Rogue devices, rogue applications, rogue services--it is becoming a very familiar refrain. The latest indicator: A survey from Cisco last week found that a majority of security professionals see employees ignoring policies and using devices and software that their IT departments do not support.

The survey, which looked at the security impact of personal gadgets and social networking in the workplace, found that employees consistently (Cisco's word) are finding ways around security policies. A whopping 68 percent of those surveyed said that employees use unsupported social networking applications, but many reported heavy use of unsupported collaboration, P2P and cloud applications as well.  More than half said social networking is one of their organization's three greatest security risks.  More than a third reported that their company lost data or experienced a breach (my emphasis) because of employees using unsupported devices.  

The lesson, in Cisco's view, is that you better find the technologies--and resources--to support personal devices and applications because they will be used regardless. "The best strategic approach is to focus less on restricting usage and more on effective solutions to ensure highly secure, responsible use," said Fred Kost, Cisco's director of security solutions.

Cisco, of course, has products to help you address these issues, but ultimately do they address the real problems? Consumer technologies evolve faster than the IT department budget, and it could be a constant game of catch-up trying to accommodate the latest rogue gadgets and widgets. Ultimately, rogue IT use constitutes not so much a failure of technology, but a failure of policy and policy enforcement.

In Cisco's survey, nearly 75 percent of the IT security pros said that overly strict policies have a negative impact on hiring and holding on to employees in their twenties. Not to sound callous, but is this truly a huge problem? The unemployment rate, after all, continues to hover around 10 percent, with 15 million people out of work. What's more, it is the very young set that seems to be having the toughest time finding jobs. Perhaps this presents a golden opportunity to establish some meaningful security policies and enforcement mechanisms.

Seriously, is it overly strict to expect workers not to transmit company data over non-approved devices? Is it Draconian, really, to make Facebook off limits during work hours? I may be old school, but it seems that employees have always learned to work within reasonable company boundaries. Too harsh? Please let me know. - Caron