Then there are those who have been made bitter by years of having to answer the same questions over and over about basic operational functions. A decision that takes me seconds to make could take hours and multiple whiteboards to properly explain.
Rarely does IT have the time to craft restrictions arbitrarily. Rules are usually in place because of an incident that happened somewhere in the past. Some faith and willingness to listen is needed on both sides!
When most people think of Sarbanes-Oxley regulations, they tend to think of accounting. Yes, Sarbanes-Oxley imposes much accounting burden on an organization. However, it also imposes much IT regulation. For example, when I had a typical lowly help desk position (provisioning equipment, managing printers, and so on) at a publicly traded corporation some years ago, few of my non-IT coworkers likely realized that my name and signature were included on an annual binding report to the federal government.
It is never the case that I'm being arbitrarily restrictive. However, simple requests for things like LogMeIn and password loosening, if granted, could have landed me in federal prison. Just how much jail time should an IT person be willing to do to accommodate the latest must-have tool to not be labeled as a "productivity killer"?
Aside from the harsh rules in effect for the IT departments of public corporations and their contractors and the IT departments of all medical facilities and their contractors by the government, every organization has rules that make it function. All back-end tech has rules and best practices that we follow if we desire to have the mail server do fancy things like function after a reboot.
Why should IT take on the penalty of failure?
I've also argued for a rebalancing of the IT-user relationship, suggesting that users need to take on more responsibility as the price for having more freedom and trust. Silverman says that may sound nice, but IT is nonetheless likely to get the blame -- and the axe. And he says that even well-meaning users simply don't know enough to know they're causing issues or what the implications are:
You've stated that IT requires excessive levels of testing, assurance, preparation, and control that simply is not possible, as users will simply work around us when we do that level of diligence and make our efforts for naught. That illustrates the lack of understanding between clients and their IT colleagues.
Like your everyday cop, we keep the peace and help establish balance. On one side are regulations that require all business to be conducted in locked-down clean rooms. On the other are employees trying to keep up with competition and modern-day life, who sometimes fail to think of the long-term consequences that their actions might bring. I don't see the logic in allowing an employee, eager for a good next review, to be the determining factor for how to secure and provision access to company assets.
When inevitable problems break out, sometimes you get the chance to learn from an incident. Other times, it is an immediate game-over, with no going back. Either way, the first people to be blamed or questioned are in IT. Unless the responsibility and blame are placed elsewhere (which I realize you do advocate), I don't think it unreasonable for IT to maintain controls that ensure safety. Anyone whose primary job is not managing information technology can always, rightfully or not, make the case that they didn't realize their folly and walk away with their reputation intact. IT doesn't get that pass. Sadly, few outside of IT who have not been through a bloody nightmare realize all that good safety entails.