Management: Best Practices

IT MANAGEMENT
BEST PRACTICES
2018 / 2019
2082 B u s i n e s s C e n t e r D r i v e , S u i t e 2 4 0 | I r v i n e , CA 92612
T elep h o n e ( 9 4 9 ) 8 3 1 - 8 7 0 0 | w w w . c o m p u t e r e c o nomics.com
IT Management Best Practices 2018/2019
Computer Economics provides research and advisory services on the strategic and financial
management of information technology. Our clients include IT end-user organizations and major
consulting firms in North America. Our IT Spending and Staffing Benchmarks study, published annually
since 1990, is the definitive source of IT benchmarking data.
Other annual studies include Technology Trends, an assessment of technology adoption, spending, and
economic experience; IT Outsourcing Statistics, which provides data on the use of and experience with
IT outsourcing; IT Management Best Practices, which measure adoption trends of strategic IT practices;
and IT Staffing Ratios, a series of benchmarking studies with metrics for 16 IT job functions.
In addition to these major studies, we publish IT management advisories on various issues of

concern to IT managers. These reports are made available through our website. For further
information on our custom benchmarking services, website subscriptions, advisory reports, and other
services, please contact our office or visit our website at www.computereconomics.com.
U U
Contact Information:
Address: 2082 Business Center Drive, Suite 240, Irvine, CA 92612, USA
Telephone: +1 (949) 831-8700
www.computereconomics.com
© 2018 Computer Economics, Inc. All Rights Reserved.
ISDN: 0-945052-98-7
Unauthorized reproduction or distribution in whole or in part in any form, including photocopying,

faxing, image scanning, e-mailing, or making available for electronic downloading is prohibited
without written permission from Computer Economics. Prior to photocopying items for internal or
personal use, please contact Computer Economics, Inc. All trade names, trademarks, or registered
trademarks are trade names, trademarks, or registered trademarks of their respective owners.
Information contained in this publication has been compiled from sources believed to be reliable, but
the accuracy of this information is not guaranteed.
Computer Economics disclaims all warranties and conditions with regard to the content, express or
implied, including warranties of merchantability and fitness for a particular purpose, nor assumes any
legal liability for the accuracy, completeness, or usefulness of any information contained herein. Any
reference to a commercial product, process, or service does not imply or constitute an endorsement
of the same by Computer Economics. This publication is designed to provide accurate and
authoritative information in regard to the subject matter covered. It is sold or distributed with the
understanding that Computer Economics is not engaged in rendering legal, accounting, or other
professional service. If legal advice or other expert assistance is required, the services of a competent
professional person should be sought.
Table of Contents for Full Report
IT MANAGEMENT BEST PRACTICES 5
Introduction 5
How We Measure Best Practices 6
Understanding the Best-Practice Profiles 7
Major Findings 8
IT GOVERNANCE BEST-PRACTICE PROFILES 13
IT Strategic Planning 14
Executive IT Steering Committee 20
IT Project Portfolio Management 25
Project Management Office 30
IT Change Control Board 35
Organizational Change Management 40
IT FINANCIAL MANAGEMENT BEST-PRACTICE PROFILES 46
IT Personnel Time Tracking 48

Service-Based Cost Accounting 53
Chargeback of IT Costs 59
Showback of IT Costs 64
IT Service Catalog 69
Benchmarking IT Spending Levels 75
IT OPERATIONAL MANAGEMENT BEST-PRACTICE PROFILES 80
IT Policies and Procedures 81

Enterprise Architecture 86
IT Infrastructure Library (ITIL) 91
IT Asset Management System 97
Bring Your Own Device 102
User-Satisfaction Surveys 108
IT Performance Metrics 113
IT SECURITY AND RISK MANAGEMENT BEST-PRACTICE PROFILES 118
Security Policies 120

Data Classification and Retention 125
IT Security Compliance Audits 131
Security Incident Management 136
Disaster Recovery Planning 141
Disaster Recovery Plan Testing 146
Business Continuity Planning 151
APPLICATION DEVELOPMENT BEST-PRACTICE PROFILES 156
System Development Life Cycle 157

