I’ve noticed a couple different models for IT, both as someone who’s helped run it, and as an employee who’s been, er, subjected to it.

Both have the overall goal of controlling costs and ensuring security, but they’re done in two different ways.

Command and control

The basic premise of this model is that most users aren’t to be trusted, and that IT needs to exert careful control over what technologies are used, and how they are used. Features of this model include prohibitions on what types of software can be used.

Software is selected based on its suitability for control, not based on its usefulness to the user. Policies (for example, password lockouts or mandatory monitoring software) are picked the same way.

For example, you might work at a place where you’re required to use Box (inferior user interface, better security and control), instead of Dropbox. This can be enforced in different ways, for example by requiring certain access levels in order to install software, by denying reimbursements for non-approved software, or other ways.

The strategic model

This model assumes that users are honest and rational, if not always fully-informed, in pursuit of their goals.

In this model, IT is viewed as a strategic partner for achieving business (and employee) goals, rather than as a gatekeeper for technologies. They recognize that flexible policies can promote company efficiency.

As an example of this model, you as a user might be given free rein to install whatever software you want, in order to do your job. Site licenses have to be used when they’re available, but otherwise it’s assumed that users know what they need. Individual managers are responsible for controlling expenses, and policies are set at the minimum prudent level. For example, two-factor authentication is required for email accounts, but passwords don’t have to contain punctuation marks.

Can you tell which model I prefer?

The strategic model frees IT to focus on helping employees get their job done, rather than distributing software and hardware. Think less mall security guard, and more business consultant. It also improves employee morale, since employees are trusted to make their own decisions.

Pratically speaking, this model also recognizes that it’s impossible to prevent employees from going around policies to some extent.