
What Good is a Security Policy if We Ignore It?

Anton Chuvakin points out in his ComputerWorld opinion piece "Security policy in the age of compliance" that even security professionals ignore security policies. He cites a Ponemon Institute study that found:

more than half of the 890 respondents said that they had copied confidential company information onto USB memory sticks, even though 87% of them admitted they knew this action is explicitly disallowed by their company's security policy. Of course, no less disturbing is that 33% of respondents had sent workplace documents home as e-mail attachments, even though almost half of them had no idea whether or not that practice violated their company's security policy.

and goes on to say:

some evidence points at the fact that security pros are no better than regular IT users about complying with policies that they see as "stupid."

So we can (1) chide ourselves for not being good enough about security and vow to do better or (2) admit our policies don't fit the needs of our organizations.

Defining a policy is not a one-way street where the Word comes down from on high. We can't just look at compliance requirements to create an adequate policy; we also need policies that fit business needs. We can imagine a set of policies so stringent that the business can't operate and goes under. OK, that's the extreme, but what is the proper balance?

For starters, we need to account for the way people work and the demands on their time. An IT pro who needs to finish a proposal, hold a staff meeting, deal with a project overrun, and tend to a sick child at home while making the other child's school play that night is going to do some work at home. Simply saying "don't copy documents to USB flash drives" only meets the compliance needs; it doesn't meet the business needs of the organization. A better option is to use encrypted USB drives and create a policy that says "don't copy documents to unencrypted USB flash drives." Also, provide laptops to reduce the chances that those documents will end up on a malware-infested home computer shared with download-crazed teenagers.

When developing policies we need to look beyond regulations and compliance requirements to the other requirements, too.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net