That's a pretty big question. A recent blog post by Nate Beran ("Who are we to decide?") and subsequent Google+ discussion got me thinking about that. Nate nails the point about IT being a poor business enabler. We take it upon ourselves to save the users from themselves, often rendering the user unable to do their job.
I take a slightly different perspective on what we should do about it. I agree with Nate that we're not the police. We've taken an assumed/outdated mandate from the old paradigm, and continue to enforce it in a completely different business world. Find me an IT shop that has never rejected a request due to an exaggerated or out-of-context risk.
My take is that, ultimately, IT should be the technology investment advisor/planner. We take time to understand the business goals, and help management determine the level of risk tolerance. Then we offer advice around how to meet those goals and mitigate risk. The executive team and the board decide what to do with the advice. If we've become the trusted advisor, they'll run with our advice more often than not.
Like their partners in Finance, IT takes on a dual role of investment advisor and operational implementer. At times we'll need to be the operational enforcer, also like Finance. Unlike the old paradigm, we now have a board-level mandate, based on real choices. IT enforcement can stay away from petty concerns like whether an account executive can use Evernote, and even from less petty concerns like BYOD. If the proper risk analysis has been done, management has already determined the scope of BYOD. IT doesn't need to be the gatekeeper.
This may take some time: while most IT shops are pretty good at macro-level risk assessment, we tend to be lousy at the micro level. We apply the same level of rigor to both contexts, which is the old paradigm. We've got a lot of learning to do.