Cyber security, to be successful, has to be a “team sport,” former Homeland Security secretary Michael Chertoff told attendees of the Advanced Cyber Security Center (ACSC) Conference at the Federal Reserve Bank of Boston Tuesday morning.

Chertoff, cofounder and executive chairman of the Chertoff Group, gave the conference keynote, titled “Left of Boom: How and where to invest across the kill chain.” He said organizations that go it alone, and especially those that rely only on prevention to protect themselves from cyberattacks, are “doomed.”

Not that this was a surprise to an audience that included numerous information security experts who have been preaching that message for some time. They are familiar with the “M&M” defense Chertoff invoked – hard on the outside but soft on the inside – and with his observation that most of the past year’s catastrophic high-profile breaches were caused either by insiders or by attackers who compromised insiders.

They are also aware that the attack surface is almost unlimited in an “Internet of Things” (IoT) world with an explosively expanding number of smart embedded devices.

“The architecture of the Internet creates a level of connectivity that is radically different from the way we live our physical lives,” Chertoff said, noting that physical document dissemination requires either “an affirmative action on our part” or theft.

With the Internet, “everything is connected by default,” he said, “so things in your study can become part of the wider world. The camera in your PC can literally create Big Brother in your own room.”

Add to that everything from BYOD (bring your own device) in the workplace to apps that let users adjust the heat, lock the doors and more in their homes, wearable medical devices, smart cars, critical infrastructure and aviation, and it is clear that, as Chertoff put it, “you’re not going to eliminate risk – this is about managing risk.”

Done effectively, he said, risk management could reduce the damage from breaches from a catastrophic to a nuisance level.

But so far, even managing risk has not been going so well. Chertoff noted many “very adept” organizations that have been breached during the past year. “Look at JP Morgan, which is at the forefront of cybersecurity,” he said. “And we’ve been reading stories about breaches at the White House and Russians penetrating a whole host of targets including the electrical grid.”

Still, Chertoff said he was bringing “an encouraging message.” He said Boston and the New England region “has the intellectual firepower” to improve risk management through teamwork. “That’s symbolized by this group,” he told the audience.

“You can’t wait for government to do it for you,” he said. “Government does have value to add in intelligence and tactics. But everyone has to be part of the battlefield.”

That, he said, would help to mitigate a “sense of powerlessness” he observes in many organizations. He said one executive told him that his company didn’t even know what was on its network, and figured, “if we don’t know, the bad guys don’t know.”

“That’s a sense of disempowerment,” he said. “We need to let people know they can have an effect.”

Chertoff said there are three major components to risk management: threat, vulnerabilities and consequences.

Threats, he noted, come from criminals seeking to profit from things like stolen IDs and credit cards, hackers, nation states and insiders (or those who are able to pose as insiders).

The damage, he said, can range from personal embarrassment to the loss of intellectual property to damage to the nation’s infrastructure or even the global financial system. While people might assume that even hostile nation states don’t want a global financial meltdown, “in a world of sanctions, the intent could be to destroy,” he said. “We need capability to defend against that. All you have to do is go back to 2008 to know how fragile the trust in the global financial system is.”

Regarding vulnerability, he said each organization needs to determine what its priorities are. “What can you live without, or repair? You need an internal architecture that reflects that,” he said, adding that security must be rigorous both outside and inside, since a perimeter will “slow people down, but it won’t stop them. You need to do continuous monitoring to know what’s going on.”

Finally, addressing consequences means knowing “how you are going to deal with the reality that you are going to be breached.”

This, he said, requires a “crisis management playbook” that everybody knows and that is regularly rehearsed. His firm, he said, has regularly found in client companies that many people “thought they knew the plan but didn’t. That’s critical for resiliency.”

That, together with teamwork with others facing the same threats, he said, means “you will have every reason to think you will survive anything thrown at you.”

Obstacles to effective collaboration remain, however, according to others at the event.

William Guenther, CEO and founder of Mass Insight Global Partnerships, which launched and supports ACSC, said in opening remarks that while collaboration is a worthy goal, most companies “have a hard time finding talent,” even in a region as academically prestigious as New England.

But at a panel discussion later in the morning, where there was also talk of collaboration, Katie Moussouris, chief policy officer at HackerOne, suggested one “giant, untapped reserve of talent is hackers, if we’re interested in hearing from them instead of prosecuting them.”

She acknowledged that much of what hackers do is illegal, but said, “a lot of them want to do the right thing – report a vulnerability and get it fixed. There needs to be a better way – we shouldn’t incentivize them to stay quiet, but to join the team of defenders.”

Moussouris, who previously worked for Microsoft, cited that company’s move about a decade ago to recruit hackers from Poland who called themselves LSD (Last Stage of Delirium) after they discovered a vulnerability that led to the release of the Blaster worm.

“That was a really progressive move on Microsoft’s part,” she said.