Admiral Michael Rogers, the director of the National Security Agency, said he expects a major cyberattack. \u201cIt\u2019s only a matter of the \u2018when,\u2019 not the \u2018if,\u2019 that we are going to see something dramatic.\u201d Many other security experts would agree with him:\n\nJohn Masserini, the charismatic Chief Information Security Officer at Miami International Holdings, recently told a gathering of 200+ Chief Security Officers that, \u201cEvery day Chief Information Security Officers wake up and worry, \u2018Is today going to be THE Day?\u2019\u201d\nSteven Young, VP Security & Risk Management and CISO at Kellogg Company, is similarly candid when he explains, \u201cSecurity never ends. It is a boxing match that goes on forever. It is just one big beating.\u201d\nEddie Schwartz, the former Chief Security Officer at RSA, liked to open his talks about information security with a slide featuring one white pawn arrayed against all the black chess pieces.\n\nWith quotes and images like this in mind, I queried boards of directors, senior executives, CIOs, and line of business directors as to what they were thinking and doing about information security. I specifically asked if we would ever reach a point where someone knowledgeable about the threat landscape would be able to sleep at night. All agreed that the path to less worry involves not only shrinking the attack surface [infosec speak for giving the bad guys a smaller target] but broadening the defense team [i.e., engaging the entire enterprise in the security endeavor]. Let\u2019s take a look at that second point, because broadening the defense team involves you. And me. In fact, to put the matter bluntly, we all work in information security now.\nInformation Security is Everybody\u2019s Business NowThere was a time \u2013 not so long ago \u2013 when information security issues were perceived as being the sole purview of a small cadre of hyper-specialized \u00fcber-geeks. This is no longer the case. Information security, if it is to be effective, has to be perceived by all \u2013 ALL employees \u2013 not as someone else\u2019s job or, worse, an activity that is standing in the way of them achieving their personal and institutional objectives.\nMark Connelly, the award-winning CISO at Thomson Reuters Corporation, has spun up at least three global security organizations in his career. One of the keys to success is demonstrating, first to key executives and then to the entire enterprise, that good security \u201cenables them to be successful.\u201d Masserini at Miami International Holdings says you know you have turned the corner on information security when executives start calling and asking, \u201cWe want to do this. What are the risks? Can you help us move forward?\u201d\nInvest Intelligently by Investing in PeopleFollowing the media frenzy associated with the Target and Home Depot breaches last year, projections indicate that annual security spending is growing at close to double digit rates, with expenditures associated with data loss prevention increasing three times as fast as general security spending. Karen Green, the CIO at Brooks Rehabilitation, says the question is not availability of investment, it is \u201cWhat\/where do we spend now versus six months from now, a year from now?\u201d\nIn answer to that question, Eddie Schwartz believes that much of the money invested to date in the security space is being mis-spent. Schwartz is adamant that firewalls, intrusion detection, anti-virus \u2013 most of the things that traditional security people have historically invested in \u2013 \u201care completely worthless against nation-sponsored attacks, determined criminals, anonymous or determined insiders \u2013 COMPLETELY WORTHLESS.\u201d\nSteven Young at Kellogg is an engineer. He loves architecture and has assembled an impressive and technically-sophisticated security team. That said, he is very focused on the human element: the behavioral element of information security. He told me, \u201cI don\u2019t think there is a bad dollar you can spend in awareness and training. I really don\u2019t.\u201d The 30,000 employees at Kellogg are recognized as the first line of cyber-defense.\nThe official mission of the security organization at Kellogg is \u201cpartnering with the business to help them deliver their goals in a secure manner.\u201d Similarly, in 2010, Malcolm Harkins, Vice President of the Information Technology Group, Chief Information Security Officer, general manager of Information Risk and Security at Intel and author of Managing Risk and Information Security, changed the mission of Intel\u2019s security team to \u201cProtect to Enable.\u201d Harkins explains that in the new world of information security, \u201crather than focusing primarily on locking down assets, the mission of the information security group must shift to enabling the business while applying a reasonable level of protection. To put it another way, we provide the protection that enables information to flow through the enterprise.\u201d Such protection can never take place apart from people.\nWhen our distant ancestors left the trees for the savannah, they needed to develop a new set of survival skills to cope with their new environment. Modern workers have also entered a new environment: a totally digitized world. To ensure both safety and survival, we all have to recognize our personal responsibility for information security.\nThis article was originally published on Forbes.