Over the Horizon: Emerging Security Threats and Risks to the Enterprise

What issues, concerns and risks will you be facing in the near future?

By Michael Chertoff
Michael Chertoff Security Magazine October 2017

Secretary Michael Chertoff speaks at a recent The Chertoff Group Security Series, a community building event to discuss important national security and risk management issues, highlight innovation, and network with leading practitioners, policy makers, investors, and thought leaders.  Photo courtesy of The Chertoff Group

October 1, 2017

We are entering a period in which we are going to see an uptick in the number of security threats, both physical and in cyberspace. There is increasing global unrest. Over the past few months what we’ve seen electorally, in the U.S. but also in Europe and in other parts of the world, has been a manifestation of that. This has also been reflected in physical violence and inspired acts of terrorism, as we have tragically seen in Charlottesville and Barcelona. We will see this manifest online, too. Those of us in the security space have to raise our game to meet the growing demand for innovative security tools and strategies. As I learned during my time as Homeland Security Secretary, planning, equipping, training and exercising are what will prepare you to face unexpected threats.

In today’s business world, IT has become more ubiquitous than ever; much sensitive data is now online. Cyber connections are pervasive in every aspect of commercial activity. We use the internet to execute financial transactions, maintain customer and business data, manage financial and Human Resources functions and to direct operational activities, including industrial control systems. The new age of innovation is profoundly changing the economy through technology-driven tectonic shifts including social media, big data analytics, cloud mobility and the Internet of Things. Unfortunately, this golden age has enabled a new class of bad actors to take advantage of security vulnerabilities in these platforms, creating new risk in the form of cyber threat.

Consider the way businesses’ threat surfaces have evolved. Many unvetted endpoints access your networks under bring-your-own-device policies. Businesses depend upon subcontractors, and in so doing take on their vulnerabilities as well. The supply chain is also vulnerable to a variety of cyberattacks, and the Internet of Things makes its own considerable and increasing contributions to this threat surface.


Threat Actors

As much as we are seeing greater vulnerabilities across networks, we are seeing more threat actors as well. Cyber risk affects virtually every kind of enterprise. Those who carry out threats have almost every type of motivation imaginable: terrorists, “hacktivists,” disgruntled employees or customers. When you factor in accidental or negligent leaks of data, and the multiplying access points to information networks, the potential loss is staggering.

The scale of data theft has dramatically expanded in recent years. Yahoo lost a billion user accounts in two operations – one of them involved two Russian intelligence officials. The involvement of Russian spies suggests this was partly designed to further espionage activities. We’ve seen massive disruptions to business operations through “ransomware,” including the WannaCry, Petya and NotPetya episodes. The WannaCry attack ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. Additionally, a large pharmaceutical company had 75,000 machines affected by the malware and lost critical research.

These ransomware attacks have scaled from mere nuisances to material adverse business events. Over the past two months, thanks to Petya, FedEx reported “material” financial impact, Merck reduced its full-year 2017 GAAP EPS, and Mondelez, a snack and candy manufacturer, reported a three-percent reduction in the company’s second-quarter growth.

Incidents like WannaCry, Petya and NotPetya caused massive disruptions to enterprises worldwide on an unprecedented scale and indicate a rise in nation-state actors driving these kinds of attacks. We are now dealing with nation-state actors who are more sophisticated and whose motivations may not be as easy to anticipate as those of criminals.

So how do we secure enterprises in a risk environment where the attack surface keeps growing, and where the nature and number of threat actors, and the scale of what they are able to do, continue to expand?

We need to start with the presumption that you are indeed going to experience a cyber intrusion. It is not a matter of “if” but “when,” and we must focus on how to continue business operations, despite being under attack.


Risk Management, not Risk Elimination

Cybersecurity is about risk management, not risk elimination. Complete prevention of attacks is impossible; what is realistic is an in-depth security approach that operates layered defenses, rapidly mitigates harm and fosters resiliency and recovery.

Consider the human immune system as a model of resilient security. While our bodies repel many bacteria, viruses and contaminants, some will inevitably be ingested. Our healthy immune systems are designed with that expectation. They characterize the nature of the bacteria or other foreign matter, and destroy those that are harmful. Our cyber networks likewise need to repel many attacks, but anticipate that some will succeed in penetrating. For those, we want to be able to resist, recover and learn. Indeed, as humans we protect ourselves in part through immunization, which is in effect a form of information-sharing with our immune systems. Likewise, information-sharing ought to play a role in network security analogous to that which immunization plays in public health.

In risk management, we ask who are the threat actors, what are the consequences and what are the vulnerabilities. What you need to consider when you think of today’s cyber threats to your enterprise is how to protect the things that matter to your enterprise the most and to ensure that you apply a risk management approach that informs all functions of an organization and incorporates a variety of techniques. All organizations, regardless of size or industry, must identify those valuable assets that support critical business functions in a risk-based process. Organizations must link assets to business goals. This allows you to determine what information and information assets are important to the business.


