Progress in IT Security Practices Mixed but Not Improving Overall

September, 2019

Computer Economics has released its major annual study on 34 IT management best practices, and one important category, IT security and risk management, is showing mixed results. Adoption of one vital IT security best practice is down, while others are up or flat.

The bad news is that IT security policies appear to be going in the wrong direction. Figure 3 from our full study, IT Management Best Practices 2019-2020, shows that IT security policies are a mature practice, with 54% saying their security policies are formal and consistent. The fact that most organizations have IT security policies is expected, since such policies are often mandated by corporate standards or industry regulations. But it is disappointing that only 54% establish them formally and consistently. What is more disappointing is that the percentage is down from 57% last year. This is surely one reason that we continue to see devastating, high-profile security breaches every year.

[Figure 3]

Security incident management, at 51%, is third on this most mature list, but at least it is moving in the right direction. It was at 48% maturity last year. Security incident management is a process to record, track, and resolve security incidents. When a security incident takes place, an organization will have a response team in place and clearly defined procedures for managing the incident. But again, only about half of IT organizations formally and consistently respond to and manage security incidents.

Penetration testing, at 44%, is new to our survey. Not shown in this figure are IT security compliance audits, which are unchanged from last year at 42%. Both of those bear watching in the coming years, as they are important disciplines.

“Because so many security practices are in the top five, on the surface it appears companies are emphasizing security,” said Tom Dunlap, director of research for Computer Economics, an Irvine, Calif.-based research firm. “Unfortunately, it isn’t really true. Security practices that aren’t adopted formally and consistently leave major security risks. Security practices are most definitely not optional.”

Some of the 34 best practices are well-established disciplines and are widely accepted. Others are gaining traction among leading-edge organizations. Still other practices are being widely promoted by tools vendors and consultants but are only rarely adopted, and it remains uncertain whether they will endure. Our goal in this study is to provide IT executives with real-world data on how widely each practice is implemented, a basis for comparing their organizations with their peers, and a means of identifying emerging best practices.

This study is now in its 15th year. Each year, we ask IT organizations in our annual survey to what extent they have adopted a selected list of IT management best practices. Survey participants have five response choices:

  • No Activity: We are not practicing this discipline in any way.
  • Implementing: We are in process of implementing this best practice.
  • Practicing Informally: We do not have formal policies or procedures for this discipline, but we do practice it in an informal or ad-hoc manner.
  • Practicing Formally but Inconsistently: We have formal policies and procedures for this discipline, but we do not follow them consistently or to the extent that we should.
  • Practicing Formally and Consistently: We have formal policies and procedures for this discipline and we follow them consistently. This is the maturity level.

The best practices in the study are as follows:

  • IT governance practices: IT strategic planning, IT steering committee, IT project portfolio management, project management office, IT change control board, organizational change management, and enterprise architecture.
  • IT financial management practices: IT personnel time tracking, service-based cost accounting, chargeback of IT costs, showback of IT costs, IT service catalog, and benchmarking IT spending levels.
  • IT operational management practices: Server OS standard images, desktop standard images, IT Infrastructure Library (ITIL), IT asset management system, bring your own device, user-satisfaction surveying, and IT performance metrics.
  • IT security and risk management practices: IT security policies, data classification and retention, two-factor authentication, IT security compliance audits, penetration testing, security incident management, disaster recovery planning, disaster recovery testing, and business continuity planning.
  • Application development practices: system development life cycle, agile development, software change management process, DevOps, and post-implementation audits.

The full study is designed to increase IT leaders' awareness of the best practices in IT management, provide benchmarks against which an IT organization can compare its own adoption and practice level, and justify investments to improve an organization’s IT management practices.


This Research Byte is a brief overview of our report on this subject, IT Management Best Practices 2019-2020. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website.