Episodes

  • COSO ERM Explained for CISOs | Enterprise Risk Management for Cyber Leaders (AICPA Review) S1E12
    Feb 17 2026

    In this Cert Corner episode, Omar Sangurima reviews the COSO Enterprise Risk Management (ERM) certificate offered through the AICPA. As cybersecurity professionals increasingly present to boards and executive leadership, understanding enterprise risk becomes critical. Omar shares his candid experience with the course structure, exam difficulty, cost, and practical value — and reflects on how ERM reframes risk as part of business strategy and performance. Alyson Laderman adds insight into how certification exams are built and why question clarity matters. A practical conversation for CISOs, aspiring CISOs, and cyber leaders looking to bridge the business-risk gap.

    CHAPTERS:

    00:00 – Welcome to Cert Corner

    00:37 – Why COSO ERM?

    02:55 – Don’t trust — verify: AI research and due diligence

    04:27 – Cyber risk vs. enterprise risk language

    05:39 – Are murky exam questions intentional?

    06:01 – How certification exams are made (behind the scenes)

    12:21 – Who should take COSO ERM?

    15:30 – Exam cost breakdown (member vs. non-member)

    18:35 – Course structure and prep time

    20:53 – Final exam format (open book, timed)

    21:50 – COSO ERM framework overview (5 domains, 20 principles)

    24:09 – Section exams vs. final exam experience

    28:54 – COSO vs. COBIT comparison

    29:47 – Certificate vs. certification (CPE requirements)

    31:19 – Translating cyber into business language

    33:20 – Measuring ROI over time

    35:29 – Lessons learned (and don’t cram during a snowstorm)

    📌 About COSO ERM

    The COSO Enterprise Risk Management framework integrates risk management into strategy and performance. Unlike cyber-focused frameworks (e.g., COBIT), ERM emphasizes enterprise-wide governance, business objectives, and organizational performance.

    🎙 About The Cyber Mettle Podcast

    Where law, business, and cybersecurity intersect. Practical conversations for professionals navigating risk, governance, leadership, and resilience.

    #CyberMettle #COSO #EnterpriseRiskManagement #ERM #CISO #CyberLeadership #BoardReporting #RiskManagement #Governance #CyberStrategy #AICPA #CertCorner

    36 min
  • GRC Isn’t a Checkbox: Dr. Mike Brass on AI Governance, Risk & the Three Lines of Defense S1E11
    Feb 13 2026

    GRC isn’t about checklists. It’s about structure, accountability, and human behavior.

    In this episode of The Cyber Mettle Podcast, Dr. Mike Brass — Head of Governance, Risk & Compliance and Enterprise Security Architecture at National Highways (UK) — joins Dr. Omar Sangurima and Alyson Laderman, Esq. for a deep dive into:

    • Why cybersecurity is fundamentally about human behavior

    • The evolution (and misuse) of “GRC engineering”

    • AI governance beyond the hype

    • The three lines of defense model and why it still matters

    • Why automation ≠ strategy

    • How apprenticeship models are reshaping cyber talent pipelines

    Dr. Brass brings a rare interdisciplinary lens — from archaeology and anthropology to global IT leadership — explaining why governance must be holistic, structured, and aligned to business outcomes.

    If your organization is being told AI can replace GRC… this conversation is for you.

    🔎 What We Cover:
    • Why GRC is a second-line-of-defense function — not a checkbox

    • The difference between automation and governance

    • Why AI controls must extend existing frameworks — not bypass them

    • The role of Enterprise Security Architecture (ESA)

    • Apprenticeships vs. “mythical unicorn” hiring

    • CAF, ISO 42001, NIST AI RMF, CSA guidance

    • Aligning security to business mission

    • Why governance is about asking “why” — not just “how”

    📘 Featured Book

    Governance, Risk and Compliance, by Dr. Mike Brass. Published by CRC Press (Taylor & Francis).

    ⚠️ Standard Podcast Disclaimer

    Though Dr. Brass and Dr. Sangurima are cybersecurity experts, and Alyson Laderman is an attorney, this podcast does not provide legal advice or specific cybersecurity consulting guidance. We share lived experience to help you think critically and make informed decisions.

