What are information security rules for, if not for breaking? If nobody breaks your rules, then how will you know the true impact of such a violation?
It is naive to think that the user community is sitting idly by and following the rules and policies. You can be sure they are busy finding ways to get around your controls, and often they are forced to do so to become more productive.
I often hear IT departments being referred to as Dr. No, and this doesn't have to be the case.
Both technology and user sophistication are growing exponentially, and the trick is to find a way to harness this energy for the benefit of the company.
Obviously, these developments are also creating information security risks exponentially, and this is the tension you need to manage.
An obvious technique is to use pilots. I see in the not-so-distant future a realistic demand from the user base to bring their own equipment on a structural scale.
To truly understand what this means and how we can deal with it, I bought a Mac laptop and brought it into the office and simply asked my team to make it work.
I asked them to imagine this was brought in by a new employee and part of that person's contract was the use of their own equipment.