Security policies are unrealistic
“Employees’ disregard of corporate IT policies will increase as long as the policy is too rigid or impractical to allow them to get their jobs done.”
Full article online here.
In my opinion, this is one of the most important things of all. Information security is a function to enable the organisation to go about its business with an awareness of the risks it faces in doing so. In the business of making a profit, organisations will take risks and do things that we would consider to be insecure. It is not the role of infosec to put the kibosh on plans or prevent people from working. If people can’t get their jobs done without having to find a way to circumvent policy then the policy is wrong. Change it.