Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Cybersecurity News

4 Challenges to Address in Corporate Cyber War

We are fighting a cyber war and need to take proactive steps to protect ourselves and our companies as the virtual bullets fly.

By David Elfering, Ron Woerner
Corporate cyber war

Ron Woerner

Corporate cyber war

David Elfering

Corporate cyber war
Corporate cyber war
September 1, 2014

We are fighting a cyber war and need to take proactive steps to protect ourselves and our companies as the virtual bullets fly.  The best place to learn about handling warfare tactics is the U.S. Army, as their Field Manual FM 5-0, The Operations Processprovides many insights that enterprise security executives can use to defend their territory (assets) in this time of war.

The foreward from FM 5-0 tells the same story in the cyber world as it does in the physical world. It says: “The environment in which we conduct operations is characterized by four clear trends: growing uncertainty, rapid change, increased competitiveness, and greater decentralization. Given these trends, our leaders must expect and be prepared to confront a variety of complex problems, most of which will include myriad interdependent variables and all of which will include a human dimension.” 

This was very evident in April 2014 when many cybersecurity professionals were busy checking and patching information systems, networks and websites. The Heartbleed bug turned into one of the biggest Internet security threats of all time when more than half a million widely trusted websites became vulnerable to criminals lurking online. The simple software flaw in OpenSSL gave crooks an open door that sent thousands of enterprise security professionals scrambling to address this wide-ranging vulnerability. 

Flawed software, however, barely scratches the surface of today’s threats to the enterprise. Cybercrime cost U.S. companies an average of $11.5 million in 2012, according to a study by the Ponemon Institute, up 26 percent compared with the previous year. Cybercrime continues to grow and show increasing signs of hurting our nation’s critical infrastructure.

A look through Army FM 5-0 reveals strategies for combating Cyber War within a corporate environment. 

 

Challenge #1:

Command and Control

Peter Drucker once wrote: “Effective executives don’t make a large number of decisions. They concentrate on important ones...” In Army FM 5-0 terms, “Commanders are responsible for planning.”

That’s a pretty simple but profound observation, one that escapes many of us brought up in an age that prizes management rather than leadership.

Establishing the proper command and control for security is now seen as an essential business function, especially after the recent Target breach. However, equally important is the authority to act in the best interests of the organization. All too often there is a gray area between the enterprise security executive’s responsibilities and his/her level of authority. It’s common for security professionals to have authority over decisions such as updating security software releases. They also typically have the power to suggest new technologies and recommend ways to strengthen security for the company. However, when it comes to acting on those recommendations, they are often powerless to make the final decision and move things forward. Yet, they are left holding the bag when breaches happen.

This must change. Organizations need to designate a single qualified and competent individual who can take command and have the ability to lead the security of the enterprise.

           

Challenge #2:

Prioritizing Risk

“When commanders embrace opportunity, they accept risk. It is counterproductive to wait for perfect preparation and synchronization.”

“Given the nature of operations, the object of planning is not to eliminate uncertainty but to develop a framework for action in the midst of it... The measure of a good plan is not whether execution transpires as planned but whether the plan facilitates effective action in the face of unforeseen events.”

Authority does not translate into unlimited resources to tackle every possible security risk.  Every minute, of every hour, of every day, a major financial institution is under attack. The U.S. Department of Energy fends off more than 10 million attacks every day.  The U.S. government sees 15,000 cyber attacks each day. And, companies are attacked an average of two million times a week.

When you consider how many attacks are attempted every day, it’s astonishing more security breaches don’t occur. With so many threats, it’s not realistic to expect 100-
percent security. Breaches happen.

Establishing command and control gives the power to professionals so they can properly assess the risks and determine which threats pose the greatest danger and must be considered a high security priority. Authority also requires that they identify potential threats that may be considered “acceptable risks” to the organization – meaning they are worth keeping an eye on, but don’t warrant a significant security investment. This is where thinking like the enemy comes into play – who would want to harm your organization and why? How would threat actors exploit vulnerabilities and breach security?

Once security professionals have identified organizational threats, they must then prioritize and defend.  Prioritization starts by assessing each risk individually and its potential impact to the organization should a breach occur. 

  • What is the size of the breach – how many potential records are exposed or compromised?
  • What is the cost of the breach to the organization?
  • What is the impact to the company – reputation, customer churn?
  • How long would it take for the company to recover from the breach?

By quantifying the total impact of the breach, security professionals can build a strong business case for prioritizing the largest security threats.  So, don’t be your own worst enemy – prioritize the biggest risks and prepare for the inevitable security breach.

 

Challenge #3:

The Changing Battlefield

“Military operations are characterized by the continuous, mutual adaptation of give and take, moves and countermoves among all participants. The enemy is not an inanimate object to be acted upon but an independent and active force with its own objectives. While friendly forces try to impose their will on the enemy, the enemy resists and seeks to impose its will on friendly forces… As all sides take action, each side reacts, learns, and adapts.”

