If people shouldn't have access to data or shouldn't be able to store it locally, that control should reside at the data level. If IT has to essentially retroactively control the data once it gets to an endpoint (a PC, a smartphone, an email message, a piece of paper), it's already too late.
But IT grew up with an endpoint mentality, starting with its roots in mainframes more than 50 years ago. Those computers were hugely expensive and fragile, so only a few beknighted people had any access to them. Their data was also confined to a handful of people, and the number of endpoints was very limited and thus controllable. That ingrained mentality is why I'm not shocked that the endpoint control impulse persists.
That number, though, began to expand in the 1980s when the first PCs were placed in businesses. Suddenly, there were computers that IT (then called MIS or data processing) didn't control. I remember the fears of IT back in those days, but also the liberation that businesspeople experienced when they no longer had to beg at the altar of IT to get the information needed to do their jobs. Guess who won?
The endpoint control mentality should have died then, but it didn't. IT glommed on to the client/server notion as a way to convert PCs back into dumb terminals. It sort of worked, at least enough for the endpoint control mentality to stick around. In the early days, PCs were very expensive, so they could be justified only for a limited number of staff, and the notion of email outside of universities and defense agencies didn't begin to take hold until the very late 1980s.
By the mid-1990s, pretty much all white-collar workers had PCs and email, but the notion of endpoint control remained because these computers were in offices with limited connectivity beyond their business. In the late 1990s, however, laptops had become common and the Internet was nearly universally available. That's when IT's notion of endpoint control should have died. Instead, it remained, despite the obvious disconnect and all the stories of laptops and CDs containing sensitive information being lost or stolen from someone's car -- showing the futility of IT's approach.
Then the iPhone debuted in 2007, doing to cell phones and BlackBerrys what PCs did to mainframes: making them obsolete. In terms of control, the cat was already out of the bag on the desktop, and now it was freed up in mobile.
Changing the control mind-set to be data-based
It's only been in the last year or two that this endpoint control mentality has begun to change. I know CIOs at several large, conservative, security-minded organizations that have stopped trying to fight the unwinnable war at the endpoints and have moved back to controlling data at the source, using well-established technology such as certificates, encryption, permissions policies, and in some cases thin clients to manage the access. They've stopped worrying about this device or that device. If a device meets the policy requirements, and the user has the right permissions, the appropriate data access and usage are allowed; if it doesn't, the access isn't permitted. That device could be a home PC, a terminal at an Internet café, an iPhone, a Xoom, or whatever.
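As an added illustration (not code from the column or from any of the organizations it describes), here is a small policy evaluator that models the data-level decision above: access is decided from the user's permissions and the device's posture rather than from which device it is, and the decision also says whether a local copy is allowed. The device fields, permission names and datasets are hypothetical, constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of a data-level access policy. A request is judged on the
# user's permissions and the device's posture, never on which device it is.
# The field names and checks are hypothetical, chosen for this example.

@dataclass(frozen=True)
class Device:
    name: str
    has_org_cert: bool      # presents a certificate issued by the organization
    disk_encrypted: bool    # local storage is encrypted
    managed: bool           # enrolled in organizational management

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # e.g. {"sales-reports:read", "sales-reports:download"}

def decide_access(user: User, device: Device, dataset: str) -> str:
    """Return 'deny', 'view-only' (data streamed via a thin client, no local
    copy) or 'full' (a local copy is permitted)."""
    if f"{dataset}:read" not in user.permissions:
        return "deny"           # the user has no right to this data at all
    if not device.has_org_cert:
        return "deny"           # unknown device: policy requirement not met
    if (device.managed and device.disk_encrypted
            and f"{dataset}:download" in user.permissions):
        return "full"           # local storage is acceptable on this device
    return "view-only"          # access is allowed, local storage is not

# Constructed sample devices and users.
HOME_PC = Device("home PC", has_org_cert=True, disk_encrypted=False, managed=False)
CAFE_TERMINAL = Device("Internet cafe terminal", has_org_cert=False, disk_encrypted=False, managed=False)
IPHONE = Device("managed iPhone", has_org_cert=True, disk_encrypted=True, managed=True)

ANALYST = User("analyst", frozenset({"sales-reports:read", "sales-reports:download"}))
CONTRACTOR = User("contractor", frozenset({"sales-reports:read"}))

def demo() -> dict:
    """Evaluate every user/device pair against the sales-reports dataset."""
    return {
        (u.name, d.name): decide_access(u, d, "sales-reports")
        for u in (ANALYST, CONTRACTOR)
        for d in (HOME_PC, CAFE_TERMINAL, IPHONE)
    }

if __name__ == "__main__":
    for (who, where), decision in demo().items():
        print(f"{who:10s} on {where:22s} -> {decision}")
```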