Top-down vs. Bottom-up Risk Governance

by shah

Published June 20, 2017 in Technology

This deck was presented live at the Federal Computer Security Managers' Forum Offsite on Tuesday, June 20th, at NIST Headquarters in Gaithersburg, MD.

Background
Risk management can be done top-down, bottom-up, middle-out, or some combination of these. Many of our government institutions have insecure systems because they confuse compliance with security when assessing both their enterprise risks and their cybersecurity risks.

Key Takeaways
* Tie cybersecurity risks to enterprise risks
* Understand where compliance ends and where security begins or vice-versa
* Evaluate risk management frameworks from other countries to see where we’re lacking or more advanced