by jessaustin
4928 days ago
Of course the "security" to which CIOs refer is not DLP or anything cool like that (I'm not implying that DLP works, only that it's cool) but rather their own job security. IT is a cost center, and CIOs only survive when they can account their costs to other parts of the business. If e.g. marketing, sales, and accounting can honestly say they don't need anything that IT is providing, IT might not be around much longer.

From an actual security standpoint, it makes sense to really evaluate how secret your data need to be, and then set up an infrastructure to support that. Individual customer demographic data should be absolutely secret, but that doesn't just mean that marketing people shouldn't upload it to Dropbox so it's easier to pull into their abominable Access DB. That means that the only people who ever see it are CSRs while they're actually talking to the customer. Then IT can add value by isolating CSR desktops on their own 802.1X-secured wired network, while providing a more open network for their other work, and encouraging a shred-all-post-it-notes policy.

I think IT can make legitimate security arguments, but these can't start with "gosh Dropbox is terrible!" Dropbox and other cloud services are used because they are useful. Rather than depriving the individual employee of useful services, find services the business as a whole needs but doesn't realize it needs.