Top-down vs. Bottom-up Risk Governance

This deck was presented live at the Federal Computer Security Manager’s Forum Offsite on Tuesday, June 20th at NIST Headquarters in Gaithersburg, MD.

Risk management can be done top-down, bottom-up, middle-out, or some combination of these. Many of our government institutions have insecure systems because they confuse compliance with security when reviewing their enterprise risks as well as their cybersecurity risks.

Key Takeaways
* Tie cybersecurity risks to enterprise risks
* Understand where compliance ends and security begins (or vice versa)
* Evaluate risk management frameworks from other countries to see where we’re lacking or more advanced

Shahid N. Shah

June 20, 2017