Security Dominates Survey of IT Management Best Practices

September, 2017

When it comes to security breaches, perhaps IT executives should look in the mirror. Our latest survey shows that an awful lot of companies are, inadvertently, admitting to not doing as good a job with security as they should.

The Computer Economics annual survey of IT management best practices finds that security and risk management practices dominate the list of the top five most-mature best practices. That’s good. However, what is not so good is the low percentage of IT organizations that have adopted these crucial security practices formally and consistently. Only about half or fewer of our respondents do so, which means the majority of organizations admit that their security and risk management practices are “informal” or “inconsistent.” In other words, there is a lot of room for improvement.

This year’s IT Management Best Practices study gives us deeper insights into how IT companies are putting crucial best practices into action. In previous years, we only asked whether they were applying each best practice partially or fully. This year, we gave practitioners three choices: practicing informally, practicing formally but inconsistently, or practicing formally and consistently. These options allow us to see the maturity of each best practice.

Figure 3 from the full study shows that IT security policies tops our list of the most-mature practices. But even here, only 51% of those who have IT security policies in place say their security policies are formal and consistent. From there, the situation goes down hill. For example, only 42% of IT organizations conduct IT security compliance audits formally and consistently.

BestPrac fig 3 - Security Dominates Survey of IT Management Best Practices


In addition to security, other top-line findings from our annual report show that IT organizations continue to embrace many key best practices such as IT policies and procedures, IT strategic planning, IT change control board, software change management, and disaster recovery planning.

“IT security best practices continue to be widely adopted, which you would expect, considering the massive breaches that keep happening, such as the recent Equifax debacle,” said Tom Dunlap, director of research at Irvine, Calif.-based Computer Economics. “However, it is striking how many IT organizations treat critical security practices informally or inconsistently. Things are not going to get better until IT organizations raise the bar on these disciplines.”

In the full study, we examine the growth and maturity of 32 IT management practices. Some of these are well-established disciplines and are widely accepted. Others are gaining traction among leading-edge organizations. Still other practices are being widely promoted by tool vendors and consultants but only rarely adopted, and it remains uncertain whether they will endure. Our goal in this study is to provide IT executives with real-world data on how widely each practice is implemented, a basis for comparing their organizations with their peers, and a means of identifying emerging best practices.

This study is now in its 13th year. Each year, we ask IT organizations in our annual survey to what extent they have adopted a selected list of IT management best practices. Survey participants have five response choices:

  • No Activity: We are not practicing this discipline in any way.
     
  • Implementing: We are in process of implementing this best practice.
     
  • Practicing Informally: We do not have formal policies or procedures for this discipline, but we do practice it in an informal or ad-hoc manner.
     
  • Practicing Formally but Inconsistently: We have formal policies and procedures for this discipline, but we do not follow them consistently or to the extent that we should.
     
  • Practicing Formally and Consistently: We have formal policies and procedures for this discipline and we follow them consistently.

The best practices in the study are as follows:

  • IT governance practices: IT strategic planning, IT steering committee, IT project portfolio management, IT change control board, organizational change management, and project management office.
     
  • IT financial management practices: IT personnel time tracking, service-based cost accounting, chargeback of IT costs, showback of IT costs, IT service catalog, and benchmarking IT spending.
     
  • IT operational management practices:  IT policies and procedures, IT Infrastructure Library (ITIL), IT asset management system, bring your own device, user-satisfaction surveying, and IT performance metrics.
     
  • IT security and risk management practices: IT security policies, data classification and retention, IT security compliance audits, security incident management, disaster recovery planning, disaster recovery testing, and business continuity planning.
     
  • Software development practices: system development life cycle, agile development, software change management, software metrics, enterprise architecture, post-implementation audits, and DevOps.

This study is designed to increase the awareness of IT leaders concerning what are the best practices in IT management, provide benchmarks against which an IT organization can compare its own adoption and practice level, and justify investments to improve an organization’s IT management practices.


This Research Byte is a brief overview of our report on this subject, IT Management Best Practices 2017-2018. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).