In this Cert Corner episode, Omar Sangurima reviews the COSO Enterprise Risk Management (ERM) certificate offered through the AICPA. As cybersecurity professionals increasingly present to boards and executive leadership, understanding enterprise risk becomes critical. Omar shares his candid experience with the course structure, exam difficulty, cost, and practical value — and reflects on how ERM reframes risk as part of business strategy and performance. Alyson Laderman adds insight into how certification exams are built and why question clarity matters. A practical conversation for CISOs, aspiring CISOs, and cyber leaders looking to bridge the business-risk gap. CHAPTERS:

00:00 – Welcome to Cert Corner

00:37 – Why COSO ERM?

02:55 – Don’t trust — verify: AI research and due diligence

04:27 – Cyber risk vs. enterprise risk language

05:39 – Are murky exam questions intentional?

06:01 – How certification exams are made (behind the scenes)

12:21 – Who should take COSO ERM?

15:30 – Exam cost breakdown (member vs. non-member)

18:35 – Course structure and prep time

20:53 – Final exam format (open book, timed)

21:50 – COSO ERM framework overview (5 domains, 20 principles)

24:09 – Section exams vs. final exam experience

28:54 – COSO vs. COBIT comparison

29:47 – Certificate vs. certification (CPE requirements)

31:19 – Translating cyber into business language

33:20 – Measuring ROI over time

35:29 – Lessons learned (and don’t cram during a snowstorm)

📌 About COSO ERM

The COSO Enterprise Risk Management framework integrates risk management into strategy and performance. Unlike cyber-focused frameworks (e.g., COBIT), ERM emphasizes enterprise-wide governance, business objectives, and organizational performance.

🎙 About The Cyber Mettle Podcast

Where law, business, and cybersecurity intersect. Practical conversations for professionals navigating risk, governance, leadership, and resilience.

#CyberMettle #COSO #EnterpriseRiskManagement #ERM #CISO #CyberLeadership #BoardReporting #RiskManagement #Governance #CyberStrategy #AICPA #CertCorner

GRC isn’t about checklists. It’s about structure, accountability, and human behavior.

In this episode of The Cyber Mettle Podcast, Dr. Mike Brass — Head of Governance, Risk & Compliance and Enterprise Security Architecture at National Highways (UK) — joins Dr. Omar Sangurima and Alyson Laderman, Esq. for a deep dive into:

• Why cybersecurity is fundamentally about human behavior • The evolution (and misuse) of “GRC engineering” • AI governance beyond the hype • The three lines of defense model and why it still matters • Why automation ≠ strategy • How apprenticeship models are reshaping cyber talent pipelines

Dr. Brass brings a rare interdisciplinary lens — from archaeology and anthropology to global IT leadership — explaining why governance must be holistic, structured, and aligned to business outcomes.

If your organization is being told AI can replace GRC… this conversation is for you.

• Why GRC is a second-line-of-defense function — not a checkbox

• The difference between automation and governance

• Why AI controls must extend existing frameworks — not bypass them

• The role of Enterprise Security Architecture (ESA)

• Apprenticeships vs. “mythical unicorn” hiring

• CAF, ISO 42001, NIST AI RMF, CSA guidance

• Aligning security to business mission

• Why governance is about asking “why” — not just “how”

Governance, Risk and Compliance Dr. Mike Brass Published by CRC Press (Taylor & Francis)

Though Dr. Brass and Dr. Sangurima are cybersecurity experts, and Alyson Laderman is an attorney, this podcast does not provide legal advice or specific cybersecurity consulting guidance. We share lived experience to help you think critically and make informed decisions.

