When it comes to security breaches, perhaps IT executives should look in the mirror. Our latest survey shows that an awful lot of companies are, inadvertently, admitting to not doing as good a job with security as they should.
The Computer Economics annual survey of IT management best practices finds that security and risk management practices dominate the list of the top five most-mature best practices. That’s good. However, what is not so good is the low percentage of IT organizations that have adopted these crucial security practices formally and consistently. Only about half or fewer of our respondents do so, which means the majority of organizations admit that their security and risk management practices are “informal” or “inconsistent.” In other words, there is a lot of room for improvement.
This year’s IT Management Best Practices study gives us deeper insights into how IT companies are putting crucial best practices into action. In previous years, we only asked whether they were applying each best practice partially or fully. This year, we gave practitioners three choices: practicing informally, practicing formally but inconsistently, or practicing formally and consistently. These options allow us to see the maturity of each best practice.
Figure 3 from the full study shows that IT security policies top our list of the most-mature practices. But even here, only 51% of those who have IT security policies in place say their security policies are formal and consistent. From there, the situation goes downhill. For example, only 42% of IT organizations conduct IT security compliance audits formally and consistently.
In addition to security, other top-line findings from our annual report show that IT organizations continue to embrace many key best practices such as IT policies and procedures, IT strategic planning, IT change control board, software change management, and disaster recovery planning.
“IT security best practices continue to be widely adopted, which you would expect, considering the massive breaches that keep happening, such as the recent Equifax debacle,” said Tom Dunlap, director of research at Irvine, Calif.-based Computer Economics. “However, it is striking how many IT organizations treat critical security practices informally or inconsistently. Things are not going to get better until IT organizations raise the bar on these disciplines.”
In the full study, we examine the growth and maturity of 32 IT management practices. Some of these are well-established disciplines and are widely accepted. Others are gaining traction among leading-edge organizations. Still other practices are being widely promoted by tool vendors and consultants but only rarely adopted, and it remains uncertain whether they will endure. Our goal in this study is to provide IT executives with real-world data on how widely each practice is implemented, a basis for comparing their organizations with their peers, and a means of identifying emerging best practices.
This study is now in its 13th year. Each year, we ask IT organizations in our annual survey to what extent they have adopted a selected list of IT management best practices. Survey participants have five response choices: