IT is all about control and protection. Always has been. That's not a side-effect, it's the main feature.
What are the primary goals for which management sets up the IT dept.?
- make sure all data stays intact and accessible to authorized users, and only them
- make sure no data can be created, manipulated or exported by authorized users without an auditable log trace
- make sure all authorized users can do the work they are supposed to do and evolve infrastructure with evolving work requirements
- keep costs of all that down to a sane minimum, without compromising the first 3 goals
- keep internal and external (clients, contractors, partners) IT morale as high as possible, without compromising all the other goals
To make any of this possible, control over hard- and software is the pivotal element. With unlimited funds, IT could support any device with any software. On a budget, all expenses are better spent on improving on the first 3 goals, business-wise, rather than the last.
Depending on the company's line of business, the first goals can be weighted very differently and result in vastly different trade-offs between security and usability.
- Defense contractors would rather have the entire network and all users shut down than to lose one kilobyte of secret data. Employees turn over rarely, but trust is never full and can be revoked in seconds. Staff has no freedom. Absolute secrecy is key.
- A media and graphics company would prefer to leave all doors open than to miss an important shipping date or flashy presentation meeting with an important client. Some staff have extreme turn-over rates, new staff is not trusted, but still has many freedoms. Flexible creativity is key.
- Power-and-utilities want a third and fourth line of backup connectivity to never ever have a service interruption. Turn-over is low, employees and employers trust each other fanatically, long into weekends, night shifts and retirement if needed. Continuous uninterrupted operation is key.
IT has to adjust for these different goals, but only the "media" scenario can work without heavy-handed control without going miles and miles over budget.
Except when different scenarios are key to different sub-companies, but somehow the entire consortium requires everyone to adhere to the exact same policies, probably extending over several thousands of employees and dozens of companies across half the planet's time zones. That can never work as intended and will probably never cease to annoy the hell out of everyone involved except the highest CIO of the holding company, making their job safe for all eternity. (Any resemblance to the hallmarks of Marxist economies is NOT at all coincidental in an enterprise that includes many time zones and multiple or all business domains in them.)