    ⏱️ Chapters

    00:00 – Omar’s “Fanboy” Moment & Intro

    00:34 – Podcast Disclaimer

    01:26 – Dr. Mike Brass Background (Archaeology → Cybersecurity)

    03:46 – The Moment That Changed His View of Cybersecurity

    07:12 – Human Behavior as the Core of Security

    10:43 – Apprenticeships vs. Traditional Entry Paths

    14:54 – UK Cyber Apprenticeship Model Explained

    20:35 – Why Diversity of Thought Matters in Security

    22:48 – What GRC Actually Does (Second Line of Defense)

    28:47 – The “GRC Engineering” Debate

    32:54 – AI Marketing vs. AI Reality

    37:36 – AI Governance Frameworks (ISO 42001, NIST, CSA, ISACA)

    44:40 – Aligning Controls to Business Outcomes

    51:52 – AI, Supply Chain & Hidden Risk

    56:59 – Enterprise Security Architecture’s Role

    59:30 – Final Advice for Business Leaders

    1:01:07 – Book Mention & Where to Find It

    1:01:31 – Closing Thoughts

    #CyberSecurity #GRC #AIGovernance #RiskManagement #InfoSec #ThreeLinesOfDefense #CyberLeadership #Governance #EnterpriseSecurity #CyberMettle

    🔑 Keywords

    Dr Mike Brass interview, GRC explained, governance risk compliance podcast, AI governance framework, ISO 42001 overview, NIST AI RMF, CAF framework UK, three lines of defense cybersecurity, enterprise security architecture, cybersecurity apprenticeships UK, automation vs governance, AI risk management, cyber leadership strategy

    1 hr 2 min
  • Small Business Cybersecurity Made Practical (NIST CSF 2.0 + Quick Start Guide) | Daniel Eliot S1E10
    Jan 27 2026

    Small businesses aren’t “too small” for cybercrime; they’re often the easiest target. NIST’s Daniel Eliot breaks down free, practical on-ramps to CSF 2.0, starting with MFA. In this episode, Omar Sangurima and Alyson Laderman are joined by Daniel Eliot (NIST), who leads small business engagement in NIST’s Applied Cybersecurity Division. Together, they unpack what small businesses actually need to do to reduce risk without getting overwhelmed.

    You’ll learn:

    • Why “we’re too small to be targeted” is a logical fallacy (wide-net attacks don’t discriminate)

    • Why cybersecurity is becoming a competitive advantage (customers + supply chain expectations)

    • The real value of inventory + crown jewels thinking (“what breaks the business if we lose access?”)

    • How CSF 2.0 evolved into a framework for organizations of all sizes and sectors

    • Daniel’s “magic wand” first step: enable multi-factor authentication (MFA)

    • The NIST Small Business Cybersecurity Corner (70+ free resources) and how resources are selected

    • How to give feedback to NIST: csf@nist.gov and public comment periods

    • A newer resource: Building Out Your Small Business Cybersecurity Team (MSP/MSSP, upskilling, universities, nonprofits)

    Resources mentioned (as stated in the episode):

    • NIST Small Business Cybersecurity Corner: nist.gov/itl/smallbusinesscyber

    • CSF feedback email: csf@nist.gov

    • (Referenced) OLIR / Informative References database (Daniel calls it “O-L-I-R”)

    Chapters:

    0:00 — Welcome + show disclaimer

    1:25 — Meet Daniel Eliot (NIST): small business engagement

    3:20 — Why NIST built small business resources (2014 + 2018 Acts)

    4:56 — Where to find the “Small Business Cybersecurity Corner”

    6:39 — “We’re too small” is a myth: why small businesses are targets

    8:39 — Cybersecurity as a competitive advantage (customers + supply chain)

    10:58 — Inventory & “crown jewels”: what happens if you lose access?

    12:16 — Vendor/supplier incidents: resilience beyond your own systems

    16:06 — CSF 2.0: why it’s now for all sectors (not just critical infrastructure)

    18:03 — Magic wand advice: enable MFA

    20:13 — Small Business CSF 2.0 Quick Start Guide (how it was built)

    24:42 — How to give NIST feedback (email + public comment)

    27:30 — Will CSF 3.0 happen soon? what might drive versioning

    35:50 — OLIR: mapping CSF to other standards (crosswalk support)

    44:41 — New resource: “Building Out Your Small Business Cybersecurity Team”

    49:00 — Closing: Keep It Cyber Mettle!

