IT Security is the health & safety of the IT world. Not that people die of it if something goes wrong, or have to visit the occupational health nurse, but in the sense that it stops all discussions because “surely, no-one can be opposed to better health & safety regulation?” Likewise, IT security can be used to squash any dissenting views because “surely, no-one can be opposed to better IT Security?”
Except when the proclaimed added security is a cover for pushing through, unopposed, whatever IT feature you want to introduce. You don’t like people using Dropbox to keep documents in the cloud? Declare it a security risk and ban the use of Dropbox. You don’t like people accessing their personal emails during work? Declare GMail unsafe (which by the way takes some chutzpah) and ban its use.
But even when the issue is real security, sometimes the medicine is worse than the disease. Take for instance the scanning of your hard drive which is scheduled to start at 10am every Tuesday: for people with a standard XP machine (in short, most people) the limited amount of CPU means that for the rest of the working day your machine will be slow as hell.
And when there’s a breach, did it happen through these well-advertised security failures? No. The latest one I encountered came from someone plugging in an infected USB stick, and McAfee hadn’t been set up to vet such devices for anything dodgy. I half expected that from then on USB ports would be disabled, but presumably even the security experts thought that was a measure too far.
Still, whenever a new measure was announced, my cynical self couldn’t help but search for ulterior motives. Not that it would help you to complain anyway. Not when you receive a snotty email identifying you as one of a select group of people who had the audacity to use Dropbox for the simple reason that it was useful.