Most IT professionals understand the need to work late from time to time. Suggest it’s a normal part of the profession, though, and you’ll get an earful. If I were a cynical sort, I’d think many IT professionals just aren’t happy without something to complain about.

Several weeks ago, I listed IT being a ghost town at 5pm as one of seven warning signs of a complacent IT organization. Not, I hasten to add, a certain diagnostic — just a warning sign. Into the fray steps Steve Delahunty:

“I had a … boss who complained that people were complacent … The problem was that when he left he didn’t peek into every cubicle and office. The lack of people around the halls in his view meant there was nobody there late. But also, we now can all work as easily at home as from the office. Meaning that I would often get online at night and see so many of my staff on their instant messenger clients it was like we were almost fully staffed online at 9pm with many folks working on work projects.”

Which brings up two points. The first is to be careful how you interpret what you see … and don’t see. Just as a doctor, facing a patient with a high fever, has a lot more work to do before reaching a diagnosis, a manager facing empty cubicles needs to dig in a bit before reaching a diagnosis of complacency.

The second is the subject of this week’s missive (credit where it’s due: it’s a recommendation by my partner, Steve Nazian): If you haven’t developed an instant messaging strategy for your company — one that facilitates its use while building in secure design, not one that locks it down — you’re creating, not preventing, a security hole.

We have more than two decades of experience managing and mismanaging personal technologies. Personal computers, electronic mail, remote system access, contact management software, personal digital assistants, Blackberries … it’s always depressingly the same:

1. IT forbids their use.

2. They leak in through the windows and side doors anyway.

3. A few employees are disciplined for violating company policy.

4. A rational executive somewhere in the business raises a huge stink about IT preventing employees from doing their work.

5. The CIO, recognizing the political liability of trying to keep the tide from coming in any longer, develops a strategy for managing the new technology instead of banning it.

This time it’s instant messaging. If you try to prevent it, employees will figure out a way to use it anyway. And once again, because their use is illicit, the workarounds will almost certainly create security holes. It’s akin to the well-known consequence of requiring strong passwords and forcing frequent changes: Post-It notes containing the hard-to-remember passwords stuck to computer monitors throughout the company.

There are still, in this industry, those who think the goal of security is to create an environment in which intrusions are impossible. If you’re one of these people, I can help. It’s actually quite easy. You can achieve it with three simple steps:

First, disconnect your internal network from the Internet. Second, disconnect all personal computers from the internal network, remove all disk drives and USB ports, and make printers illegal. And third, ban laptop computers from the enterprise altogether.

Of course, you’ll prevent employees from performing any useful work, but that’s just the unfortunate and unavoidable side effect of making the enterprise secure. It’s the nature of the beast. Security creates friction in business processes. The more secure you are, the higher the cost and slower the pace of doing business.

The best IT professionals put into practice what IT executives advise the rest of the company: They use information technology to maximize their own effectiveness. The best employees elsewhere in the company do likewise. Isn’t that the whole point of information technology — to help individual employees, workgroups, departments, divisions, and the enterprise as a whole work more effectively?

Instant messaging is simply the latest of the many tools available for enhancing personal effectiveness. In dealing with it, you have two choices.

You can either embrace it, and in doing so promote the very healthy attitude it represents. Or you can try to prevent it. Which is to say: You can either encourage a good attitude and improved security, or a bad attitude coupled with security holes.

Sad to say, far too many IT executives, faced with these alternatives, will instinctively choose the latter.