    #CyberMettlePodcast #NIST #CybersecurityFramework #CSF2 #SmallBusinessCybersecurity #MFA #CyberResilience #VendorRisk #SupplyChainSecurity #GRC #Cybersecurity

    Keywords:

    NIST small business cybersecurity, NIST CSF 2.0, cybersecurity framework 2.0, small business cyber resilience, multi factor authentication small business, NIST quick start guide, supply chain cybersecurity, vendor risk management, cybersecurity for SMBs, NIST cybersecurity resources, small business ransomware preparedness, cybersecurity inventory crown jewels, NIST OLIR informative references

    45 min
  • Tough Conversations: How Online Grooming Actually Starts (Games, Chats, “Harmless” Apps) S1E9
    Jan 20 2026

    Online exploitation doesn’t look the way most people expect.

    In this episode of The Cyber Mettle Podcast, hosts Omar Sangurima and Alyson Laderman are joined by cybersecurity professional and parent Jessica Weiland to unpack how online grooming, sextortion, and digital exploitation actually begin, often through games, chat features, and apps children and teens use every day.

    Rather than focusing on fear, this conversation focuses on awareness, trust, and practical guidance. The panel explains how manipulation typically escalates gradually, why kids don’t always recognize danger in digital spaces, and how silence and shame increase harm.

    Topics discussed include:

    • How online grooming starts inside gaming platforms and chat tools

    • Why children don’t perceive avatars as real people

    • Sextortion scams targeting teens and young adults

    • AI-generated images, permanence of online content, and consent

    • App permissions, privacy erosion, and becoming “the product”

    • Social-engineering tactics that affect both kids and adults

    • How parents can have age-appropriate, non-shaming conversations

    • Why pausing under emotional pressure is a critical digital safety skill

    This episode is designed for parents, guardians, educators, and anyone responsible for helping young people navigate digital environments safely.

    Listener discretion advised.

    If this conversation resonates, please follow, rate, and share the episode to help more families start these conversations earlier.

    Chapters:

    00:00 — Intro: Why this is a “special episode”

    01:20 — Welcome + guest setup (Jessica Weiland)

    01:44 — Disclaimer + topic framing: sexploitation online / kids + connected toys

    03:17 — Jessica intro: cybersecurity + parenting + how this evolved from AIM to today

    05:08 — How gaming changed: from closed games to always-on social interaction

    06:50 — Start early: why digital safety conversations begin around age 5–6

    08:56 — “Stranger danger” online: Minecraft example + circle of trust

    10:03 — Kids don’t see “people” behind avatars

    12:10 — How manipulation starts: harmless questions → personal details (doxing parallels)

    14:07 — What to share online: social media, “private” apps, screenshots, permanence

    16:14 — “Trust no one until you can verify” (practical boundary-setting for kids)

    18:55 — AI + image manipulation: why “the internet is forever” is even harder now

    19:16 — The rule: if you feel unsure, end the conversation and tell a trusted adult

    20:12 — Consent framing: body + information + boundaries

    23:30 — Permanence: why consent becomes “effectively permanent” once shared online

    25:00 — Platforms + incentives: why takedowns don’t fix what spreads

    27:25 — App permissions: why games ask for camera/photos/contacts (and what that means)

    29:23 — Real-world sextortion scam example: dating app → fake “underage” claim → extortion

    32:57 — “People don’t rise to panic…”: why training/conversations matter before crisis

    33:48 — Pause under pressure: emotional triggers are the attacker’s advantage

    35:35 — Suicide risk + why shame/silence make outcomes worse

    36:33 — Social engineering lens: this impacts adults too (and that’s the point)

    41:09 — Call to action: share what’s worked for your family (comments)

    44:52 — Monitoring and parental controls: transparency + teachable moments

    47:06 — Tools + being present: approvals, room supervision, and explaining what’s “not normal”

    49:21 — Additional risk area: tech misuse in domestic violence / coercive control contexts

    50:38 — Final takeaways: curiosity, verification, and asking “why does this need Wi-Fi?”

