A classic model for risk management and control is something called “The Three Lines of Defense (3ODL).”

The three lines are as follows:

Line 1: Risk Owners - Front line staff and operational management
Line 2: Risk Oversight - Risk management and compliance functions
Line 3: Risk Assurance - Internal audit

However, with the advent of modern sociotechnical systems like Agile, Cloud Native, and Event-Driven architectures these legacy lines (3ODL) are at best blurred and at worst completely broken. With the modern patterns and practices of DevOps and DevSecOps it’s not clear who the front line owners are anymore. Risk management and organizational compliance teams struggle to adapt to new cloud-native models such as ephemeral containers, microservices, and event-driven architecture like serverless. Most organizations' internal audit processes today are highly toil based and have low efficacy. This is something I have called in previous presentations “Security and Compliance Theater.”

In this presentation, we are going to look at a couple of case studies that include the good, the bad, and the ugly when it comes to 3ODL. Primary topics covered will be organizational design, DevSecOps, and Automated Governance.

Target is anyone working IT who is interested in Cyber Defense.