The thoughts and ramblings of Martin Mckeay

Tag: industry report

You don’t have to be an expert, but it helps – Team82 State of XIoT 1H22

Only one Too Long; Did Read post this week, The State of XIoT report for 1H 2022 by Claroty’s Team82. The content and analysis of this report were uneven. There is a lot to commend the team for, but also significant sections that left me shaking my head. This is a reimagining of previous reports, so it’s hopeful that future Claroty reports will build on the better aspects of this one.

Regwall: Yes, https://claroty.com/resources/reports/state-of-xiot-security-1h-2022

Target Audience: IoT (or XIoT) experts

Length & Read time: 35 pages, 30-60 minutes, longer if you are not an IoT expert. I finished reading the report in 75 minutes but required extra time to review some of the terminology and the Purdue Model.

Grade: B. Despite some parts being hard to digest, this has more going for it than most.

Overall Impression: I dislike the creation of new initialisms/acronyms in reports, but I think Claroty can get away with it this time. ‘XIoT’ stands for the Extended Internet of Things, meaning medical devices, video cameras, embedded devices, and a whole host of other general connected ‘things’. However, the report often uses the initialism for many of these things without clarifying what they mean and how they are used in the report. Lack of definition is a recurring theme of the report, from defining terms, to explaining the statistics used, to plots with no titles or captions.

Be prepared to spend some time identifying and understanding the most important parts of this report on your own. Most of the text is a reading of the visualizations, with confusing context and analysis. It may be because IoT/XIoT isn’t my main area of interest, but I think it’s because I don’t like having plots read at me. The writers left too much to the reader to figure out.

Despite the uneven delivery of the report, I still suggest reading it if you’re interested in IoT in its myriad forms. Several sections contain Key Events and are worth reading on their own. More than anything else, it’s the Mitigations/Remediations section I would point readers at, starting on page 22. Not only does Team82 give specific suggestions, they provide data to show why specific recommendations should be the reader’s priority. This section is why I think the report is above average, but in need of tender loving care and focus to make it truly shine.


I wanted to like this report, but … – Fortinet Global Threat Landscape Report 1H 2022

The Thursday edition of ‘Too Long; Did Read’ focuses on Fortinet’s Global Threat Landscape Report for the first half of 2022. In my experience, 7-8 weeks to go from data collection to a published report is a relatively tight deadline, but it means this data is still timely. I applaud Fortinet for making this report available without having to register, which is a rarity. The failure of this report is the use of the term, “prevalence”. I suspect most readers have never seen this term used in its data science context and no effort is made to clarify what it means. My suggestion is to read the text, but generally ignore the plots and graphs.

RegWall: No! https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-1h-2022.pdf

Target Audience: Technical, primarily for readers in the IPS space.

Length & Read time: 17 pages, 30-45 minutes. Taking notes, I spent 75 minutes with this report, with additional time researching prevalence in statistics.

Grade: C, average for the security industry.

Overall Impression: I was excited to read this report when I first saw it, but found myself becoming more confused as I read through the text and tried to make sense of the data visualizations. The Overview and Key Highlights section sums up the main talking points, but most lack the specificity I’d like to see.

If you only have a few minutes to devote to the report, read these sections: ‘Vulnerabilities in OT’, pages 7 & 8; ‘Ransomware Roundup’, pages 12-14. I also liked the review of wipers targeting the Ukraine and spilling over into other countries, pages 14-16. But I can’t recommend the report due to difficult-to-understand data representation choices.


’50 Shades of Blue’ or ‘Red Hot Mess’ from CyberTheory

My ‘Too Long; Did Read’ review of the ‘CISO Engagement and Decision Drivers Study’ from CyberTheory is, by necessity, much more negative than I’m generally comfortable writing, but it truly deserves the treatment. Despite the title of the study, it barely talks about engagement with CISOs in any meaningful way. It might be useful to a Marketing team, but is almost impossible to decipher and misses its target. Due to the colors chosen for the plots and graphs of the report, any hope of the reader drawing intelligence from the study is quickly drowned in a sea of blue ink.

To be clear, I’ve worked with and known much of the team at the Cyentia Institute and respect them greatly. I’ve followed their work for years and know what they’re capable of. I wouldn’t spend the time needed to read the report from front to back and comment on it if I didn’t know, beyond a shadow of a doubt, they are capable of something much better than what’s shown in this report. Please look away, Wade and team!

Overall Impression – When I review a report, I’m examining three aspects: A) What data is the report drawing on, B) How was the data analyzed, and C) How was the data visualized. I’m also looking at how it was laid out and edited, but that’s generally a minor part of my analysis. The CISO Engagement report fails, or nearly fails, on every one of these measurements. The data and the visualizations are rendered useless by the color choice, and the analysis is window dressing with key words thrown into the mix. I’m looking for guidance on how to use the data, rather than generic SEO feedback.

Who should read this? Marketing and content creation teams might gain some insight from this report. It is primarily aimed at people trying to connect to CISOs after all. I would suggest that marketing teams skip straight to page 22 (or is it 39?) and the section titled ‘Reaching Your Audience’. There are a significant number of ‘Marketing Takeaways’ that may contain nuggets of wisdom for their consumption.

Security professionals should avoid reading this report. We’re not the target. If you’re interested to see what an SEO driven content team thinks will grab your attention, dive in. But you’d better like blue and cyan, because there are no other colors to choose from in the CISO Engagement study.


PwC Survey – Decent report, too little analysis

I’m repurposing the initialism ‘TL: DR’ to mean ‘Too Long: Did Read’. I have been writing industry reports since 2015 and reading them far longer, which gives me a wealth of experience to assess the content of industry reports so you don’t have to.

I’m kicking off this series with PwC’s Global Economic Crime and Fraud Survey 2022. I found this report while reading Lori MacVittie’s monthly newsletter, The Tech Menagerie. As my friends in Boston would say, Lori is ‘wicked smaht’ and someone you should follow. Note: none of my friends actually talk like that unless they’re making fun of their own home town.

Overall impression – This is not a cybersecurity report, it’s a report for CFOs, CMOs, and other executives looking for information about fraud in the industry. It’s worth reading for a security professional because it reflects the concerns those executives are worried about. Survey data is one of my least favorite ways to build a report, but PwC is correct in framing this as opinions, rather than facts.

My key takeaway from the report is the rising concern about hackers and cybercrime among executives across all industries. My key complaint is the lack of analysis in the report. ‘Here’s the data’ is different from ‘Here’s what the data means.’ I’d give this report a solid B, which could have been an A with additional analysis.
