
When Government Can’t Protect Your Firm from a Cyberattack

January 5, 2017

This is a Wall Street Journal Q&A with Samar Ali, an attorney at Bass Berry & Sims who is also a professor of law at Vanderbilt and previously worked in the Obama administration on counterterrorism and cybersecurity issues.

Ms. Ali speaks about why companies shouldn’t rely on the government to protect them against cyberattacks, and what they should be doing to take responsibility for their own defense.

 

Was it wrong for companies to assume the government could protect them from cyberattacks? How has the government’s approach fallen short?

 

Ms. Ali: The government’s role in cybersecurity is a bit controversial because the global digital environment primarily is owned by the private sector. That makes it difficult for what the government can and cannot do. We are used to relying on the government, relying on the intelligence apparatus, to protect us from attacks coming from other countries or from individuals living outside the U.S. But the government can’t prevent all cyberattacks; it just can’t. We cannot rely on that.

 

Part of the defense rests with us as individuals and in the private sector. We need to get smarter on international threats, to think about how we protect ourselves. The government will do what it can; it will use diplomatic measures…it will try to create consequences for governments trying to break into private companies’ accounts. But it has to be realistic about what it can and cannot do.

 

What do companies need to do then?

 

Ms. Ali: There are four key players that should be at the table and three types of plans companies should have to deal with a cyberattack—a “before” plan, a “during” plan and an “after” plan. You need a tech expert, usually the chief information officer or the chief technology officer; a legal representative, usually the general counsel; someone from the executive suite, usually the chief operating officer; and someone from public relations. And maybe a human resources person for the individual training component and to think about disciplinary actions if someone breaches the cybersecurity policy. Each person brings a different skill to the table and all those skills are necessary for approaching cybersecurity.

 

Companies cannot just throw technology at the problem but that doesn’t mean they should leave the door unlocked. Even if you have a lock and somebody can break that lock, that doesn’t mean you don’t lock the door. You try to get the best alarm system but you also do other measures that are preventative—and those won’t be foolproof, either.

 

What else should they do?

 

Ms. Ali: Every person in the company should be getting trained around how to manage cybersecurity, especially on the “before” plan because each employee plays a role in that process. People, when they take their laptop or iPad on a business trip, need to be aware if they are signing into their bank account or a client account. If they are accessing company devices outside the U.S., what does that mean? What kind of risk exposure has that created? A lot of people don’t understand that.

 

People need to analyze, what is my risk level, what is my level of vulnerability? Ask why someone would want to hack you. If you are a bank and you say our software prevented 100 hacks today from IP addresses coming out of China, ask why they are trying to get in. Maybe they are trying to copy you, trying to learn. Or maybe they’re trying to get information to sell on the black market. If they are coming from Russia, is it the government there looking to control or influence, or individuals seeking monetary gains?

 

Make cybersecurity a board priority. On boards that I sit on, I ask how many people in the room know our cyber plan. Many are not yet comfortable with that terrain for discussion…but we need to make it our point to become experts. It can be intimidating at first but I don’t think the learning curve is as high as everyone thinks. When addressing cybersecurity, leadership and management are the keys. If you have a travel policy, there needs to be a section on cybersecurity. What electronics are you taking in and taking out of that country? Should you instead get a cell phone upon arrival? If you are using your own phone, make sure to turn the GPS off. There are best practices for everybody and there are best practices per industry.

 

[You may need a WSJ subscription to read the entire piece.]