A good way to handle this is to set up a common “lab” area, which nowadays can be in the form of a virtual environment, that the IT folks can use to tinker with new software or procedures. By policy, IT leadership must enforce desktop standards, and the IT folks have to adhere to those standards as well. One of the best arguments for this, is that if the IT staff are not running a standard image, how can they effectively troubleshoot an end-user issue? Meanwhile, the lab can be a sandbox for tinkering.

There needs to be a policy in place against privileged access of confidential information, except in the case that it’s work-related. In the “bad old days” of the early to mid 90′s, there were lots of IT folks, especially at smaller companies, that would go in and read the CEO’s e-mail or other documents, because they figured no one would ever find out. The good news is that Sarbanes-Oxley, GLB, PCI, HIPAA, and a host of other regulatory measures have forced a level of maturity on the IT industry as a whole. A true IT professional would NEVER breach the company’s trust by accessing confidential data without authorization, but having audit measures in place helps “keep the honest people honest”.

Speaking from an IT leadership role, the IT folks need to be informed of the policy, informed of a zero-tolerance disciplinary policy, and FIRED immediately (with immediate termination of access) if they break the policy. There should be a special onboarding process for IT folks, and a yearly general review of departmental policies and procedures.

Many times, IT folks use their personal memory sticks or USB drives to copy data because it’s expedient, not for any other reason. It is a minor investment to purchase small form factor (known as 2.5″) USB hard drives for every IT staffer, which can be reformatted so that it can use Microsoft (EFS) encryption, or purchase a 3rd-party encryption tool. If you give the IT staff effective tools that simplify their job, they will use them, and keep the company’s data safe at the same time.

Sometimes there is a huge disconnect between IT and the rest of the business. Helping every IT staffer understand how the company makes money, their role in the company, and how they contribute to revenue is vital. Helping them understand the value of the data they protect and the role in protecting that data allows people to see the “big picture”. Once IT feels that it has a “stake” in the business (“….and THAT’s how you get your paycheck….”), then IT will be more proactive in practicing security rather than just IMPLEMENTING it, and often they will find innovative ways to help protect the company’s data.