Monday 3 March 2008

What is the IT Department Afraid Of?

In a world where the rules of engagement are constantly changing and the boundaries are constantly in flux, it's sometimes easier to hang steadfastly on to what we've done in the past.

In this new world we believe we are right because we "know better": that is, in the past this was bad and therefore now it must still be bad, right?
I remember aeons ago one of my previous bosses demonising email access unless you had a VPN, a work-supplied laptop and a work-supplied router.

After I took over his role I considered his resistance and I couldn't find any reason to maintain it. Why? Well, consider the following:
  • Does easier access to email systems enable the flow of information, enhance communication and collaboration? Yes
  • Are the rewards greater than the risk? Most likely
  • What is the risk of someone actively targeting our company so that they would tail our staff around in the hope that they would go to an internet cafe, log into our networks, not log out and give away some critical piece of information? With educated users? Pretty low, I'd say

Now this may appear blasé, but I've worked in the security game in the past and know that to penetrate someone's systems this way takes 3 things: persistence, skill with a mixture of luck and bloody-mindedness. It's not like in the movies, because your average high-level executive's password is not the name of his favourite pet.

Today I was challenged by one of my guys that we should restrict a method of access to systems to other employees because it was classified as an exception to our security policy: it bypassed our standard method of access and, even though it was auditable, would not be initially tracked in our current run of VPN metrics.

Now I admit I felt a little pressured. I initially thought, well, I don't have a problem with this; what is it that makes it so wrong? Is the world going to end if I do this? What is so wrong, since another member of staff (including myself) has this access?

Now I initially paused to reflect and assess if what was being asked of me was such a bad thing. The only thing I could come up with was that this decision was motivated by fear, fear of lack of control. Have we got to the stage that we do not trust our colleagues so much that we think that giving them additional control will cause our companies to come down in flames?
