@Mother Hubbard
We are all drones in one way or another. The difference between the IT staff and the drones from other departments is that our jobs involve access to the controls over those computers, and the ability to restrict, or un-restrict access to information. We are just as replaceable as any of the other cogs in the great machine of business.
Yet, just as I would not be granted access to the payroll records of our company, nor the production statistics or budgets, the staff don't get to turn off their Virus Scanners. Most people would love to know what Bob over in Cube 27 makes. They would love to know where the money in the company goes, and why their department didn't get what they asked for.
Segmentation of responsibilities and duties however means that everyone who is not a member of the IT department is simply "other" in terms of access. Even within the IT department, different members have differing levels of access to different resources.
Anyone who tries to circumvent security precautions simply for their convenience *is* the enemy, just as my trying to obtain payroll records or information would make our accountants hunt me in the night with pointy sticks.
The greatest threat to the company's information security right now is me, because I have the most access. In order to mitigate the damage any one person could do, you start with the person with the most access, and find ways to remove their ability to break or copy everything. Every truly critical piece of information I could get access to requires someone else to sign in as well. This is to ensure that I can't go check the payroll records, or view the budgets. Backups are segmented, with no member of the IT department able to purge all copies of a backup set, as well as the main systems.
Security is impossible to achieve in an absolute fashion. It's all about mitigating risk. My statements are not to be taken to mean that I view my staff (or myself) as something other than disposable or replaceable. It's simply our job to make sure that the OTHER disposable, replaceable elements of the company don't delete anything important, or make off with the digital gold.
Since that's what the job is, and since it is the livelihoods of my staff and myself that are on the line, anyone and everyone who is a potential threat to that is the enemy. You want to believe that security can come from trust, and friendship, goodwill and fluffy bunnies; well, I can't stop you from believing that. Hell, you might even be right, and I may very well be wrong.
I will, however, continue to view everyone with suspicion, and operate as close to the principle of least privilege as I can get away with. Sales drone #84 does not require access to the SQL server. Marketing Droid #31 does not require access to the customer credit card information accounting keeps for monthly billing. Accounting droid #7 does not require access to the manufacturing software. At no point do any of the disposable cogs need access to Facebook, YouTube, or randompornsite.com. The fewer of them there are, the fewer there are to worry about, and the fewer there are trying to break the rules.
Understand that outside of work, I am quite a nice fellow: gregarious, friendly, sociable, kind to my neighbours, and helpful to my friends. In the workplace, however, it isn't personal, it's business. My job is to make sure they don't cost me, or anyone else in the company, our jobs.
Very few people like that idea, but very few companies take security seriously enough. How many millions of records lost by how many different companies and governments in the past 8 months alone?
Just thoughts…