Aligning cybersecurity strategy and performance with updated COSO ERM guidance

Sep 25, 2017 | 5 min read
Data and Information Security | IT Leadership | Risk Management

Recently released COSO-ERM framework provides guidance to enable cyber and information security professionals to communicate risks and threats in language that stakeholders can understand and take action on.


Over a year after I first wrote about the exposure draft, COSO (the same organization that provides the internal control framework used to assess controls over financial reporting, and therefore Sarbanes-Oxley compliance, at most public companies) has issued the final version of its “Enterprise Risk Management—Integrating with Strategy and Performance” (COSO-ERM). Because risk management functions are very likely to use the framework when communicating with executives and board committees, information security practitioners should be familiar with its language and its approach to risk management, so that technology risk information reaches decision makers and those responsible for governance in a consistent, aligned form.

Not a replacement for security frameworks

COSO-ERM is not a replacement for existing information security frameworks, nor has it been designed to work with them. It is a business framework intended to address critical business issues, ensure alignment with strategic business objectives, and focus on risk management rather than internal control. It does not specify controls or provide checklists, as the major information security frameworks do. Instead, COSO-ERM focuses on enabling the business to manage risk to an acceptable level within its risk appetite constraints.

This focus gives technology risk management functions an opportunity to demonstrate value to their organizations. For example, many technology risk functions conduct risk assessments using NIST’s “Guide for Conducting Risk Assessments” (SP 800-30 Rev. 1). The assessment results are then used to implement organizational security programs as described in NIST’s “Managing Information Security Risk” (SP 800-39). Most information security professionals recognize the reputation and quality of these two publications in helping information security officers manage their organization’s technology risk. However, these same professionals are challenged when communicating those risks at the business enterprise level to executives and board members.

Speaking board language: five components and twenty principles

Technology risk professionals will appreciate how COSO-ERM can help them translate technical challenges into strategic considerations that executives and board members can understand. Although it is not specifically directed at information security, technology risk management professionals can use its guidance to develop effective, business-accepted information security programs and strategies. The framework is divided into five components, each with between three and five principles, which together provide a consistent process for turning cybersecurity issues into practical business considerations.

The five components and how their principles can be used to enhance cyber protection and information security programs include:

Governance and culture

This component sets the tone at the top (C-suite) level, including ethics and behaviors. This risk area is the most challenging for risk professionals because their influence over these issues may be limited in the boardroom or among executive management. As a result, these professionals tend to steer away from these critical issues. Yet these issues drive overall company culture and, ultimately, the success of any information security management program. Five of the framework’s twenty principles fall in this component: facilitating the board’s ability to oversee information security, developing an effective program, helping to ensure an appropriate culture, translating core business values into risk management strategies, and ensuring that capable individuals are involved with the program, both within the information security function itself and among key end users.

Strategy and objective setting

Given the organization’s strategy, a risk appetite should be developed to define what risks the organization is willing to assume to achieve its intended objectives. This component challenges many technology risk professionals because it requires executives and boards of directors to balance security against availability (e.g., customer service) concerns. In addition to risk appetite, this component includes principles addressing analyzing business context, evaluating alternative strategies, and formulating objectives.

Performance

The third component addresses the traditional cyber or information security risk assessments performed by most technology risk management functions. For many professionals, this component represents the core of what they do. It includes the principles of identifying risk, assessing the risk’s severity, prioritizing risks, designing and implementing responses, and developing risk registers or portfolio views of risk. Encouraging professionals to think beyond this component alone, and to use the other components, including alignment with business strategies and performance expectations, gives them the opportunity to communicate effectively at the board level.

Review and revision

Risk assessment is not a one-time event. Rather, the three principles of this component (assessing change, reviewing risk and performance, and pursuing improvements in the ERM program) help ensure that the assessment results remain relevant.

Information, communication and reporting

Many security functions have added numerous logging and monitoring tools to their portfolios during the past year. These tools generate large volumes of data that must somehow be converted into actionable information for the appropriate business managers. The three principles associated with this component do just that: leveraging information and technology, communicating risk information, and reporting periodically.
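As an added illustration of the Performance component (identify, assess severity, prioritize, build a portfolio view) and of the reporting component above, the following Python sketch rolls a technical risk register up per business objective and compares it with a stated risk appetite so that the result reads in business terms. This code is not from the article, COSO or NIST; the register entries, the 1-to-5 likelihood and impact scales, the appetite thresholds and the objective names are all constructed assumptions.

```python
"""Added illustration (not from the article or from COSO): rolling a technical
risk register up into a portfolio view per business objective and comparing it
with the organization's stated risk appetite, so findings can be reported in
business language. All entries, scales and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class RiskEntry:
    """One line of a technical risk register (constructed example data)."""
    risk_id: str
    description: str
    business_objective: str      # the strategic objective the risk threatens
    likelihood: int              # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe), assumed scale
    response: str                # planned treatment, e.g. "mitigate", "accept"


def severity(entry: RiskEntry) -> int:
    """Severity as likelihood x impact on the assumed 1..5 scales (range 1..25)."""
    return entry.likelihood * entry.impact


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register by severity, highest first (ties keep register order)."""
    return sorted(register, key=severity, reverse=True)


def portfolio_view(register: list[RiskEntry]) -> dict[str, dict]:
    """Aggregate the register per business objective: count, top severity, total."""
    view: dict[str, dict] = defaultdict(
        lambda: {"count": 0, "max_severity": 0, "total": 0, "risks": []})
    for entry in register:
        bucket = view[entry.business_objective]
        s = severity(entry)
        bucket["count"] += 1
        bucket["total"] += s
        bucket["max_severity"] = max(bucket["max_severity"], s)
        bucket["risks"].append(entry.risk_id)
    return dict(view)


def compare_to_appetite(view: dict[str, dict], appetite: dict[str, int]) -> dict[str, dict]:
    """Flag objectives whose highest severity exceeds the tolerated threshold.
    `appetite` maps objective -> maximum tolerated severity; an objective missing
    from it is reported as 'no appetite stated' so that gap is itself visible."""
    findings = {}
    for objective, bucket in view.items():
        limit = appetite.get(objective)
        if limit is None:
            status = "no appetite stated"
        elif bucket["max_severity"] > limit:
            status = "above appetite"
        else:
            status = "within appetite"
        findings[objective] = {"status": status,
                               "max_severity": bucket["max_severity"],
                               "limit": limit}
    return findings


def board_summary(findings: dict[str, dict]) -> list[str]:
    """Render findings as plain business-language lines, worst objectives first."""
    order = {"above appetite": 0, "no appetite stated": 1, "within appetite": 2}
    lines = []
    for objective, f in sorted(findings.items(),
                               key=lambda kv: (order[kv[1]["status"]], kv[0])):
        limit = "not set" if f["limit"] is None else str(f["limit"])
        lines.append(f"{objective}: {f['status']} "
                     f"(highest risk severity {f['max_severity']}, tolerated {limit})")
    return lines


# Constructed sample register and appetite (illustrative values only).
SAMPLE_REGISTER = [
    RiskEntry("R1", "Unpatched internet-facing web server", "Online sales availability", 4, 5, "mitigate"),
    RiskEntry("R2", "Shared admin credentials in support team", "Customer data confidentiality", 3, 4, "mitigate"),
    RiskEntry("R3", "Backup restore untested for 12 months", "Online sales availability", 2, 5, "mitigate"),
    RiskEntry("R4", "Legacy reporting tool lacks MFA", "Financial reporting integrity", 2, 2, "accept"),
]
SAMPLE_APPETITE = {
    "Online sales availability": 12,
    "Customer data confidentiality": 8,
    # "Financial reporting integrity" deliberately absent: no appetite stated yet
}

if __name__ == "__main__":
    view = portfolio_view(SAMPLE_REGISTER)
    for line in board_summary(compare_to_appetite(view, SAMPLE_APPETITE)):
        print(line)
```

The point of the roll-up is the last step: a board member does not need the individual findings, only which strategic objectives sit outside the appetite the board itself approved, and where no appetite has been stated at all (a Strategy and objective setting gap rather than a technical one).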

Technology risk professionals continue to increase their influence within organizations. By adapting their products and services to the needs of their stakeholders, and by communicating in terms those stakeholders understand, these professionals stand a much higher chance of achieving their program objectives.


Joel Lanz is the founder and principal of Joel Lanz, CPA, P.C., a niche CPA practice focusing on information and technology governance, risk, compliance and auditing. Prior to starting his practice in 2001, Joel was a technology risk consulting partner at Arthur Andersen (1995-2001) and a manager at Price Waterhouse (1986-1991). He currently serves as a reference member of the American Cancer Society's audit committee. His industry experience includes a job as vice president and audit manager at The Chase Manhattan Bank (1991-1995) and senior IT auditor positions at two insurance companies (1981-1986).

Joel currently chairs the AICPA’s Information Management and Technology Assurance Executive Committee and previously chaired the AICPA's CITP credential committee (IT specialist certification for CPAs) and co-chaired the AICPA’s Top Technology Initiatives Task Force. Joel's prior contributions to professional organizations include serving as chairman of the New York State Society of CPAs Technology Assurance and Information Technology Committees.

Joel is a member of the editorial board of The CPA Journal. He frequently speaks at professional society and industry conferences, including the AICPA, NYSSCPA and IIA, and he is an adjunct professor at New York University’s Stern School of Business and at the State University of New York's College at Old Westbury.

Joel holds a BBA in accounting and an MBA with a focus on information systems from Pace University's Lubin School of Business Administration.

The opinions expressed in this blog are those of Joel Lanz and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.