When the three lines of defense for information security rapidly become two

The increasing adoption of Security-as-a-Service (SECaaS) models is moving not only the responsibility for managing security operations from enterprise clients to service providers but also the responsibility for managing security risks and controls. Our latest Cybersecurity Pulse study shows that almost two-thirds (61%) of enterprise clients expect their front-line information security functions to move to a second line of defense role in the future.

Front-line information security functions will be increasingly focusing their efforts on monitoring the effectiveness of risk and control management practices of cloud service providers and/or managed security service providers, but there are a few critical prerequisites that must be in place:

• Eighty-four percent (84%) of enterprise clients believe that increasing the level of automation is the most important factor for accelerating the transition of information security functions from a first line of defense to a second line of defense role.
• Sixty-five percent (65%) of enterprise clients highlighted that monitoring the effectiveness of security risk and controls operated by service providers is their number one challenge at the moment.

The Bottom Line: The transition of front-line information security functions to a second line of defense role seems inevitable, and the stakes are too high for enterprise clients to get this wrong.

Cloud service providers and/or managed security service providers are rapidly becoming the first line of defense, but enterprise clients must not forget that they remain accountable to customers and shareholders. A false sense of security could be particularly dangerous in this silently and quickly spreading trend. The push for enterprise clients to delegate their responsibility must be accompanied by the deployment of rock-solid internal monitoring processes, and automation will play a critical part in bringing greater efficiency and assurance.