Agile Development 162
Software Change Management Process 167
DevOps 172
Post-Implementation Audits 178
INNOVATION BEST-PRACTICE PROFILES 183
IT Participation in Business Strategy 184

IT Leadership for Digital Transformation 189
IT R&D Budget 195
Innovation/Ideation Portal 200
APPENDIX 206
Benchmarking IT Management Best Practices 206

Methodology and Sample 207
IT MANAGEMENT BEST PRACTICES 2018/2019
IT Management Best Practices

Introduction
Much of the mission of the IT organization is to automate and improve business processes
throughout the enterprise, but the IT organization itself also needs process disciplines and
automation. The best-run IT organizations seek to continually optimize and improve IT management
processes.
IT as a business function has evolved and matured over a period of decades, and today it is no longer
necessary for IT organizations to reinvent the wheel. Although best practices need to be tailored to
fit the organization, certain disciplines show up again and again in the best-run IT organizations. At
the same time, these disciplines are continually evolving. The movement from waterfall software
development to agile development is one example. The transition from traditional software change
management to DevOps is another. In other cases, new practices are needed to accommodate new
technologies, such as bring-your-own-device policies to respond to the widespread adoption of
mobile technology. IT leaders, therefore, must continually evaluate their internal processes to ensure
they are keeping pace.
In this study, we examine the growth and maturity of 35 IT management practices. Some of these are
well-established disciplines and are widely accepted. Others are gaining traction among early
adopters. Still other practices are being widely promoted by tool vendors and consultants, but they
are only rarely adopted, and it remains uncertain whether they will endure. Our goal in this study is to
provide IT executives with real-world data on how widely each best practice is implemented, a basis
for comparing their organizations with their peers, and a means of identifying emerging best
practices.
This study is now in its 14th year. Each year, we ask IT organizations in our annual survey to what
extent they have adopted a selected list of IT management best practices. Survey participants have
five response choices:
 No Activity: We are not practicing this discipline in any way.
 Implementing: We are in process of implementing this best practice.
 Practicing Informally: We do not have formal policies or procedures for this

discipline, but we do practice it in an informal or ad-hoc manner.

© 2018 COMPUTER ECONOMICS, INC. UNAUTHORIZED DISTRIBUTION OR REPRODUCTION IS PROHIBITED.
PAGE 5
 Practicing Formally but Inconsistently: We have formal policies and procedures for
this discipline, but we do not follow them consistently or to the extent that we should.
 Practicing Formally and Consistently: We have formal policies and procedures for
this discipline and we follow them consistently.
The responses enable us to determine how widely a discipline has been adopted, how formally and
consistently it is being practiced, and how quickly it is likely to grow. By comparing current-year
responses with those from prior years, we also can assess the growth trajectory of a best practice.
To simplify the presentation, we have grouped the practices into six major categories: IT governance
practices, IT financial management practices, IT operational management practices, IT security and
risk management practices, application development practices, and innovation practices. While the
boundaries between these best-practice categories can overlap, the categories provide an opportunity
to discuss the selected practices within the context of related practices. We present our key study
findings by category at the beginning of each section.
How We Measure Best Practices

Our assessment of the practices is primarily based on three concepts: practice rate, practice level, and
maturity.
 The practice rate is the percentage of organizations that have adopted a practice, even
if just informally. For example, if for a given best practice 20% of the respondents are
practicing it informally, 20% are practicing it formally but inconsistently, and 40% are
practicing it formally and consistently, then the practice rate is 80%. The practice rate
does not include companies that are planning to implement the practice but have not yet
done so. We report the practice rate for the composite sample, by organization size, and
by sector.
 The practice level is an indicator of how fully the practitioners have adopted a best
practice. For a given best practice, the practice level is the percentage of adopters that
are practicing it “formally and consistently” (as opposed to informally or inconsistently).
Continuing the previous example, if the best practice has been adopted by 80% of the
sample (the practice rate), but only 40% of the adopters are practicing it formally and
consistently, the practice level is 40%. While some best practices may be widely adopted,
the practice level could still be low because it is only practiced informally or
inconsistently.
 The maturity of a practice is simply the percentage of respondents that have adopted
that best practice “formally and consistently.” We report this metric in the adoption

