Should IT Pros be excluded from BYOD?

IT Pros, by their nature, are highly computer literate. They know how to manage their computers, so why not allow them to bring their own laptops to the office and use them for work?

Increasingly, attackers aren’t attacking systems directly. They are attacking the people who manage those systems. If you can get the credentials of the systems administrator, you don’t need to exploit any zero-day vulnerabilities to get access to the organization’s resources.

In some organizations, administrative privileges are partitioned into silos. Those organizations are the exception rather than the rule. In most organizations, administrators tend to have the “master keys to the kingdom”. Get hold of the admin credentials and the world, or at least the world within the organization’s IT infrastructure, is your oyster.

One of the big issues around BYOD is computer security. You can (mostly) block people from visiting strange sites and opening odd attachments while they are on-site. The moment they are at home, things become a little more freeform. With BYOD, people own the devices they use, and that means that when they are “off the clock” they do whatever the heck they want with them. And why shouldn’t they? It’s their device.

Consider the following. Last week, reports came out that one of the most popular adult sites on the internet had been serving up malware. I’m going to delicately dance around the question of whether IT Pros ever visit adult sites and instead go with “you should assume that people visit popular sites, and that IT Pros are people” (even though some of them would prefer to be super cool transforming Lego space robots).

Are some IT Pros diligent enough to be 100% protected from every attack vector on the sites they visit? Maybe. Are all IT Pros diligent enough that you can assume their personal machines will never be compromised by malware?

I’ll leave that one for you to answer yourself.

Part of an organization’s holistic security strategy should be ensuring that IT Pros (and developers) only perform privileged management tasks from computers that are used solely for that purpose. That means the management computer is just as locked down as the server it is used to manage. Just as an administrator hopefully wouldn’t surf adult sites using the built-in version of IE after RDPing into an Exchange Server to do a mailbox export, they probably shouldn’t be RDPing into that same Exchange Server from a laptop they used to surf adult sites from the privacy of their home.
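As an added example (this is not code from the original post), here is one way to put that rule into practice in Active Directory with PowerShell: report which privileged accounts can currently log on from any machine, and pin them to the dedicated management workstations via the account’s LogonWorkstations (“Log On To”) setting. The group name and workstation names are assumptions for illustration; it needs the ActiveDirectory RSAT module and rights to modify the accounts.

```powershell
# Added example, not from the original post: restrict privileged accounts so they can
# only log on from dedicated, locked-down management workstations, and report the
# accounts that are still unrestricted. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed NetBIOS names of the management workstations (nobody browses the web from these)
# and the privileged group to audit. Both are illustrative names, not from the post.
$ManagementHosts = @('ADMIN-WS01', 'ADMIN-WS02')
$PrivilegedGroup = 'Domain Admins'

# Resolve the user accounts in the privileged group (skipping nested groups/computers)
# and fetch the LogonWorkstations attribute, which is not returned by default.
$admins = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations

# Report: an empty LogonWorkstations means the account can log on interactively from
# any domain-joined machine, including a BYOD laptop that has been anywhere.
$unrestricted = $admins | Where-Object { [string]::IsNullOrEmpty($_.LogonWorkstations) }
Write-Host "$($unrestricted.Count) of $($admins.Count) privileged accounts are unrestricted:"
$unrestricted | Select-Object SamAccountName, Enabled, DistinguishedName | Format-Table -AutoSize

# Enforce: allow interactive logon only from the management hosts. The attribute takes a
# comma-separated list of computer names. -WhatIf previews the change; remove it to apply.
foreach ($admin in $admins) {
    Set-ADUser -Identity $admin -LogonWorkstations ($ManagementHosts -join ',') -WhatIf
}
```

Treat this as one layer, not the whole answer. The LogonWorkstations check is a coarse control that relies on the computer name the client presents at logon, so it complements, rather than replaces, a tiered admin model, “Deny log on” policies for privileged groups on ordinary workstations, and keeping the management hosts themselves patched and locked down.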

And I’m not just picking on adult sites. Jamie Oliver’s cooking website was serving up malware recently. It can happen to pretty much any site, which is why a “browse what you want” approach on an administrator workstation isn’t a great security strategy.

BYOD is pretty much incompatible with the idea of a “locked down administrator workstation”. That probably means that the computer IT Pros use most of the time to do their job shouldn’t be the one they use in their off hours to do whatever the heck they want.
