How many people do you have working to protect your data, systems and networks? Go ahead, count them up. We'll wait. Finished? Here's the bad news: Unless you've just counted every person in your organisation — not your IT department, but your entire enterprise — it's not enough. You need them all. Every secretary and salesman. Every receptionist and researcher. Every executive and engineer. Every manager and maintenance guy. You need them all on board. You need every one of them looking out for the information that's critical to your business. Do they have to be security experts? Of course not. You have an IT security team for that. But that's not enough. Look, we've all inherited our ideas about IT security from a simpler time. The data was in the glass house. We guarded it. Simple, right? No. It wasn't that simple. It wasn't enough then, either. Information was all over the organisation, in reports and notebooks, filing cabinets and desk drawers. Crooks and spies and hackers wormed their way in and walked away with critical information, even if they never got near the datacentre. Occasionally, we caught them in time. Usually we just learned about it later. Often, we never found out at all. The IT security team wasn't enough then. It's certainly not enough now. That's OK. You can get everyone else working for IT security too. But it's going to require some changes. First, you've got to understand that IT security pros aren't enough. Then you've got to understand that the rest of your organisation isn't the enemy. Your fellow employees may be a security problem, but they're not intent on destroying their jobs. Not most of them, anyhow. They're only a problem because they think IT security means a collection of annoying rules telling them they can't open a picture of Aunt Margie attached to an email message. That's the wrong end of the telescope. IT security is about protecting critical company assets, the information that's the lifeblood of the enterprise: customer data, financial information — everything that helps make the company successful and competitive. It's in every employee's interest to protect those assets — every employee except for the few crooks, spies and hackers on the inside. And except for those internal threats, it's not hard to get people to understand that IT security is in their interest. And that they have a part to play — a major part, one that in aggregate dwarfs what the IT security pros can do. They know how things are supposed to work. They know what looks a little odd. They know what rules will always be bent, what corners will always be cut. And they represent hundreds or thousands of eyes and ears and brains that can filter out the ordinary business and help spot the real threats. With a little support from you, a little explanation, a little training, they'll do it. They'll be glad to. Not because it's in their job descriptions, but because it's in their interest. That's the easy part. The hard part? It's for your IT security people to adjust to this strange new world in which thousands of employee eyes, ears and brains help them do their jobs. But they can do that. It's in their interest, too. The threats are out there — in greater numbers, with more sophistication and variety, and delivering orders of magnitude more attacks against you. To beat them, you need all the help you can get. You need the help of everyone in your organisation. And that's something you can count on.