The other option is to let go of the policing activities, manage the core back office through a subsidiary group (much like a strategic HR director manages payroll but does not let that define her core value), and redefine the bulk of IT as internal technology consulting. I believe this is the best choice for most companies -- both for IT and the business departments. Here's how it could unfold:
The CIO should stop managing security, compliance, and governance for the company. Security, compliance, and governance -- all of which really mean risk management -- are the whole company's business, not a technology problem. They should be a horizontal function like HR or legal, addressing physical, information, financial, and strategic security concerns in a unified way based on assessing the risks likely to matter and the costs of reducing them. Today, security is (ineffectively) treated as a disease best cured by throwing technology straitjackets around people and processes at almost any cost, rather than in the thoughtful, considered, holistic manner it should be. Compliance and governance are often treated the same way.
Security, compliance, and governance have become a technology game that IT can only lose -- and that the business has happily ceded, so they're no longer a business problem. But like productivity, they are a business problem and should be owned by the business as a whole. Even if a CIO were willing to give them up, he or she likely won't find anyone who wants to pick up that set of radioactive matter.
But there's hope. As technology has democratized, users and business units want control over the technologies they work with. Let them have it -- along with the security, compliance, and governance ownership. That has to be the trade-off: If you in the business departments want to be treated like adults, act like adults. Only then will we in IT stop treating you like a toddler crawling along a cliff. (Yes, you can call us when the car breaks down or you get lost.)
Obviously, a CIO needs to support security, compliance, and governance needs -- determined by others -- where technology can help, especially around the core assets that will likely reside in the data center. For example, IT should help implement policies on data access, auditing, and manipulation based on the risk profiles and, thus, permissions the company (not IT) decides it needs -- this basic policy-based management should be in place anyhow.
But supporting security, compliance, and governance doesn't mean taking responsibility for them, any more than an accounting department takes responsibility for the spend decisions of a business manager. Accounting audits spending, looking for exceptions to legal requirements and corporate policy; IT's role for security, compliance, and governance should be the same in those areas where technology has a role. But no more.
Getting IT out of the police game will go a long way toward moving IT out of the "no" modality.