PAGE 6
profile for each practice. In addition, we also calculate the relative maturity for each of
them against the others to produce our maturity ratings of low, moderate, or high. The
scale is based on the lowest and highest maturity values in the study. A low rating would
fall in the bottom third of the scale, a moderate rating in the middle third, and a high
rating in the top third. The analysis provides a basis for comparing and contrasting the
practices in the Major Findings section and in the maturity profiles as discussed below.
Understanding the Best-Practice Profiles

Within each section, we present profiles on each best practice. The profiles are comprised of five
charts, as follows:
 Maturity Profile: The first chart sets the context for assessing the practice rate, practice
level, and maturity by providing ratings of low, moderate, or high. The ratings are based
on a comparison among all 35 practices in the study.
 Practice Rate Trend: Many of the best practices have been included in our annual
study for a number of years. In the practice rate trend chart, we show how the practice
rate has been changing over time. The number of years in the trend charts can vary,
depending on how long the practice has been in the survey.
 Adoption Profile: The adoption profile shows the percentage of organizations at each
adoption stage. The stages as previously mentioned are: no activity, implementing,
practicing informally, practicing formally but inconsistently, and practicing formally and
consistently (the maturity level).
 Practice Rate and Level by Organization Size: Organization size often influences the
adoption of a particular management practice. This analysis breaks the sample into size
categories: Large organizations have IT operational budgets of at least $20 million,
midsize organizations from $5 million up to $20 million, and small organizations less
than $5 million.
 Practice Rate by Sector: This chart shows practice rates by sector.

PAGE 7
Major Findings
Our top-line findings show that IT organizations continue to embrace many of the key best practices
such as IT strategic planning, IT policies and procedures, security policies, software change
management process, and disaster recovery planning. Many other practices out of our total of 35,
however, remain immature and not fully embraced, including DevOps, ITIL, IT service catalog, and
post-implementation audits.
In this section, we examine the top five most practiced, top five least mature, and the top five most
mature.
Top Five Most Practiced

Our top practices revolve around one of two major categories—basic practices that touch all areas of
the IT department such as strategic planning—and those that involve risk management. As shown in
Figure 1, three best practices are the most practiced: IT strategic planning, IT policies and
procedures, and security policies. About 86% of organizations have embraced these best practices.
Next on the list is software change management process, at 84%. This process is the establishment of
formal controls over how new systems or system changes are introduced into the production
environment.
Rounding out the top five most popular, at 83%, is disaster recovery planning. As each new natural
disaster or widespread power outage hits, organizations are reminded that they need to routinely
update and test their disaster recovery plans or risk business disruption.

PAGE 8
Top Five Least Mature

As noted in the introduction, we define the maturity rate as simply the percentage of organizations
that have adopted a given best practice formally and consistently. While some best practices enjoy
consistent use throughout many organizations, some are only practiced in an ad hoc way or by only a
small percentage of organizations.
As shown in Figure 2, the least mature best practice is post-implementation audits, which has a mere
4% of respondents practicing it formally and consistently. The use of post-implementation audits is
hardly a new practice, but many organizations tend to skip this final step of the implementation
process, particularly when they are struggling with more pressing concerns. Of these top five least-
mature practices, we judge post-implementation audits as the one that is the most obvious as an
opportunity for all IT organizations. It is a low-cost best practice, easy to implement, and has
immediate tangible benefits. It is a shame that it is not more broadly practiced formally and
consistently.
Next on the list is innovation/ideation portal at 5%. An innovation/ideation portal is a company-

wide system allowing workers to submit ideas/suggestions and vote on ideas of others so that the
most popular can be prioritized. This is the first year we have included this best practice in our
survey.
Two practices earn a 6% maturity rating: IT R&D budget and IT service catalog. With the former,
the IT organization has a defined budget for researching, developing, and conducting pilot projects
for new technologies that may or may not ultimately be adopted by the organization. As for the IT
service catalog, it is a foundational element of IT service management, and it plays an important role

