Two-Factor Authentication Among Least Mature Best Practices

March, 2022

Enterprises have spent much of the past decade increasing their cybersecurity budgets with mixed success. Perhaps if they spend more time on best practices, they would have better results. Five of the IT security and risk management best practices included in our latest IT Management Best Practices study are among the least mature, with two-factor authentication (2FA) topping the list. Without these core security disciplines,  organizations willingly ignore some of their best risk mitigation tactics. Moreover, the continued shift to a hybrid work model makes 2FA, and these other practices, even more important as enterprises rush to secure a changing perimeter.

This is one of many key takeaways from our IT Management Best Practices study, which analyzes 33 best practices. In this year’s study, we have added three new disciplines: IT vendor governance, cloud governance, and insider risk assessment. Figure 3 from the full study shows that 2FA is the least mature best practice, with a maturity rating of 14%. While IT security compliance audits and IT personnel time tracking tie for second place at 17%.

Top 10 Best Practices 1030x687 - Two-Factor Authentication Among Least Mature Best Practices

“The lack of two-factor authentication exposes  key systems to unwarranted access when an end user’s device is compromised,” said Reneece Sterling, a research analyst for Computer Economics, a service of Avasant Research, based in Los Angeles. “Strong implementation of two-factor authentication can close this security gap and minimize risk.”

What do we mean by practice maturity? It means the percentage of survey respondents who apply a particular practice formally and consistently. Take IT security training, number four on our least mature list with an 18% maturing rating. Eighteen percent of companies formally and consistently mandate IT security training. This means a whopping 82% of survey respondents have not implemented consistent security training. This might mean that these respondents train staff irregularly without any formal documentation, or perhaps there is no training program set up. This is quite concerning; IT security training is a relatively easy best practice to implement and can mitigate internal risks. Organizations without a well-designed IT security training program are open to unnecessary exposure.

Or take bring your own device (BYOD), fifth on this list at 19%. Nineteen percent of respondents say they apply this best practice formally and consistently. But that means 81% of companies do not consistently and formally allow their employees to use their own devices to perform company tasks. Without a BYOD policy, organizations are responsible for providing IT hardware for staff. This will increase IT operation costs that could have been allocated elsewhere. For our analysis of the rest of the least mature practices, see our full study.

Some of the 33 best practices in our full study are well-established disciplines and are widely accepted. Others are gaining traction among leading-edge organizations. Still other practices are being widely promoted by tools vendors and consultants but are only rarely adopted, and it remains uncertain whether they will endure. Our goal in this study is to provide IT executives with real-world data on how widely each practice is implemented, a basis for comparing their organizations with their peers, and a means of identifying emerging best practices.

This study is now in its 17th year. Each year, we ask IT organizations in our annual survey to what extent they have adopted a selected list of IT management best practices. Survey participants have five response choices:

    • No Activity: We are not practicing this discipline in any way.
    • Implementing: We are in process of implementing this best practice.
    • Practicing Informally: We do not have formal policies or procedures for this discipline, but we do practice it in an informal or ad-hoc manner.
    • Practicing Formally but Inconsistently: We have formal policies and procedures for this discipline, but we do not follow them consistently or to the extent that we should.
    • Practicing Formally and Consistently: We have formal policies and procedures for this discipline, and we follow them consistently. This is the maturity level.

The best practices in the study are as follows:

    • IT governance practices: IT strategic planning, IT project portfolio management, project management office, organizational change management, enterprise architecture, IT vendor governance, and cloud governance.
    • IT financial management practices: IT personnel time tracking, service-based cost accounting, chargeback of IT costs, showback of IT costs, IT service catalog, benchmarking IT spending levels, and monitoring software licenses.
    • IT operational management practices: IT Infrastructure Library (ITIL), IT asset management system, bring your own device, user satisfaction surveys, and IT performance metrics.
    • IT security and risk management practices: IT security training, data classification and retention, two-factor authentication, IT security compliance audits, penetration testing, security incident management, disaster recovery planning, disaster recovery plan testing, business continuity planning, and insider risk assessment.
    • Application development practices: agile development, DevOps, website accessibility, and post-implementation audits.

Our full study is designed to increase the awareness of IT leaders concerning what are the best practices in IT management, provide benchmarks against which an IT organization can compare its own adoption and practice level, and justify investments to improve an organization’s IT management practices.


This Research Byte is a brief overview of our report on this subject, IT Management Best Practices. The full report is available at no charge for subscribers, or it may be purchased by non-clients directly from our website (click for pricing).