
Never-fail best practices when hiring a security researcher 2022

Micki Boland is a global cyber security warrior and evangelist with Check Point Technologies’ Office of the CTO. Micki has over 20 years in ICT, cyber security, emerging technology and innovation. Micki’s focus is helping customers, system integrators, and service providers reduce risk through the adoption of emerging cyber security technologies. Micki is an ISC2 CISSP and holds a Master of Science in Technology Commercialization from the University of Texas at Austin, and an MBA with a global security concentration from East Carolina University.

In this interview, expert Micki Boland discusses how to hire the best cyber security research talent: how to evaluate a security researcher's technical background, which soft skills matter most, how researchers demonstrate their value once hired, how findings should be disclosed, and how to keep researchers enthusiastic about their roles.

What hard skill sets do CISOs require of cyber security researchers?

Cyber security researchers typically need a software development background, including the ability to code in multiple languages, and knowledge of software architectures, software engineering, trusted computing, operating systems, embedded systems, hardware integration, networking, and reverse engineering. Security researchers also need extensive experience in QA testing and computer forensics, and experience using a variety of offensive security tools.

What soft skill sets are invaluable for cyber security researchers?

Two hugely important soft skills for cyber security researchers are curiosity and problem solving. Another crucial soft skill is the ability to effectively communicate complex subjects both verbally and in written communications.

Once hired, how can security researchers prove their value to an organization?

Security researchers who are hired to find bugs and flaws that introduce security vulnerabilities in the organization's own products and solutions prove their value by finding security holes in software and code versions before they are released to the public. These teams may also engage in pen testing the organization's systems and networks.

Sometimes, as in the example of a security firm, cyber security researchers are free to operate and have an unlimited hunting ground: they look for bugs, security flaws and vulnerabilities in open source code and software, and can sometimes test specific software, hardware and integrations more extensively within their own lab.

Finding security flaws provides "street cred" for the security firm and extends industry goodwill. The cyber security research team must find the security hole, directly and discreetly approach the vendor to provide their research and findings using responsible disclosure, and give the vendor the opportunity to fix the security bug or flaw. These cyber security researchers then get to claim the discovery of the security vulnerability and publish their research about it. This includes how it was discovered, specifics of what was tested, the results of disclosure, and potential fixes or mitigations. Some security firms sell their security research services to enterprise organizations that seek security research activities against their own software, platforms and networks.

How can security researchers communicate their findings to relevant parties?

Cyber security researchers can discreetly approach relevant parties to disclose their research and findings, giving the party the opportunity to take action to fix or mitigate the security vulnerability. This is responsible disclosure, and the onus is on the relevant party to take action, formulate a timeline, provide a fix or mitigation, and effectively communicate to the public.

In many cases, there is good collaboration between the research team that made the discovery and the relevant party. Sometimes the two publish the research together, with the responsible party providing the fix or mitigation. In the event that the security researcher or security research team provides research on a security vulnerability or flaw and the relevant party will not take action (for whatever reason), the security research team will typically make a public disclosure.

Anything else that you wish to share with the CyberTalk.org audience about hiring a security researcher?

Experience, curiosity, and problem solving, combined with a passion for all things technology, seem to be the secret sauce in really great cyber security researchers. The organizations hiring these people can keep them happy by providing freedom to operate, resources, and funding for talent and labs.