PAGE 9
in IT financial management. It has garnered attention recently, but the practice to this point is rarely
implemented.
At 8% is IT Infrastructure Library (ITIL), which is a framework of policies, procedures, and

concepts for IT management best practices. ITIL is often associated with the concept of IT service
management but is applicable to a wide range of IT processes. The maturity of ITIL is low because
few organizations implement ITIL in its entirety but rather adopt it for selected areas where the need
is greatest.

PAGE 10
Top Five Most Mature

In the current climate of high-profile privacy and security breaches, it is no surprise that three
security practices dominate the top five most-mature list. What might be more surprising is the low
percentage of IT organizations that have adopted these crucial security practices formally and
consistently. Only about half or fewer of our respondents can say they do, which means the majority
of organizations need improvement in their security and risk management practices.
Figure 3 shows that security policies tops our list of the most-mature practices, with 57% saying their
security policies are formal and consistent. The fact that most organizations have IT security policies
is not surprising, since such policies are often mandated by corporate policies or industry regulations.
But it is disappointing that only 57% of them establish them formally and consistently. Perhaps this
is one reason that we continue to see little progress against high-profile cyberattacks.
Security incident management, at 46%, is second on this most-mature list. Security incident
management is a process to record, track, and resolve security breaches. When a security incident
occurs, an organization will have a response team in place and clearly defined procedures for
managing the incident. Security incident management is especially important for companies such as
banks and retailers that hold sensitive customer information. But fewer than half of IT organizations
formally and consistently respond to and manage security incidents.
Disaster recovery planning garners 45% on the maturity ranking. This best practice entails plans and
processes to ensure recovery of systems and data in the event of disruption. It is discouraging that
fewer than half of organizations plan for disaster recovery formally and consistently.

PAGE 11
IT security compliance audits are next on the top maturity list, at 42%. Periodically auditing users and
IT staff to ensure that security policies are followed is a mandate for any organization that is serious
about IT security, particularly those managing personal information such as patient healthcare
records and those processing credit card and other financial transactions. Yet again, the fact that only
42% of IT organizations formally and consistently audit security compliance is discouraging.
The fifth most-mature practice is IT policies and procedures, at 41%. The best IT organizations not
only document a complete set of needed policies and procedures, but they also regularly update them
as business conditions or the IT landscape changes. This is a foundational practice for any IT
organization, and it is difficult to imagine why any would not maintain IT policies and procedures
formally and consistently.

PAGE 12
IT Governance
Best-Practice Profiles
This section presents trends for IT management best practices in the governance category. IT
governance practices help align the IT organization’s objectives and priorities with those of the
business and ensure that proper controls are established and maintained. Six of the best practices in
the study are in this group, as shown in Figure 4. The practices are ranked by their relative maturity
level, which is determined by comparing them with one another in terms of the percentage of
organizations that are practicing them formally and consistently.
Three of these practices are rated as moderate in maturity: IT change control board, executive IT
steering committee, and IT strategic planning. Year-over-year practice rates and levels are relatively
stable.
Project management office and IT project portfolio management are less-mature practices in this
group, as both have maturity ratings on the high side of low, relative to other best practices overall.
Organizational change management also gets a low maturity rating.

PAGE 13
IT Strategic Planning
IT strategic planning is a critical activity for every organization. Typically, the process involves
understanding the organization’s business strategy; assessing the gaps between IT capabilities and
business needs; establishing overall objectives for IT; developing an action plan; monitoring and
reporting the results; and revising the plan on a regular basis. Increasingly, however, alignment
between the business strategy and IT strategy is a two-way street. IT strategy needs to align to the
business, but at the same time IT capabilities can be leveraged to transform the organization’s
business model. “Digital transformation” is a popular term describing an IT-enabled business
strategy.
To be practicing formally and consistently, an organization must have an IT strategic plan that spans
multiple years. A multiyear IT plan takes a three- to five-year view, focuses on what new systems and
IT capabilities need to be implemented, what business and IT processes need to be transformed, and
how the IT organization needs to be developed to better serve the business. Without a multiyear
approach, it is difficult for IT organizations to undertake initiatives that stretch beyond the current
budget cycle or do not offer immediate payback despite supporting a longer-term strategy.

