Over a year after I first wrote about the exposure draft, COSO, the same organization that provides the internal control framework used to assess controls over financial reporting, and therefore Sarbanes-Oxley compliance, for most public companies, has issued the final version of its "Enterprise Risk Management—Integrating with Strategy and Performance" (COSO-ERM). Because the framework is very likely to be used by risk management functions when communicating with executives and board committees, information security practitioners should become familiar with its language and its approach to risk management, so that technology risk information reaches decision makers and those responsible for governance in a consistent, aligned form.

Not a replacement for security frameworks

COSO-ERM is not a replacement for existing information security frameworks, nor was it designed to work with them. It is a business framework intended to address critical business issues, ensure alignment with strategic business objectives, and focus on risk management rather than internal control. It does not specify controls or provide checklists as the major information security frameworks do. Instead, COSO-ERM focuses on enabling the business to manage risk to an acceptable level within the constraints of its risk appetite.

It is this focus that gives technology risk management functions an opportunity to demonstrate value to their organizations. For example, many technology risk functions conduct risk assessments using NIST's "Guide for Conducting Risk Assessments" (SP 800-30 Rev. 1). The results of the assessment are then used to implement organizational security programs as described in NIST's "Managing Information Security Risk" (SP 800-39). Most information security professionals recognize the reputation and quality of these two publications and their value in helping information security officers manage their organization's technology risk. However, these same professionals struggle to communicate those risks at the enterprise level to executives and board members.

Speaking board language by using five components having twenty principles

Technology risk professionals will appreciate how COSO-ERM can help them translate technical challenges into strategic considerations that executives and board members can understand. Although the framework is not directed specifically at information security, technology risk management professionals can use its guidance to develop effective, business-accepted information security programs and strategies. The framework is divided into five components, each with between three and five principles (twenty in total), which together provide a consistent process for turning cybersecurity issues into practical business considerations.

The five components, and how their principles can be used to enhance cyber protection and information security programs, are:

Governance and culture

This component sets the tone at the top (C-suite) level, including ethics and behaviors. This risk area is the most challenging for risk professionals, because their influence over these issues may be limited in the boardroom or among executive management. As a result, these professionals tend to steer away from these critical issues. Yet these issues drive overall company culture and, ultimately, the success of any information security management program. Facilitating the board's ability to oversee information security, developing an effective program, helping to ensure an appropriate culture, translating core business values into risk management strategies, and ensuring that capable individuals are involved with the program, both within the information security function itself and among key end users, correspond to five of the twenty principles in the framework.

Strategy and objective setting

Given the organization's strategy, a risk appetite should be developed that defines what risks the organization is willing to accept in order to achieve its intended objectives. This component challenges many technology risk professionals because it requires executives and boards of directors to balance security against availability (e.g., customer service) concerns. In addition to risk appetite, this component includes principles addressing analyzing business context, evaluating alternative strategies and formulating business objectives.

Performance

The third component addresses the traditional cyber or information security risk assessments performed by most technology risk management functions. For many professionals, this component represents the core of what they do. It includes the principles of identifying risk, assessing the severity of risk, prioritizing risks, designing and implementing risk responses, and developing risk registers or portfolio views of risk. Encouraging professionals to think beyond this component alone, and to use the other components, including aligning to business strategies and performance expectations, gives them the opportunity to communicate effectively at the board level.

Review and revision

Risk assessment is not a one-time event. Rather, the three principles of this component, assessing change, reviewing risk and performance, and pursuing improvements to the ERM program, help ensure that assessment results remain relevant.

Information, communication and reporting

Many security functions have added a large number of logging and monitoring tools to their portfolios during the past year. These tools generate a great deal of data that must somehow be converted into actionable information for the appropriate business managers. The three principles associated with this component address exactly that: leveraging information and technology, communicating risk information, and periodic reporting.

Technology risk professionals continue to increase their influence within organizations. By adapting their products and services to the needs of their stakeholders, and communicating in terms those stakeholders understand, these professionals stand a much better chance of achieving their program objectives.