Gary Scarborough
Authored Comments
If you want to know why IT policies are the way they are, then you need to move up the food chain to the CEO/CIO/"Whoever Makes the Decisions". IT policies are in place largely as a CYA for the company and for the IT staff. This is needed mainly because of the law and because we as IT are usually the ones held responsible.
How much freedom your users have largely depends on how much you can trust them. Freedom and Security compete for priority. The stakes are the well-being of the company and its employees. As an IT person, the more freedom I give a user on their machine, the more trust I must have that the user will not do something wrong. If that user is the accountant, their machine may contain all the company's financial records as well as the records of every single employee. Is exposing that kind of information to a breach going to be an acceptable outcome in return for allowing the end user full control over their computer? Of course not.
But there can be a balance. For there to be a balance, your CEO/CIO/Whoever needs to realize that you can set up a secure environment where your users are empowered. But that takes time and money. OSes like Linux allow the user full use of the system without the need to be the administrator. Something many Windows programs still can't handle. You also need some training. It's not unreasonable to expect your users to learn new job skills. Security needs to be included in them.
Part of the problem is that people are using Windows. Sorry, but you cannot use that OS and expect the common user to be able to NOT get infected with something. Windows also lacks the tools to allow a user to add software from known good sources. With Linux, you can give the users permissions to install anything in any repo you have configured their system to use. That could be the regular public ones, or a single corporate repo.
I also think part of the problem is lack of IT funding. If you want people to be innovative and they need more IT help, you need to hire more IT people. I see way too many examples, my employer included, that shortchange the IT budget to save money. At that point, the niceties go out the window and you just do what you have to do to survive. If you have to choose between the servers and end users, the end users are going to lose every time.