Recently, PwC formally released this report. PwC's framing: today's security threats are as hard to predict as the weather. Compared with other companies, firms like PwC and Deloitte are quite good at survey research and analysis.
The report surveyed 9,600 respondents, 20% of them from Asia. The survey found: 【Note: I only comment on the parts that interest me】
- 70% of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices… They have an effective strategy in place. They consider their organizations proactive in executing it. And their insights into the frequency, type and source of security breaches have leapt dramatically over the past 12 months.
- Some evidence points to a “crisis in leadership” and dangerous deficits in strategy. Capabilities across security domains are degrading. And security-related third-party risks are on the rise.
- The two most important business issues or factors driving their information security spending were economic conditions and the need to ensure business continuity and disaster recovery.
- About half of the respondents are deferring security projects and reducing spending on IT security.
- Approximately 80% or more of respondents can provide specific information about security event frequency, type, and source. Prevention, detection and web-related technologies, three sets of capabilities across regions, industries and organizational size, are attracting more sunshine this year than any other single core security-related area.
- About half believe that the security spending drought will ease at some point in the next 12 months.
- The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event. 【PwC's survey further confirms the new type of threat.】In the few short months since the survey was launched on February 10, 2011, for example, leading organizations worldwide have been targeted by Advanced Persistent Threat attacks. These entities include national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system. Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well. This year, significant percentages of respondents across industries agreed that APT drives their organization’s security spending. These included 43% of consumer products and retail respondents, 45% of financial services respondents, 49% of entertainment and media respondents and 64% of respondents from the industrial manufacturing sector. Only 16% of respondents say their organization’s security policies address APT. In addition, more than half of all respondents report that their organization does not have core capabilities directly or indirectly relevant to countering this strategic threat—such as penetration testing, identity management technology or a centralized security information management process.【When PwC designed the questionnaire, the question on whether respondents have the capability to counter APT and similar information threats offered five options: 1) network access control; 2) identity management; 3) employee security awareness training; 4) a centralized security information management process; 5) penetration testing. This shows how PwC views the capabilities an organization needs in order to counter this new kind of threat.】
- What are the greatest obstacles to effective information security? Leaders point to the lack of capital, among other factors—and shine the spotlight hottest at the “top of the house.”
- Mobile devices and social media represent a significant new line of risk—and defense. New rules are in effect this year for many organizations, though not yet the majority.
- More than four out of ten respondents report that their organization uses cloud computing【at least the survey shows that senior executives are fairly fond of cloud computing; the next finding below makes the same point】—69% for software-as-a-service, 47% for infrastructure-as-a-service and 33% for platform-as-a-service.
- Has the cloud improved security? More than half (54%) say it has, 23% believe that security has “weakened” and 18% see no change. What about the greatest risks to cloud computing strategies? The largest one is perceived to be the uncertain ability to enforce provider security policies. Others include inadequate training and IT auditing, questionable privileged access control at the provider site, the proximity of data to someone else’s and the uncertain ability to recover data, if necessary.
- The study includes a definition of a leader in information security. A leader has:
  - An overall information security strategy in place;
  - Their CISO or equivalent security leader reporting to the “top of the house”—i.e., either the CEO, the CFO, the COO or legal counsel;
  - Both measured and reviewed the effectiveness of its information security policies and procedures within the past year; and,
  - An understanding of exactly what type of security events have occurred over the past 12 months.
  Leaders are reporting half as many incidents, on average (1,274 per year vs. 2,562 for all survey respondents). Yet they’re encountering significantly higher levels of exploitation—of data (45% vs. 26%), of mobile devices (36% vs. 23%), of applications (30% vs. 20%), of systems (40% vs. 29%) and of networks (40% vs. 28%). They’re also much more likely to suspect that the attacks are initiated by employees (38% vs. 32%), former employees (41% vs. 26%) and hackers (50% vs. 35%).
Key takeaways for me include the observation that many have confidence in their IT security, yet the threat presented by APT, social media, and mobile has not been satisfactorily addressed. At the same time as technology is presenting new risks, spending on security continues to be reduced. The pressure to improve efficiency must be immense.
In addition, in the comparison of Asia, Europe and the Americas, Asia remains the region most eager to invest in information security; I think this is related to Asia's stage of economic development and IT build-out.