PAGE 14
Maturity Profile
IT strategic planning is well-established and enjoying healthy, regular use. Strategic planning earns a
high practice rating and a moderate practice level rating, Figure 5 shows.
This practice, therefore, enjoys a moderate maturity rating relative to other practices in this study. It
is a positive sign that IT organizations today are focused on long-term, strategic initiatives, even if
just informally. However, more formal and consistent practice is warranted.

PAGE 15
Practice Rate Trend

Figure 6 shows that 86% of organizations have IT strategic plans, which is almost the same as last
year but noticeably higher than the 72% rate in 2016. The practice rate for IT strategic planning is
high and is likely to remain so.

PAGE 16
Adoption Profile
Figure 7 shows the percentage of organizations at each adoption stage this year. The three green bars
make up the practice rate: 24% are practicing IT strategic planning informally, 26% are practicing
formally but inconsistently, and 36% are practicing formally and consistently (the maturity level).
Another 8% are implementing the practice for the first time. The remaining 6% report no activity.

PAGE 17
Practice Rate and Level by Organization Size

As described in the introduction, the practice rate is the percentage of organizations that have
adopted this best practice, even if just informally, and the practice level is the percentage of the
adopters that are practicing this discipline formally and consistently.
Organization size has only a small influence on the adoption of IT strategic planning. Large
organizations are the practice leaders: 91% of them practice IT strategic planning at least on an
informal basis, compared with 83% of midsize organizations and 85% of small organizations, Figure
8 shows.
When it comes to practice level, the influence of organization size is modest but notable. Midsize
organizations tend to do IT strategic planning more formally and consistently than other
organizations, with a 53% practice level. Thirty-three percent of small organizations and 40% of large
organizations that have adopted IT strategic planning are doing so formally and consistently.

PAGE 18
Practice Rate by Sector

The financial services sector makes the most use of IT strategic planning. About 92% of financial
services organizations have IT strategic plans, Figure 9 shows. Other sectors where IT strategic
planning is common include the professional/technical services sector at 89%, manufacturing sector
at 88%, and the government/nonprofit sector with an 86% rate.
IT strategic planning is least pervasive among the construction/trade services sector, where 67% of
organizations have IT strategic plans. But clearly, the majority of organizations in all sectors have
adopted IT strategic planning.

PAGE 19
Appendix
Benchmarking IT Management Best Practices
The analysis of the IT management best practices provided in this study provides one source of
guidance for IT managers in developing their IT organizational disciplines. We recommend the
information provided in this report be used as “best-practice benchmarks.” For each practice listed
in this study, review whether or not the discipline is being practiced and, if so, at what level
(informally or formally, inconsistently or consistently). Then, compare with the benchmark
organizations and ask the following questions:
 Are the practices identified as having high practice rates in place within the organization?
If not, it may be appropriate to rank the IT organization as lagging in these widely
adopted practices.
 If the organization already is practicing the most highly adopted practices, are they being
practiced formally and consistently? If the practice is informal or inconsistent, ask
whether improving disciplines around the practice would yield further benefits. This
may reveal opportunities for improvement.
 Identify where the organization stands in relation to the practices that are showing the
most rapid growth. For those not yet practiced, consider more research or a pilot
program to further understand how they could improve the effectiveness of IT
processes.
Finally, the results presented in our study provide ammunition for justifying an investment in
implementation of these best practices. Use the practice rate and level statistics as evidence of the
direction other organizations are taking to improve the performance of the IT function.

