Cybersecurity Effectiveness: A CISO’s Guide to the Three Lines of Defense

It’s a scenario every cybersecurity leader knows well. An incident occurs, and the organization fractures into silos. Your teams on the first line are in the trenches, managing the technical response. Simultaneously, the second line (legal, finance, and risk) is demanding answers, each function with its own urgent priorities. Soon after, the third line, internal audit, schedules a review, and the board’s audit committee asks for a briefing, armed with questions they may not fully understand. You’re at the center, trying to translate, coordinate, and build a single, coherent narrative from a dozen fragmented perspectives.

This operational headache is precisely why a new, in-depth field study from researchers at the Accounting Department, École des Sciences de la Gestion, Université du Québec à Montréal, is so timely. Published in the International Journal of Disclosure and Governance, their work dives into the critical business importance of this challenge. As the article notes, “the importance of cybersecurity has become paramount for businesses,” a reality now codified by new SEC rules that mandate public companies disclose their processes for “assessing, identifying, and managing material risks from cybersecurity threats.” The question is no longer if you have a defense, but how effective it truly is.

The researchers took their study inside the “black box” of 13 public firms to see how they truly manage cybersecurity. Their findings offer a powerful blueprint for CISOs, showing that real effectiveness is achieved not by the first line working alone, but through the strategic orchestration of all three lines of defense.

A Unified Front: Structuring Your Three Lines for Success

The study uses the Three Lines of Defense model to frame its findings, revealing how mature organizations define and integrate these roles:

First Line:

This is the CISO’s domain, encompassing the IT and information security functions directly responsible for managing cybersecurity services and safeguarding the organization’s assets.

Second Line:

These are the crucial oversight partners. Functions like governance, risk management, legal, and finance support the first line and provide essential oversight.

Third Line:

This is the independent assurance provider: the internal audit function, which offers unbiased assessments on the effectiveness of cybersecurity governance directly to management and the board.

The researchers found that in the most effective organizations, these are not rigid tiers but a collaborative network. One executive described the ideal interaction as the three lines working “shoulder-to-shoulder.” The study identified that the structure itself is a key indicator of an organization’s security maturity. In high-performing firms, the CISO reports to a senior executive on the executive committee and has a direct line to present to the board. This is a stark contrast to less mature organizations where the cybersecurity lead is buried deeper within the IT structure.

However, the study also uncovered a persistent and critical challenge: a significant lack of cybersecurity expertise at the board level. This gap forces CISOs and internal auditors into an educational role. One participant admitted, “I almost put all the words in [the board members’] mouths… I gave them about ten questions that they should ask us.”

The Four-Stage Cycle: A Process for Continuous Improvement

Beyond structure, the research identified a clear, four-stage process that mature organizations follow to manage cybersecurity in a continuous, evolving loop.

1. Plan: Building the Foundation

The planning stage is about establishing a risk-based approach. Interestingly, the most experienced CISOs interviewed warned against rigidly adhering to a single framework. One CISO stated, “You don’t manage your risk by being 100% compliant,” viewing frameworks like NIST and ISO as “toolboxes” to build a custom approach suited to their organization’s maturity. A particularly powerful finding was the impact of tying executive compensation to cybersecurity KPIs. As one Director of Cybersecurity bluntly put it, “If 10% of your bonus… is linked to these objectives, believe me, you’ll see change happen… Money always talks.”

2. Do: Putting the Plan into Action

This stage is about execution. It extends far beyond technical controls to include relentless employee training and awareness campaigns. One company described cutting off email access for employees who failed to complete their mandatory cybersecurity training, showing a firm commitment. This stage also involves proactive measures, such as conducting daily press reviews to learn from incidents affecting other companies and engaging external consultants for independent benchmarking and maturity assessments.

3. Check: Ensuring Accountability Through Oversight

Here, the second and third lines play a vital role. Internal audit, as the independent third line, is critical for testing the effectiveness of controls, following up on identified deficiencies, and reporting their findings directly to the audit committee. This creates a powerful accountability loop. As one Senior Director of Internal Audit explained, “We have a cybersecurity program to continually strengthen its controls. And we… monitor this over time… we look at what improvements are coming, what the gaps are, and then we follow up on these action plans.”

4. Act: Closing the Loop and Evolving

This is the crucial final step: continuous improvement. Based on the findings from audits, internal phishing tests, or even high-profile market incidents (one firm described doing a “complete debrief” of the Desjardins breach), mature organizations constantly adjust. They update internal policies, refine incident response manuals, and make the data-driven case for increased investment. This evolution also extends to business operations, with participants noting that they now add specific cyber clauses to contracts with third-party partners.

The Human Factor: Why Relational Mechanisms Matter

Finally, the researchers concluded that even the best structures and processes will fail without the right “relational mechanisms.” This is the human element that binds the defense together. The foundation is close and regular collaboration between the CISO, risk functions, and internal audit.

Beyond internal meetings, the study highlighted the immense value of external peer groups. Many of the CISOs and internal auditors interviewed belong to formal, industry-specific information-sharing communities. There, they can discuss threats and best practices in a trusted environment, creating a collective intelligence that strengthens all members.

For any CISO, the message from this research is clear and actionable. Your technical leadership is the foundation, but it is your ability to build bridges (to educate the board, partner with the second line, and leverage the independent assurance of the third) that will elevate your program from a necessary function to a source of true, strategic business resilience.

For Further Reading:

Héroux, S., & Fortin, A. (2024). How the three lines of defense can contribute to public firms’ cybersecurity effectiveness. International Journal of Disclosure and Governance, 22, 377–396. https://doi.org/10.1057/s41310-024-00226-7