A
You're listening to the Cyberwire Network powered by N2K.
B
The word is COBIT. Spelled C for control, O and B for objectives, I for information, and T for technology. Definition: an IT governance framework developed by ISACA. Example sentence: The organization used the COBIT framework to coordinate its IT operations. Origin and context: In a 2021 LinkedIn essay by Edwin Covert, at the time of this episode the director of risk assessments and testing at Warner Bros. Discovery, he explains that experts define IT security auditing as those independent activities undertaken to verify whether an organization's internal cybersecurity controls are in place and functioning as intended. But, he says, in order to audit something, there needs to be a standard to audit against. COBIT is one of those standards. In the essay, Mr. Covert describes how IT security auditing components align as a pyramid of concepts that begin at the top and flow down into each other. The pyramid starts with the official laws at the top, followed by best practice frameworks. These generate control objectives and finally, at the base of the pyramid, the specific controls designed to meet the objectives. COBIT is not specifically a security framework, but an IT management framework that has some security components. It was created by ISACA, an international nonprofit founded in 1969 to provide guidance and education for governing IT systems. COBIT was released in 1996 and was originally meant to help financial auditors deal with the proliferation of IT systems. ISACA has released updated versions of the COBIT framework over the years, with the most recent being COBIT 2019. Not to be confused with COVID-19, the scary virus we've been dealing with for the past few years.
According to Sarah White at CIO Online, one major difference between COBIT and other frameworks from the International Standards Organization, the National Institute of Standards and Technology, and the Information Technology Infrastructure Library is that "COBIT 2019 isn't a framework for organizing business processes, managing technology, making IT-related decisions, or determining IT strategies or architecture. Rather, it's designed strictly as a framework for governance and management of enterprise IT across the organization." End quote. Nerd reference: Mark Pardee, back in 2016, was the IT governance program manager for a company called Dart Container. As of this episode, he's still there. He said back then that when he explains what COBIT is to his leadership team, he likes to think of his 85-year-old dad as the receiver of the information.
C
My dad's a little over 80 years old and he asked me what I do now and I was trying to explain what governance is, what IT governance is and how COBIT ties into that. That it's a framework, it gives me a structure to work within for creating policies and procedures and the different practices. And he's not technical at all. So it really forces me to look at it from a business language that he understands versus a technical language. So COBIT lends itself to that. When we're talking to business leaders, we don't talk about COBIT. We talk about the principles and the goals cascade and tying IT work to what's important to the business and the enablers around processes and people and skills and culture. And those are the things that make sense to the business leaders. And so if you can relate that to my dad in this case, then I know our CEO and our C-suite people are going to understand it.
B
Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Podcast: Hacking Humans (N2K Networks)
Episode Date: February 24, 2026
Subject: Deception, influence, and social engineering in cybercrime—introducing and explaining the COBIT IT governance framework.
This episode explores "COBIT"—a key IT governance framework—by breaking down its origins, purpose, application, and what distinguishes it from other frameworks. Practical context and anecdotes from industry experts illustrate how COBIT serves as a vital standard for IT organizations, especially in governance, audits, and alignment with business objectives.
[00:44] B:
"The word is COBIT. Spelled C for control, O and B for objectives, I for information, and T for technology."
"An IT governance framework developed by ISACA."
"The organization used the COBIT framework to coordinate its IT operations."
[01:13] B:
"IT security auditing components align as a pyramid:
[02:44] B:
“COBIT 2019 isn’t a framework for organizing business processes, managing technology, making IT-related decisions, or determining IT strategies or architecture. Rather, it’s designed strictly as a framework for governance and management of enterprise IT across the organization.”
– (citing Sarah White, CIO Online)
[04:14] C: Mark Pardee’s Anecdote
“My dad’s a little over 80 years old and he asked me what I do now and I was trying to explain what governance is, what IT governance is and how COBIT ties into that. That it's a framework, it gives me a structure to work within for creating policies and procedures and the different practices. And he's not technical at all. So it really forces me to look at it from a business language that he understands versus a technical language.”
“When we’re talking to business leaders, we don’t talk about COBIT. We talk about the principles and the goals cascade and tying IT work to what’s important to the business and the enablers around processes and people and skills and culture... So if you can relate that to my dad in this case, then I know our CEO and our C-suite people are going to understand it.”
“In order to audit something, there needs to be a standard to audit against. COBIT is one of those standards.”
– (B, [01:34])
“COBIT is not specifically a security framework, but an IT management framework that has some security components.”
– (B, [02:15])
“COBIT 2019 isn’t a framework for organizing business processes...it’s designed strictly as a framework for governance and management of enterprise IT across the organization.”
– (B quoting Sarah White, CIO Online, [03:20])
“So COBIT lends itself to that. When we're talking to business leaders, we don't talk about COBIT. We talk about the principles and the goals cascade and tying IT work to what's important to the business and the enablers around processes and people and skills and culture.”
– Mark Pardee, [04:42]
This "Word Notes" episode offers a deep dive into what COBIT is, why it matters, and how it fits into modern IT governance and auditing. It also shows the practical challenge of communicating technical frameworks in business terms so that leadership really gets their value—an essential social engineering skill in the world of cybersecurity.