00:00 – Omar’s “Fanboy” Moment & Intro 00:34 – Podcast Disclaimer 01:26 – Dr. Mike Brass Background (Archaeology → Cybersecurity) 03:46 – The Moment That Changed His View of Cybersecurity 07:12 – Human Behavior as the Core of Security 10:43 – Apprenticeships vs. Traditional Entry Paths 14:54 – UK Cyber Apprenticeship Model Explained 20:35 – Why Diversity of Thought Matters in Security 22:48 – What GRC Actually Does (Second Line of Defense) 28:47 – The “GRC Engineering” Debate 32:54 – AI Marketing vs. AI Reality 37:36 – AI Governance Frameworks (ISO 42001, NIST, CSA, ISACA) 44:40 – Aligning Controls to Business Outcomes 51:52 – AI, Supply Chain & Hidden Risk 56:59 – Enterprise Security Architecture’s Role 59:30 – Final Advice for Business Leaders 1:01:07 – Book Mention & Where to Find It 1:01:31 – Closing Thoughts

#CyberSecurity #GRC #AIGovernance #RiskManagement #InfoSec #ThreeLinesOfDefense #CyberLeadership #Governance #EnterpriseSecurity #CyberMettle

Dr Mike Brass interview, GRC explained, governance risk compliance podcast, AI governance framework, ISO 42001 overview, NIST AI RMF, CAF framework UK, three lines of defense cybersecurity, enterprise security architecture, cybersecurity apprenticeships UK, automation vs governance, AI risk management, cyber leadership strategy

Small businesses aren’t “too small” for cybercrime; they’re often the easiest target. NIST’s Daniel Eliot breaks down free, practical on-ramps to CSF 2.0, starting with MFA. In this episode, Omar Sangurima and Alyson Laderman are joined by Daniel Eliot (NIST), who leads small business engagement in NIST’s Applied Cybersecurity Division. Together, they unpack what small businesses actually need to do to reduce risk without getting overwhelmed.

You’ll learn:

• Why “we’re too small to be targeted” is a logical fallacy (wide-net attacks don’t discriminate)

• Why cybersecurity is becoming a competitive advantage (customers + supply chain expectations)

• The real value of inventory + crown jewels thinking (“what breaks the business if we lose access?”)

• How CSF 2.0 evolved into a framework for organizations of all sizes and sectors

• Daniel’s “magic wand” first step: enable multi-factor authentication (MFA)

• The NIST Small Business Cybersecurity Corner (70+ free resources) and how resources are selected

• How to give feedback to NIST: csf@nist.gov and public comment periods

• A newer resource: Building Out Your Small Business Cybersecurity Team (MSP/MSSP, upskilling, universities, nonprofits)

Resources mentioned (as stated in the episode):

• NIST Small Business Cybersecurity Corner: nist.gov/itl/smallbusinesscyber

• CSF feedback email: csf@nist.gov

• (Referenced) OLIR / Informative References database (Daniel calls it “O-L-I-R”)

0:00 — Welcome + show disclaimer 1:25 — Meet Daniel Eliot (NIST): small business engagement

3:20 — Why NIST built small business resources (2014 + 2018 Acts)

4:56 — Where to find the “Small Business Cybersecurity Corner”

6:39 — “We’re too small” is a myth: why small businesses are targets

8:39 — Cybersecurity as a competitive advantage (customers + supply chain)

10:58 — Inventory & “crown jewels”: what happens if you lose access?

12:16 — Vendor/supplier incidents: resilience beyond your own systems

16:06 — CSF 2.0: why it’s now for all sectors (not just critical infrastructure)

18:03 — Magic wand advice: enable MFA

20:13 — Small Business CSF 2.0 Quick Start Guide (how it was built)

24:42 — How to give NIST feedback (email + public comment)

27:30 — Will CSF 3.0 happen soon? what might drive versioning

35:50 — OLIR: mapping CSF to other standards (crosswalk support)

44:41 — New resource: “Building Out Your Small Business Cybersecurity Team”

49:00 — Closing: Keep It Cyber Mettle!

#CyberMettlePodcast #NIST #CybersecurityFramework #CSF2 #SmallBusinessCybersecurity #MFA #CyberResilience #VendorRisk #SupplyChainSecurity #GRC #Cybersecurity

NIST small business cybersecurity, NIST CSF 2.0, cybersecurity framework 2.0, small business cyber resilience, multi factor authentication small business, NIST quick start guide, supply chain cybersecurity, vendor risk management, cybersecurity for SMBs, NIST cybersecurity resources, small business ransomware preparedness, cybersecurity inventory crown jewels, NIST OLIR informative references