3 Reasons Why Employees Don't Follow Security Rules
A recent survey finds employees continue to ignore security policies. (Surprise, surprise.) Here's a reminder about what often is missing in organizations that tempts workers to walk the wrong side of security law.
Why should employees follow the security policy when the CSO and the rest of the security staff don't? If they don't follow it or the corporate rules, then why should anyone else? The same goes for HR. Both departments together act and work like the mob, and senior management cannot be bothered. You know that this happens in your company as well - admit it.
Nothing new here. The same excuses have been used for speeding tickets for a long time.
1) I didn't know that was the speed limit.
2) I didn't think this was being enforced - I see others speeding all of the time.
3) I was in a hurry to a meeting / grandma's house and I just had to speed.
Security has to make sense. Blocking Web sites, disallowing admin rights on PCs, etc. only work when there are real reasons to do so. Also, security has to COMPLEMENT the business mission. Employees have tasks to accomplish, and security must ensure that those tasks can BE accomplished.
As there are two sides to every story, putting a barrier in place without a proper explanation is simply the wrong way to go about things. Also, knowingly going around a policy in the name of doing business is actually doing BAD business.
When some employee doesn't follow the company policy, claiming it doesn't let them do their job, that is the point at which management should start an assessment of exactly what that person is doing and why they are doing it that way. Most of the time, the employee is not doing the best thing - they are doing the only thing they know how to do. There is a natural opportunity to improve the process and correct a policy violation.
In other cases, it's a problem with management itself. For example, when the policy (or compliance) says to limit the websites that regular employees can visit, yet management goes around that policy by logging in for the users, management creates a multiplicity of responsibility avoidance: 1) they are allowing employees to use improper credentials, and 2) they aren't identifying the sites users need (not doing their job). In short, they are doubly breaking the policy for both themselves and the employee. For the employee, they certainly can't get away with saying, "but management let me do it" if they knew it was wrong or not allowed in the first place. I have lived through this problem many times.
In a well-run business, the right way should hopefully be the easiest way - policy should preferentially focus in that direction; however, that doesn't mean that the policy should always follow the easiest method. It should also emphasize the most controlled methods when necessary.