRO reports to a CFO who is an executive board member (placing the CISO at N-2). The higher the CISO is positioned, the closer their proximity to executive leadership and the greater their influence on enterprise-wide risk and security strategy.


Chapter 3

Should your CISO sit in the 1st or 2nd Line of Defense?

The right CISO placement depends on the CISO’s role and your structure, but regulators expect clear segregation of duties and accountability.

Regulators such as FINMA and the US SEC, together with EU legislation such as the DORA regulation and the NIS2 directive, have introduced increasingly stringent requirements for ICT risk management, incident classification and third-party oversight. These frameworks demand faster reporting, clearer segregation of duties and robust resilience testing, all of which influence how CISOs are positioned within organizations, especially financial institutions.

While each organization interprets these principles based on its structure and the CISO’s concrete role, regulators expect that the implementation meets the intent of the rules. For example, FINMA’s Circular 2023/01 mandates segregation of duties between risk owners, controllers and auditors. Some banks address this by placing the CISO in the 2nd LoD, while others keep the role within the 1st LoD but implement compensating controls to ensure independence, for instance independent 2nd LoD review of the CISO’s control assessments. In cases where segregation is unclear, or where past conflicts of interest have occurred, regulators may expect a more distinct separation.

To navigate this trade-off, some institutions adopt a hybrid model, often referred to as the 1.5 LoD or 1b LoD, positioning the CISO between IT and Risk. In this model, the CISO may have dual reporting lines, operationally to the CIO and functionally to the CRO, enabling both proximity to execution and oversight independence. However, this setup requires clear governance to avoid ambiguity in accountability: it must be explicit which reporting line decides on budget, staffing and risk acceptance, and which one the CISO escalates to when the two disagree. While it can reduce conflicts of interest and improve oversight compared to a pure 1st LoD setup, it may still leave the CISO without full decision-making authority or equal standing with IT leadership.

Ultimately, the right placement depends on the CISO’s concrete role, the organization’s size, complexity, risk appetite and regulatory exposure. Regardless of structure, the CISO must be empowered to act independently, influence decisions and ensure cybersecurity is embedded across the enterprise.

Summary

The CISO’s placement within the Three Lines of Defense significantly impacts their independence, influence and ability to manage cyber risk. Organizations must weigh structural trade-offs across four dimensions, independence, decision rights, seniority and proximity to IT, while aligning with evolving regulatory expectations. Success also depends on understanding industry trends, building transformation capabilities and fostering strong collaboration with regulators to shape a resilient and future-ready cybersecurity operating model.