The Ten Commandments of Cybersecurity

I’d recommend Ten Commandments for approaching cybersecurity:

  1. Know your perimeter. That means knowing, minimally, who is supposed to be allowed in. The perimeter is not enough, but we do need to survey endpoints and other actors.
  2. Establish segmentation to protect more sensitive types of data, and reflect that segmentation in appropriate allocation of administrative privileges.
  3. Establish strong access controls and identity management. The password is no longer good enough; every enterprise needs stronger methods of authentication.
  4. Employ continuous monitoring and diagnostics.
  5. Balance convenience against security. (And note that it’s a balance – too much emphasis on either can be dangerous.)
  6. Encrypt data at rest and in motion.
  7. Plan and monitor for the malicious insider threat.
  8. Consider and plan for the innocent, non-malicious insider threat. Here the key is training and exercising. (Behavioral monitoring and analysis can help here.)
  9. Design your network as a whole for security. Configure devices securely (and ask whether every device needs to be connected).
  10. Develop and exercise a sound incident response plan.


Dealing with Boards & Management

In today’s digital economy, you simply cannot have an effective digital or growth strategy without a tightly interwoven cybersecurity strategy. Security is now being perceived as a competitive differentiator and will continue to be a market distinguisher as technologies and threats continue to evolve in the years to come. But how do security practitioners convey this to management and the board?

It is valuable to have the CISO and CSO come before the board to walk members through what we’ve been seeing over the last quarter in terms of the nature of attacks, reconnaissance and security trends, and how we rank in terms of maturity. This can drive the CISO and the CSO and the entire security organization to ensure that they have a good story to tell.

When I was at DHS, I met with President Bush every week to go over the threat matrix. In preparation for the meeting, everybody in the relevant departments – the IC, DHS, FBI – made sure that word went out that we were going to be meeting with the President. It energized people to execute their responsibilities efficiently and fully. As a management tool, having someone come in to report to the board with metrics is a good way to motivate them.

Boards care about risk management, value creation and metrics. We need to empower board members and management. Don’t inundate the board with solutions or with unexplained data. Manage their expectations, and present them with understandable options as they manage enterprise risk. Most important, remember that while cybersecurity has technical aspects, fundamentally it is about human beings – both those who threaten us and those who have to secure us.

Finally, we need to keep the information fresh. CISOs should not underestimate the power to educate through current events. Make it risk-focused – this is a language that boards understand.


The Next Wave: The Internet-of-Things, Artificial Intelligence and International Norms

As we move into a period of more wirelessly connected so-called “smart devices,” security needs to be built into the device from inception. We are currently in a state where smart device deployment is running far ahead of any general security awareness. Currently, the IoT requires every consumer to validate whether a device has reasonable security, and that’s an approach that’s destined for failure. The IoT should be like food at the grocery store: you rely on safety regulations as a reasonable assurance that what you are consuming is safe. As with food safety (we don’t vet every piece of produce we buy at the supermarket for cleanliness or safety), there’s a proper role for regulation in IoT security. At a minimum, standards for IoT smart devices should allow changing passwords, updating and patching vulnerabilities. Regulation, properly applied, can actually foster a more secure IoT sector, and thereby promote more widespread adoption and use.

Finally, the shape of international conflict is evolving in cyberspace. Our core internet infrastructure, our global trading system and the financial system could all be at risk in a global conflict. We need to think of the internet as a global commons, like the sea, and, as we’ve done for that commons, we should evolve laws of armed conflict that protect the essentials – critical infrastructure – from malicious destruction. There are, of course, difficulties in doing so. For example, deterrence, a cornerstone of security, depends upon attribution of malicious activity, and attribution in cyberspace is notoriously difficult. But the public debate is essential, invaluable and inescapable.

Keywords: C-suite security, counterterrorism, cyber risk mitigation, Department of Homeland Security, Internet of Things (IoT) security, risk management

Michael Chertoff
The Honorable Michael Chertoff is Co-Founder & Executive Chairman of the Chertoff Group. As Secretary of the U.S. Department of Homeland Security from 2005 to 2009, Secretary Chertoff led the country in blocking would-be terrorists from crossing our borders or implementing their plans if they were already in the country. He also transformed FEMA into an effective organization following Hurricane Katrina. At The Chertoff Group, Secretary Chertoff provides high-level strategic counsel to corporate and government leaders on a broad range of security issues, from risk identification and prevention to preparedness, response and recovery. Before heading up the Department of Homeland Security, Secretary Chertoff served as a federal judge on the U.S. Court of Appeals for the Third Circuit. Earlier, during more than a decade as a federal prosecutor, he investigated and prosecuted cases of political corruption, organized crime, corporate fraud and terrorism – including the investigation of the 9/11 terrorist attacks. Secretary Chertoff is a magna cum laude graduate of Harvard College (1975) and Harvard Law School (1978). From 1979-1980 he served as a clerk to Supreme Court Justice William Brennan, Jr. In addition to his role at The Chertoff Group, Secretary Chertoff is also senior of counsel at Covington & Burling LLP, and a member of the firm’s White Collar Defense and Investigations practice group.
