"You can't wait for government to do it for you," he said. "Government does have value to add in intelligence and tactics. But everyone has to be part of the battlefield."
That, he said, would help to mitigate a "sense of powerlessness" he observes in many organizations. He said one executive told him that his company didn't even know what was on its network, and figured, "if we don't know, the bad guys don't know."
"That's a sense of disempowerment," he said. "We need to let people know they can have an effect."
Chertoff said there are three major components to risk management: threats, vulnerabilities and consequences.
Threats, he noted, come from criminals seeking to profit from things like stolen IDs and credit cards, hackers, nation states and insiders (or those who are able to pose as insiders).
The damage, he said, can range from personal embarrassment to the loss of intellectual property to damage to the nation's infrastructure or even the global financial system. While people might assume that even hostile nation states don't want a global financial meltdown, "in a world of sanctions, the intent could be to destroy," he said. "We need capability to defend against that. All you have to do is go back to 2008 to know how fragile the trust in the global financial system is."
Regarding vulnerability, he said each organization needs to determine what its priorities are. "What can you live without, or repair? You need an internal architecture that reflects that," he said, adding that security must be rigorous both outside and inside, since a perimeter will "slow people down, but it won't stop them. You need to do continuous monitoring to know what's going on."
Finally, addressing consequences means knowing "how you are going to deal with the reality that you are going to be breached."
This, he said, requires a "crisis management playbook" that everybody knows and that is regularly rehearsed. His firm, he said, has regularly found in client companies that many people "thought they knew the plan but didn't. That's critical for resiliency."
That and teamwork with others facing the same threats, he said, means "you will have every reason to think you will survive anything thrown at you."
Obstacles to effective collaboration remain, however, according to others at the event. William Guenther, CEO and founder of Mass Insight Global Partnerships, which launched and supports ACSC, said in opening remarks that while collaboration is a worthy goal, most companies "have a hard time finding talent," even in a region as prestigious academically as New England.
But, at a panel discussion later in the morning, where there was also talk of collaboration, Katie Moussouris, chief policy officer, HackerOne, suggested that one "giant, untapped reserve of talent is hackers, if we're interested in hearing from them instead of prosecuting them."