A combination of growing risk complexity and shrinking attack times is creating a perfect storm for organizations. Responding effectively to this fast-evolving threat landscape demands more advanced capabilities. This article sets out the role of the Three Lines of Defense (3LoD) model in helping organizations define, coordinate and strengthen risk management responsibilities across operational, oversight and assurance functions, and explains why the Second Line of Defense (2LoD) in particular needs to up its game in a constantly evolving threat landscape.
Speed x Complexity = A New Cyber Risk Reality
Complexity is now a critical security risk. A key theme of the World Economic Forum’s 2026 Global Cybersecurity Outlook is the complexity, and the resulting challenges, associated with managing what is now a material business risk. Kroll’s recent report, Bridging the Cyber Resiliency Gap, also highlights that while threat actors continue to get better at evading defenses and increasingly use artificial intelligence (AI) to advance and accelerate their attacks, only 19% of survey respondents believe their company can respond to an incident within minutes.
This complexity is driven by factors such as increased digitalization, which often includes the adoption and interconnection of OT, IoT and cloud technologies, all of which expand the attack surface. Overlay this with an ever-expanding third-party ecosystem, which is notoriously difficult to manage from a risk perspective, and organizations now find themselves trying to protect a perimeter-less castle whose moats have been replaced by canals (read: entry points) that thread right through its grounds. The risks posed by increasing complexity are also reflected in Kroll’s Bridging the Cyber Resiliency Gap report, in which 72% of organizations surveyed said they frequently experience misalignment between business and cybersecurity priorities.
It’s not only complexity. Speed often defines impact, with an external cyber threat environment made more unpredictable by a fragmented geopolitical landscape. This setting is made more precarious still by the continuing industrialization of an underground cybercriminal ecosystem in which attack infrastructure (e.g. malware-as-a-service and phishing campaign platforms) is available to rent, meaning attackers no longer need to be technically sophisticated to carry out sophisticated attacks. Overlay this with the emergence of AI, and we are now in a digital arms race comparable to a kinetic one, with threat actors increasingly adopting AI-enabled technologies and tools to advance and accelerate their attacks. Indeed, the Bridging the Cyber Resiliency Gap report highlights that 76% of respondents experienced a security incident involving AI applications or models in the last year.
Kroll responds to thousands of cyber incidents each year, and our analysis shows that average breakout times (the time between an attacker’s initial foothold and their first lateral movement inside your environment) are now under an hour, and in some cases under 29 minutes. This is a 65% increase in speed compared with 2024. By the time a security operations center is triaging an alert, the attacker may already have moved laterally, stolen employee identities and positioned themselves for data exfiltration or extortion. Recognizing the impact of speed is critical. The impact and consequences of cyberattacks are operational, financial, regulatory and reputational. Cyber has become one of the most material risks for businesses, a reality that has not gone unnoticed by regulators around the world, who have made it very clear that accountability for this risk lies squarely with the board.
Why the 2LoD Matters More Than Ever
The 3LoD model is the de facto organizational approach and standard setup for managing this risk. In today’s increasingly complex cyber risk landscape, the model provides a structured way to ensure that first line of defense (1LoD) teams own and manage cyber risks, the second line of defense (2LoD) offers independent challenge, guidance and monitoring, and the third line of defense (3LoD) delivers objective audit assurance.
1LoD, which is essentially responsible for all security operations and controls and is thus analogous to foot-soldiers on the frontline, certainly has its work cut out. Yet 2LoD is becoming increasingly important. Why?
Because its task is to ensure that 1LoD has appropriate cyber controls in place, commensurate with the risks they are designed to address. To continue the analogy: if 1LoD are the foot-soldiers on the frontline, patrolling the perimeter, manning the gates and engaging directly with attackers, then 2LoD is the watchtower command. They don’t fight on the battlements, but stand above the walls with a broader vantage point, scanning for emerging threats, spotting weaknesses in the defenses and signaling to the frontline when something requires immediate action.
The Growing Challenge for 2LoD
Traditionally, 2LoD has carried out its role through activities such as thematic reviews, ad hoc deep dives, manual control effectiveness testing and independent review and challenge of issues and their resolution. In the modern threat landscape, however, it needs to up its game amid a growing set of challenges, driven by:
- Rapid regulatory evolution, such as the Digital Operational Resilience Act (DORA), the NIS 2 Directive, UK operational resilience regulations and Securities and Exchange Commission rules, together with increasing supervision, including direct supervision and inspection of 2LoD activities by the European Central Bank and the Financial Conduct Authority, where traditionally the focus was primarily on 1LoD activities.
- A need for 2LoD to implement more automated and data-driven control monitoring that provides continuous visibility, oversight and testing, instead of relying on manual, point-in-time assessments.
- Expanding digital ecosystems, such as the cloud, third parties and AI that require visibility and oversight while still taking into consideration federated ownership and accountability.
- Enabling business strategy by providing effective and targeted risk oversight without slowing down transformation or being seen as a blocker.
- The requirement for robust governance, security, data and risk frameworks for emerging risks, such as the adoption of AI at scale.
- The requirement from boards as well as regulators for 2LoD to demonstrate that it can provide detailed risk frameworks and tangible oversight of operational resilience via, inter alia, defining critical business processes, asset mapping and regular scenario testing, with accurate risk quantification and prioritization of risks and remediation activities.
- Increased board-level scrutiny on activities/value-add of 2LoD as an independent authority to challenge, guide and monitor 1LoD activities and priorities.
In many organizations, however, 2LoD is still playing catch-up. These teams often lack the capacity and/or the deep technical expertise to properly challenge 1LoD cyber teams, partly because the function has traditionally been staffed with risk management specialists rather than technical practitioners. This also limits their ability to design and implement the technologies and processes that automate real-time collection and analysis of cyber risk data. Without these, 2LoD will struggle to keep pace with rapidly evolving threats and to provide truly independent and informed challenge. The result is a higher likelihood of unseen vulnerabilities, increased exposure to cyber incidents and a greater risk of regulatory findings or penalties.
Advance Your 2LoD’s Capabilities with Kroll
In light of these growing challenges, it is not surprising that Kroll is seeing a sharp uptick in 2LoD cyber risk teams requesting support in closing these gaps, not only tactically but also strategically, so they can operate with the speed, insight and technical depth that today’s threat landscape demands.
By combining industry-leading threat intelligence, deep technical expertise and proven risk management methodologies, we are increasingly working alongside risk leaders and 2LoD functions to put in place more data-driven, proactive and challenge-ready capabilities, including the modernization of frameworks and policies, the design and testing of cyber scenarios, and the uplift of cyber risk quantification methodologies.
One recent example is our enterprise-wide assessment of a global bank’s third-party risk management framework, to ensure it not only takes a risk-based approach but also aligns with recent regulatory requirements such as DORA. In doing so, we help ensure that risk oversight is both informed and aligned to regulatory expectations, while also addressing the need for true resilience amid rapidly evolving threats.