Bring Your Own Device policies were adopted by enterprise IT organizations under pressure from employees and leadership who wanted to use their personal devices for work and did not want to carry two phones. The policies were designed hastily, implemented with tools that were not ready for the management requirements they needed to meet, and left in place with minimal review as the security landscape changed around them. The result is a policy category that most IT security professionals acknowledge as a significant exposure and most organizations decline to address because addressing it requires telling employees they cannot use their personal devices for work.

Corporate laptop procurement has not kept pace with the changes in how knowledge workers use their devices. The procurement criteria that dominated enterprise laptop purchasing for the past fifteen years — Windows compatibility, Intel processor, specific RAM and storage tiers, corporate image support — are still driving purchasing decisions in organizations where the actual requirements have shifted materially. The mismatch produces laptops that are enterprise-manageable but mediocre for the work employees actually do.

The four-year PC refresh cycle that became standard in enterprise IT during the 2010s was a budget optimization made under specific conditions: hardware improvements were incremental, Windows 7 was stable, and the marginal productivity gain from newer hardware was not large enough to justify more frequent refresh. Those conditions no longer hold. The PC refresh cycle at many organizations has stretched to five, six, and in some cases seven years without a corresponding assessment of whether the extended cycle is actually saving money.