Part 1: The Three Lines of Defense are a’changing
Posted by: Brian Betterton
Recently, on June 20th this year, the Institute of Internal Auditors (IIA) opened a request for public comments on its proposed changes to its Three Lines of Defense (3LOD) risk management and control model. The IIA's request for comments closed around September 19th, and the IIA has just posted the results of its survey here:
Why is the IIA proposing changes? Despite its widespread acceptance and use, the current 3LOD model has been criticized for being too restrictive, for being ineffective in some smaller organizations, and for creating ineffective organizational silos in larger ones. Perhaps most importantly, it focuses attention on defensive approaches rather than stressing the importance of a more proactive approach to managing risk. Given that governance, risk, and compliance approaches have been maturing and changing toward a more integrated one, the IIA decided it was time to propose updating the model.
In part 2, we will get a little more background on this model.
About GuidePoint
GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cybersecurity expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and its classification can be found in the System for Award Management (SAM). Learn more at www.guidepointsecurity.com.
Contributing Authors
Brian Betterton, Practice Director, Governance and Risk, GuidePoint Security
Brian is the Practice Director of Governance and Risk at GuidePoint Security. His professional experience started in 2001 and includes creating strategy for, leading, building and maturing security, risk, and compliance programs. He has led and participated in programs throughout the world in verticals such as financial, critical infrastructure/energy, healthcare, hospitality, technology cloud services and retail. He has held various roles, including technologist, consultant, architect, strategist and leader of global security programs. He has been included in the Security Executive Rankings and, in 2012, he was on the leadership team selected for SC Magazine's European shortlist for Information Security Team of the Year.
Brian holds several certifications, including Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).