PAGE 20
Methodology and Sample

The survey was conducted from January to May 2018. We identified and selected participants by
making solicitations to specific organizations in the U.S. and Canada that met our criteria for
organization size and industry sector. As the survey progressed, we monitored response volume by
industry and organization size and adjusted our survey-solicitation activities accordingly to ensure
that the stratification of the survey sample was within acceptable bounds. Surveys were conducted
using an online survey tool or by electronic form.
A total of 173 IT organizations in the U.S. and Canada participated in the IT Management Best Practices
study. Figure A-1 displays the key demographics for organizations in the sample.
Key Demographics of Composite Sample

25th 75th
Metric Percentile Median Percentile
IT Operational Spending $4.0M $9.9M $35.8M
IT Staff Headcount 14 37 124
Users 450 1,443 5,300
Server OS Instances 50 193 500
Business Applications 7 19 80
Source: Computer Economics, 2018 Figure A-1
We also assess the sample by sector. Manufacturers made up 22.3% of the sample; government and
nonprofit organizations, 18.9%; financial services, 13.6%; professional/technical services, 13.1%,
retail and wholesale distributors, 10.1%; hospitals/health systems, 5.8%; construction and trade
services, 5.3%, and other sectors, 10.7%.

PAGE 21

Management: Best Practices

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Management: Best Practices

Загружено:

Авторское право:

Доступные форматы

IT MANAGEMENT

In addition to these major studies, we publish IT management advisories on various issues of

© 2018 Computer Economics, Inc. All Rights Reserved.

Unauthorized reproduction or distribution in whole or in part in any form, including photocopying,

IT GOVERNANCE BEST-PRACTICE PROFILES 13

IT FINANCIAL MANAGEMENT BEST-PRACTICE PROFILES 46

IT Personnel Time Tracking 48

IT OPERATIONAL MANAGEMENT BEST-PRACTICE PROFILES 80

IT Policies and Procedures 81

IT SECURITY AND RISK MANAGEMENT BEST-PRACTICE PROFILES 118

Security Policies 120

APPLICATION DEVELOPMENT BEST-PRACTICE PROFILES 156

System Development Life Cycle 157

INNOVATION BEST-PRACTICE PROFILES 183

IT Participation in Business Strategy 184

Benchmarking IT Management Best Practices 206

IT Management Best Practices

 No Activity: We are not practicing this discipline in any way.

 Implementing: We are in process of implementing this best practice.

 Practicing Informally: We do not have formal policies or procedures for this

IT MANAGEMENT BEST PRACTICES 2018/2019

How We Measure Best Practices

IT MANAGEMENT BEST PRACTICES 2018/2019

Understanding the Best-Practice Profiles

 Practice Rate by Sector: This chart shows practice rates by sector.

IT MANAGEMENT BEST PRACTICES 2018/2019

Top Five Most Practiced

IT MANAGEMENT BEST PRACTICES 2018/2019

Top Five Least Mature

Next on the list is innovation/ideation portal at 5%. An innovation/ideation portal is a company-

IT MANAGEMENT BEST PRACTICES 2018/2019

At 8% is IT Infrastructure Library (ITIL), which is a framework of policies, procedures, and

IT MANAGEMENT BEST PRACTICES 2018/2019

Top Five Most Mature

IT MANAGEMENT BEST PRACTICES 2018/2019

IT MANAGEMENT BEST PRACTICES 2018/2019

IT MANAGEMENT BEST PRACTICES 2018/2019

IT MANAGEMENT BEST PRACTICES 2018/2019

IT MANAGEMENT BEST PRACTICES 2018/2019

Practice Rate Trend

IT MANAGEMENT BEST PRACTICES 2018/2019

IT MANAGEMENT BEST PRACTICES 2018/2019

Practice Rate and Level by Organization Size

IT MANAGEMENT BEST PRACTICES 2018/2019

Practice Rate by Sector

IT MANAGEMENT BEST PRACTICES 2018/2019

IT MANAGEMENT BEST PRACTICES 2018/2019

Methodology and Sample

Key Demographics of Composite Sample

IT MANAGEMENT BEST PRACTICES 2018/2019

Вам также может понравиться