I came across an interesting article which illustrates the growing challenges in IT security.
“The IT guys have been told to do one job, so they [lock things down and] rule out the use of Google docs. And the workers are told to do another job, to get their work done, so they start using Google docs, and the power balance is moving away from the IT guys,” says Josh Klein, co-author of Hacking Work, a guide on how to “break stupid rules for smart results”. According to a survey by networking firm Cisco, 41% of workers break corporate IT policies, saying that “they need restricted programs and applications to get the job done – they’re simply trying to be more productive and efficient”.
Judging by my personal experiences, I’d say most companies will go for the productivity and efficiency. Employee efficiency helps the company to move and adopt faster. Not only does it usually mean more money, but from the security point of view it also makes the company a faster-moving target.
Also, with this approach, a lot of security issues will be moved from a company level to an employee level, similar to how training evolved. Companies still train employees, but a lot of skills are just expected from the employee and it’s up to him or her how and when to acquire those skills. For example, nobody really trains employees to process email, search the web, or operate a telephone. A quick display of the interface and a “you’ll figure it out, and let me know if you don’t” is usually enough.
Similarly, I think, many of the security issues will be passed on to the employee. The company will just expect him or her to run antivirus software, spam filters, and basic firewalls, use secure passwords, and such. With that, IT departments will have more resources to focus on protecting centralized resources – web servers, databases, etc.