[Verse 1]
Three lines standing guard to keep us safe and sound
First line operates, second monitors ground
Third line assures with eyes that see it all
But when lines collapse, that's when systems fall
CISO reports to CIO, what do we see?
Line two absorbed into line one, no autonomy
The watchers become the workers, oversight is gone
Independence broken, the model can't move on

[Chorus]
Three lines of defense, they must stand apart
Operate, monitor, assure - each plays their part
When lines merge together, governance will fail
Independence is the key to tell the tale
Three lines, three lines, standing strong and free
Three lines, three lines, that's how it's meant to be

[Verse 2]
Board sits at the top as line three oversight
But directors who can't grasp the technical fight
Structure exists but function falls away
Third line blind to what happens day by day
Fear of blame stops reports from flowing up
First line stays quiet, fills the silence cup
Second line can't assess what it doesn't know
Third line never sees how problems grow

[Chorus]
Three lines of defense, they must stand apart
Operate, monitor, assure - each plays their part
When lines merge together, governance will fail
Independence is the key to tell the tale
Three lines, three lines, standing strong and free
Three lines, three lines, that's how it's meant to be

[Bridge]
Authority and resources check the first line health
Communication culture shows the second line's stealth
Board engagement, liability - third line's vital signs
When you map the diagnostics, see the warning signs
SOC Two control one point two shows us the way
CMMC assessments need independence every day
HIPAA evaluation fails when watchers work for watched
Independence compromised means governance is botched

[Chorus]
Three lines of defense, they must stand apart
Operate, monitor, assure - each plays their part
When lines merge together, governance will fail
Independence is the key to tell the tale
Three lines, three lines, standing strong and free
Three lines, three lines, that's how it's meant to be

[Outro]
First line operates, second monitors true
Third line gives assurance in all that they do
Keep the lines independent, let each play their role
Three lines of defense make governance whole