    52:53 — Close: meet kids where they are + verify identities + wrap up

    1 hr 2 min
  • Cert Corner: Shared Assessments CTPRA - What’s on the Exam + Is It Worth It? S1E8
    Jan 13 2026

    Thinking about the Shared Assessments CTPRA certificate? Omar breaks down what’s actually tested, including SIG, standardized control assessments, and risk tiering, plus what surprised him. Also: proctoring, time management, pricing, and who this cert is really for.

    Welcome to the first episode of Cert Corner, a new Cyber Mettle segment where Omar shares practical, experience-based breakdowns of security and risk certifications.

    In this episode, Omar walks through his recent experience taking the Shared Assessments Certified Third-Party Risk Assessor (CTPRA) exam—what the content focuses on, what the exam style feels like, and what you should realistically expect if you’re considering it.

    Topics include:

    • The CTPRA vs. CTPRP (assessor vs. practitioner/architect perspective)

    • Why Shared Assessments emphasizes the SIG (Standard Information Gathering questionnaire)

    • The role of SCA (Standardized Control Assessment) and evidence-based validation

    • Risk tiering and how to defend tiering logic to business stakeholders

    • Exam logistics: 120 questions / 3 hours, proctoring experience, and pacing

    • Price/value considerations (including when it’s worth self-paying vs. employer-sponsored)

    • Prep course notes and what made the training effective

    Questions about CTPRA or CTPRP? Drop them in the comments.

    31 min
  • The Cyber Pipeline Myth: Why Entry-Level Cyber Jobs Are Broken | Jennifer Cutler-Scotti S1E7
    Jan 6 2026

    Is there really a cybersecurity talent shortage, or are we defining “entry-level” wrong?

    Jennifer Cutler-Scotti joins The Cyber Mettle Podcast to challenge the pipeline myth, explain how experiential learning fills real gaps, and outline what industry, academia, and government must do together to prepare the next generation of cyber professionals.

    CHAPTERS

    00:00 – Introduction & guest overview

    01:13 – Welcome to the Cyber Mettle Podcast

    02:58 – Jennifer Cutler-Scotti’s background and role at Texas A&M

    05:05 – “What do you want to be when you grow up?” framing cyber careers

    06:34 – People roles vs technical roles in cybersecurity

    08:25 – Why communication skills matter even for technical roles

    09:09 – Experiential learning and the “other education” at Texas A&M

    10:27 – Student clubs, certifications, and peer-led training

    11:21 – Internships, apprenticeships, and hands-on exposure

    12:38 – The entry-level job problem: 2–3 years required

    14:26 – Translating unpaid experience into resume value

    16:37 – Why career fairs don’t solve the problem

    18:28 – Industry engagement beyond recruiting

    20:14 – Where the disconnect between industry and academia happens

    24:00 – Are entry-level cyber roles disappearing?

    26:08 – Cyber readiness, cost barriers, and small businesses

    27:43 – Real-world student cybersecurity assessments

    31:03 – Risk prioritization, budget realities, and human behavior

    33:52 – Why textbooks can’t keep up with cyber reality

    40:37 – Why cybersecurity education must start earlier

    42:35 – Teaching security before systems are built

    45:58 – The future of cyber, AI, and data science careers

    49:55 – Industry, academia, and government alignment gaps

    54:16 – Training, retention, and investing in people

    56:36 – Final reflections and call to engage students

    1 hr
  • Tough Conversations: Lawyers as Homies -- Why Lawyers Aren’t Your Enemy (Cyber, Business & Reality Checks) S1E6
    Dec 23 2025

    Lawyers often get called when everything has already gone wrong. In this episode of The Cyber Mettle Podcast, Omar Sangurima and Alyson Laderman explain why that mindset is backwards. Drawing on decades of legal and cybersecurity experience, they unpack why lawyers aren’t your enemy, why prevention matters more than cleanup, and why legal professionals and cyber teams think far more alike than most people realize. This is an honest, practical conversation about trust, risk, and why having the right experts on your side early can change everything.

