Top-down vs. Bottom-up Risk Governance

This deck was presented live at the Federal Computer Security Manager’s Forum Offsite on Tuesday, June 20th at NIST Headquarters in Gaithersburg, MD.

Background
Risk management can be done top-down, bottom-up, middle-out, or some combination of these. Many of our government institutions have insecure systems because they confuse compliance with security when reviewing both their enterprise risks and their cybersecurity risks.

Key Takeaways
* Tie cybersecurity risks to enterprise risks
* Understand where compliance ends and where security begins, or vice versa
* Evaluate risk management frameworks from other countries to see where we’re lacking or more advanced

Shahid N. Shah

June 20, 2017