You can’t do business in a bubble – you can’t protect everything all of the time. No matter how well you plan, breaches happen. And, when you’re faced with a breach, it’s critical you have a plan that enables you to respond quickly and effectively. 

By simply knowing you can’t fend off every intruder – that your security will fail at some point – you’re already ahead of the game. Next, you will need to analyze everything and develop an action plan. Answering the following questions will get you started:  

  • How do you know when there’s a real or potential breach?
  • Where do you look for breach information in your systems? 
  • Are you logging the right information?  
  • What’s your process for validating the information? 
  • What’s the process for escalating? 
  • When do you get law enforcement involved? 
  • How do you work with law enforcement?  
  • Do you have the right staff in place for conducting a cyber-investigation? 

Now dig deeper and plan even more. The CIO Cyberthreat Response & Reporting Guidelines document is a good resource for organizations looking for guidance on what to include in a quick response plan, what to report and when to contact law enforcement.

Everybody is vulnerable. Failure is inevitable. The battlefield is continually changing. That’s why it’s critical to understand that something will go wrong. And, when it does, you’d better know exactly what steps to take to stem the losses. In other words, you need to know how to fail. 

 

Challenge #4: 

Establish Effective Policies

“Effective planning incorporates the concept of mission command... concentrates on the objective of an operation and not on every detail of how to achieve that objective.”        

Policy is a framework of intent. This is an ongoing evolution of the concept of principle-based agreements with other key people. Doing this relies on emotion as much as logic. People need emotional buy-in for them to internalize an idea. To do that requires us to enable them to lead from the middle. Anything less wastes a precious commodity – the power of people to be creative and be multipliers of strategic intent. Moreover, being overly dictatorial can actually cripple execution, create more risk rather than less and imbue the body of our companies with antibodies against the overly prescriptive rules. The Henry Ford factory model for mass production is not effective for most knowledge-worker centered workplaces of the 21st Century.

As a practical example, consider the security risk issues of cloud computing in its many guises. You could simply write out a one-line policy – “No” - or perhaps a treatise on what is allowable under most of the cloud-based scenarios you can think of. Either policy is effectively null before the first email goes out the door. Let’s focus on our intent. We want to make sure the risk is assessed and logical decisions are made. Business can be affected, sensitive or critical data lost, etc. Reaching out to a cross-domain group to meet, discuss the risks and explore the technology applications will enable them to understand the security intention (protecting corporate interests) and allow us to better understand their business needs/plans. The best possible outcome is to magnify the security intention by creating a strategy network of change agents who use policies to guide actions, not dictate them.

Doing this enables those change agents to apply their business domain expertise in concert with our security intent. They will feel and be empowered. We can impart a shared sense of urgency on a specific issue or initiative. It flattens hierarchy, and in our current, dynamic business conditions this is a change for the better. Overly obsessive micromanagement in the form of rigid hierarchy is not effective at creating change. People will fear violating rules that were created in an isolated management vacuum.

The Army Field Manual FM 5-0 on the Operations Processprovides enterprise security executives with many relevant considerations in fighting today’s cyber war. If we are not learning from those who have gone before us, we are not formulating plans for effective action. Furthermore we are not equipping our organizations to operate in the fog of war. 

 

About the Authors: Ron Woerner is a noted speaker and writer in the security industry and the Director of the M.S. Cybersecurity program at Bellevue University. He is a Certified Information Security Professional (CISSP) and Certified Ethical Hacker (CEH). David Elfering is an enterprise information security leader for a Fortune 1000 transportation company. He built the information security department from scratch; building tactical and strategic scope. His current work is transitioning from best practice to business practice through focus on security framework. 

KEYWORDS: cbersecurity news cyber espionage cyber risk mitigation cyber warfare hackers security challenges

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Ron Woerner is a noted speaker and writer in the security industry and the Director of the M.S. Cybersecurity program at Bellevue University, an award-winning leader in educating adult learners online and in the classroom. He has 20 years of corporate experience in information technology and security, and he has worked for HDR, TD Ameritrade, ConAgra Foods, Mutual of Omaha, CSG Systems and the State of Nebraska. Ron earned his B.S. in computer science from Michigan State University and his M.S. in information resources management from Syracuse University. He is a Certified Information Security Professional (CISSP) and Certified Ethical Hacker (CEH).

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Logical Security
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
close

1 COMPLIMENTARY ARTICLE(S) LEFT

Loader

Already Registered? Sign in now.

Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Education feature image

    Educating Employees to Build Better Cyber Security

    See More
  • Employees over a computer

    4 Ways to Improve IT Collaboration

    See More
  • Generic Image for Cyber Security

    Hire a Hacker: A 2013 Security Imperative

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • Hospitality-Security.gif

    Hospitality Security: Managing Security in Today's Hotel, Lodging, Entertainment, and Tourism Environment

  • 9780367339456.jpg.jpg.jpg

    Cyber Strategy: Risk-Driven Security and Resiliency

See More Products
×
Ron Woerner
David Elfering

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!