    CHAPTERS

    00:00 – Welcome to The Cyber Mettle Podcast

    02:30 – Why lawyers have such a bad reputation

    04:20 – Lawyers as bearers of bad news

    06:00 – Media portrayals and the “villain lawyer” trope

    08:00 – Why prevention is cheaper than litigation

    11:00 – Lawyers, cyber professionals, and shared thinking models

    14:30 – Personal stories: business, contracts, and buying a home

    17:00 – Specialization in law, medicine, and cybersecurity

    20:00 – Choosing the right lawyer for the right job

    23:30 – Courtroom experience and real-world nuance

    27:00 – Why lawyers are trained to learn anything quickly

    30:00 – The danger of lying to your lawyer

    33:00 – AI, ChatGPT, and legal reality checks

    36:00 – Instant gratification vs real legal thinking

    39:00 – Emotional weight and responsibility of legal work

    42:00 – Lawyers as allies, not friends-for-hire

    45:00 – Gray areas, judgment, and real-world decision-making

    49:00 – Final thoughts: why lawyers belong on your team

    Be sure to subscribe, so that you don't miss the latest episodes of The Cyber Mettle Podcast.

    51 min
  • AI Isn’t “Set It and Forget It”: Model Drift, Governance, and the Real Risks Leaders Miss with Guest Aby Rao S1E5
    Dec 16 2025

    AI doesn’t usually fail loudly. It drifts — quietly, gradually, and often invisibly.

    In this episode of The Cyber Mettle Podcast, Alyson Laderman and Dr. Omar Sangurima are joined by cybersecurity and AI security leader Aby Rao to unpack the risks organizations overlook when they treat AI as a one-time implementation instead of a living system.

    The conversation moves beyond hype to explore why AI requires continuous governance, how model drift undermines business goals, and why “responsible AI” often lacks clear ownership inside organizations. The panel also tackles shadow AI, data leakage risks, and what small and mid-sized businesses can realistically do without enterprise-level tooling.

    The episode closes with a forward-looking discussion on where AI adoption is headed in 2026, including why GenAI will become table stakes, where agentic AI has limits, and why AGI remains the true wildcard.

    This is a practical, leadership-focused discussion for executives, security professionals, legal teams, and anyone responsible for deploying AI in real organizations, not just talking about it.

    Chapters / Timestamps

    00:00 – Introduction & Episode Focus: Why AI maintenance, not novelty, is the real leadership challenge

    01:00 – Aby Rao’s Background in Cybersecurity & AI: From IAM and cloud security to AI risk and governance

    02:10 – AI Doesn’t Break — It Drifts: Why model drift is more dangerous than outright failure

    04:00 – “Set It and Forget It” Is a Myth: Why AI requires continuous operations, not one-time installs

    05:00 – Measuring Success: Goals, KPIs, and Drift Indicators: How organizations should track whether AI is still doing what it was designed to do

    07:00 – Governance, Audits, and Independent Oversight: Why AI ecosystems need external perspectives—not just builders

    08:30 – Responsible AI: Everyone’s Job, No One’s Owner: The accountability gap holding organizations back

    10:30 – Ethics, Incentives, and the Missing Role of AI Ownership: Why “responsible AI” struggles without clear leadership

    12:00 – Regulation, Liability, and Why Case Law Will Matter: How accountability will likely be enforced before legislation catches up

    14:00 – Healthcare, Bioethics, and Where AI Ethics Already Exists: Why some industries are ahead of others on ethical guardrails

    15:30 – Frameworks vs. Reality: Why NIST AI RMF helps—but isn’t enough on its own

    16:00 – Start With Business Goals, Not Technology: Why buying AI first and figuring out value later is risky

    18:00 – AI Isn’t New—We’ve Been Automating for Years: Reframing AI as evolution, not revolution

    20:00 – Shadow AI and Data Leakage Risks: How employees quietly introduce risk using unsanctioned tools

    21:30 – AI DLP and Monitoring Without Policing: How organizations can detect misuse without killing productivity

    23:30 – Practical Advice for Small Businesses: Affordable steps: training, secure browsers, and awareness

    25:30 – AI in 2026: What Changes and What Doesn’t: GenAI as table stakes, agentic AI’s ceiling, and AGI’s potential impact

    28:30 – What Aby Is Watching Next: Tracking AI maturity, leadership ownership, and real-world execution

    29:30 – Closing & Where to Find More from Aby Rao

    30 min