As I moved through my career in Information Security I became aware of a trend: the only time I was looped in was when I was expected to say no. I believe a company that relies on Information Security to be the arbiter of what is allowed and not allowed is not going to succeed. I prefer a policy of contextual security. Many people feel this is a naive approach because it forces security to understand the requirements and propose a solution that is a secure advancement of a solution to a business problem. This approach requires a bit of a shift in the thought process for most security professionals.
The traditional approach of prevention is still valid, but it must be augmented with controls that allow detection of breaches as early as possible. Just-in-time detection has been around for a while with technologies like FireEye and WildFire. I also like technologies that look into the crime networks for signs of our data being sold or utilized.
We must be able to implement controls that allow the business to expand, rather than clinging to traditional blocking strategies. Let's face it, people wasted time at work long before the Internet was created. The key is to allow the business to decide what is appropriate and find ways to secure it; you can minimize risk, not eliminate it.
The concept of adult supervision is, in my opinion, dead as a charter for Information Security.