What second-line GRC actually does all day

The three-lines model reads cleanly on a slide. The first line owns the risk because it owns the operations; the second line builds the frameworks and challenges the first; the third line audits everyone. What the slide does not show is that the second line produces almost nothing that is valuable in itself. A risk analysis, a policy, a supplier assessment — none of these artefacts protect anything. They only matter if they change a decision somewhere in the first line. Which means the real job, most days, is translation: turning a control requirement into a sentence an operations manager can act on, and turning what actually happens on a logistics site into evidence a framework can recognise.

EBIOS RM workshops make this concrete faster than anything else. The method is French, structured, and quietly brilliant, but its outputs are only as honest as the people in the room. Ask a site manager to enumerate feared events and you get silence; ask what would stop trucks leaving the yard tomorrow morning and you cannot make them stop talking. The methodology work is in the mapping — carrying that answer back through supporting assets, threat sources, and attack paths until it becomes a scenario the organisation can rank and treat. The insight is never in the matrix. The insight is in the conversation the matrix forced you to have.

Vulnerability management from the second line is a discipline of arithmetic under disagreement. A CVSS score arrives claiming 9.8; the asset owner claims the system is unreachable from the internet; the SLA clock is already running. The temptation is to arbitrate by authority. The productive path is to arbitrate by context: what does this score become once you account for exposure, for compensating controls, for what the asset actually processes? Some criticals deflate to scheduled maintenance. Some mediums, sitting on the wrong network segment next to the wrong database, become the week's real emergency. A tracker that reflects that reasoning is worth more than a dashboard of raw scores that nobody defends in front of an auditor.
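As an added example (not the author's tracker; the weighting tables and sample findings are constructed assumptions), a small contextual scoring routine that carries the reasoning along with the number, so that the two cases above, a 9.8 on an isolated asset and a 5.3 sitting next to the wrong database, land where the text says they should, and a compensating control claimed by an asset owner earns nothing until it has been verified:

```python
from dataclasses import dataclass, field

# Weighting tables are an illustrative assumption for this example, not a
# standard; a real programme documents and defends its own values.
EXPOSURE = {"internet": 1.0, "internal": 0.85, "isolated": 0.35}
BLAST_RADIUS = {"contained": 0.6, "segment": 1.0, "crown_jewel": 1.6}
CONTROL_CREDIT = {"auth_required": 0.15, "waf": 0.10, "host_firewall": 0.20}
BANDS = [(9.0, "emergency: 48h"), (7.0, "this week"),
         (4.0, "next patch window"), (0.0, "scheduled maintenance")]

@dataclass
class Finding:
    asset: str
    cvss_base: float
    exposure: str      # how reachable the asset actually is
    blast_radius: str  # what a compromise of it could reach next
    compensating: dict = field(default_factory=dict)  # control -> verified?

def prioritise(f: Finding):
    """Return (contextual score, band, rationale) for one finding.
    The rationale list is what gets defended in front of the auditor."""
    score, why = f.cvss_base, [f"base CVSS {f.cvss_base}"]
    for name, table, key in (("exposure", EXPOSURE, f.exposure),
                             ("blast_radius", BLAST_RADIUS, f.blast_radius)):
        score *= table[key]
        why.append(f"{name}={key}: x{table[key]}")
    for control, verified in f.compensating.items():
        credit = CONTROL_CREDIT.get(control)
        if credit is None or not verified:
            # A claimed control earns no credit until someone has checked it.
            why.append(f"{control}: claimed, no credit (unverified or unknown)")
            continue
        score *= 1 - credit
        why.append(f"{control}: verified, -{int(credit * 100)}%")
    score = round(min(score, 10.0), 1)
    band = next(label for floor, label in BANDS if score >= floor)
    return score, band, why

# Constructed sample findings matching the two cases in the text.
SAMPLE = [
    Finding("hmi-yard-01", 9.8, "isolated", "contained", {"auth_required": True}),
    Finding("wms-app-03", 5.3, "internal", "crown_jewel", {"waf": False}),
]

if __name__ == "__main__":
    for f in SAMPLE:
        score, band, why = prioritise(f)
        print(f"{f.asset}: {score} -> {band}\n  " + "\n  ".join(why))
```

Each row of the rationale is a deliberate choice someone can be asked about, which is the difference between a defensible tracker and a dashboard of raw scores.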

The part nobody romanticises: sitewalks. Walking a logistics site with a checklist is where paper meets concrete, sometimes literally — the badge reader that has been propped open for the summer heat, the visitor register that stopped being filled in March, the server cupboard that doubles as storage for pallets of shrink-wrap. None of this appears in any tool. All of it is the actual security posture. Second-line GRC that never leaves the office converges on a beautifully documented parallel universe; the discipline is keeping the documentation tethered to the building. Policy without operational reality is assumption. I keep finding that the shortest path between the two is a pair of shoes.