"Develop comprehensive email security strategies that address both inbound and outbound vulnerabilities; Actively monitor, assess and address email vulnerabilities on an ongoing basis – new threats appear daily; Include email vulnerability assessment in an overall threat analysis, looking at threats across email and the Web as well as across desktops, laptops, servers and networks."
The report demonstrates a circular/specious argument by pointing out the differences between what "best in class" organizations are doing versus the rest. If one takes the trouble to wade through the report to find out how "best in class" organizations are identified, one finds (surprise surprise) that they are those who demonstrate the very practices that are called out. This is like me lining up a bunch of people against a wall by height, then making a big song-and-dance about the fact that the people towards one end of the bunch are 'height advantaged' or 'height challenged' (depending on which end I'm talking about) compared to the rest.
Of course the report is replete with plenty of impressive-looking statistics and graphs which are no doubt being quoted as fact ... by those email security companies who 'sponsored' the study.
Good thing it's free.
[STBO = Statin The Bleedin Obvious]