Question: "I'm struggling to determine the right balance between being 'big brother' and being a responsible enforcer of corporate policy. What is a reasonable approach for phasing in oversight in a way that can minimize concerns for my users?"
There are three different types of users you have to consider. The first group just wants to be able to do their job. They are likely to appreciate your efforts at keeping them secure, but don't want you to interrupt their work. For these folks your goal should be the same as theirs: keep them productive and keep them safe.
The second group wants to be able to do whatever they want on the network regardless of the risks, and feels you are being unreasonable when you restrict their use of everything from instant messaging to peer-to-peer tools, third-party e-mail, mobile devices, games, etc. With these users the best approach is to require a business case explaining why the company should invest resources (and accept the added risk) to accommodate these activities. If they cannot produce one, then the answer is simply no.
The third type is a little more difficult. This is the group that wants to be innovative in doing their job. They want to take advantage of things like social networking tools, instant messaging with a genuine business purpose, YouTube for marketing, and the like. This is where a little discretion comes in. You need to accurately assess their intent and then work with them to create a solution that meets both your needs and theirs.
Start by identifying the user requirements. Look at what they are trying to accomplish rather than how they propose to accomplish it. Once you have this identified, look for solutions to their needs that also maintain security. Be open to new ideas. Poll your staff, colleagues or consultants. If you dig in your heels and become defensive, so will your users. Show them you are pursuing your interests openly and they will be likely to do the same.
Once you have a tenable solution, have a few of your users try it. If they do not like something, see if it is possible to address their concerns. This may not always be possible, in which case you should explain the risk the change would introduce, and why you cannot allow that risk to exist. Your only goal should be to give them what they want while maintaining the company's security. The last thing you should be doing is telling the business why it cannot run its departments the way it sees fit. They are the
So, to the question of playing "Big Brother". Put systems in place that give you security and the ability to review anything that could become a risk to the company, but do not make a habit of reviewing a specific user's activity unless requested to do so by your legal or human resources department. Write that trigger into policy so it is clear who may request such a review and under what conditions. Again, your primary focus is on keeping risk to a minimum. Let business management determine what it feels is the appropriate use of company resources.
The views and opinions I express here are my own and not necessarily those of the company I work for or any of its associates.