With the increase of data breaches by several companies and organizations, the SEC, FTC, and other agencies are considering tougher cyber security regulations and rule making policies to force companies to increase their info security. On the other hand, the National Institute for Standards and Technology (NIST) recently released a voluntary Risk Management Framework after a year of collaboration between the private and public sectors. This roundtable will look at what this voluntary framework is really designed to do, discuss the framework's strengths and areas for improvement, and discuss how organizations can focus LESS on "compliance" and paperwork exercises and MORE on risk and tangible information security improvement.