An interesting advantage of a security consulting firm is that the majority of its employees absolutely love their job. The truth of the matter is that the label "Security Professional" is just a politically correct and somewhat emotionally diluted way to say [ethical] "hacker".
Since hackers live and breathe computer security, and the basis of the hacker culture is a community structure around sharing knowledge, it's easy for a security consulting firm to offer a podium (often something as simple as a website and a branded Word template) and reap the reputational benefits of a talented staff.
The problem with this is that the "Security Professional" ends up with the short end of the stick. He works his dream job during the day (hacking stuff), then goes home to work on a side project (hacking some other stuff) in order to write a whitepaper, give a talk, or release a tool that promotes the organization. This can only go on for so long before burnout occurs and morale is affected.
The solution to this is a Security Research Program. By creating a research program, management can provide consultants a technical path to grow, increase its service offerings, and demonstrate expertise throughout the industry while improving morale throughout the organization.
The biggest hurdle is how to conduct research and still make money. After all, research is a tricky business with a lot of challenges. First, it's not always easy to directly map the output of dedicated research time to a new sale. Second, research outputs are variable: who knows what you'll be able to achieve, and in some cases you may not achieve anything at all.
I've worked in security for some time now and I've seen many different approaches to starting a research program. Honestly, I still don't know which is the best, but here are some of the things I've seen.
Informal Approach
This is the most common approach across security consulting firms. Basically, if the consultant wants to do something, they ask for it, and if there is a gap in their schedule, they get to work on it. This does work, but it can affect the longevity of your consultants. If there is no structured process, it's likely that management will be blinded by the immediate need to get billable work done, and the research time will go on the back burner. This results in the consultant being overworked and morale deficient.
Position-Based Approaches
Some organizations decide to go with a position-based approach. The idea behind this is that more experienced consultants are given dedicated research time. More experienced consultants traditionally are more reliable and are more likely to produce something substantial. It also gives newer consultants motivation to work hard to move into a more senior position. The downside is that newer consultants, who are often more ambitious and have fresher ideas, don't get dedicated time.
Here are some examples of position-based research positions:
The Principal Consultant
All "Principal Consultants" will be given one month of bench time per year to work on an approved project that will be used to create a new service line or demonstrate technical expertise in a niche area of an already existing service line.
Here all experienced consultants would be given time. If research time is limited to a month, the lost opportunity cost can be recovered relatively quickly if the research does something like develop a new service line. At the same time the impact of a failed research project is limited.
The Research Consultant
The Research Consultant is a full-time position providing 1 day per week of dedicated research time. All other time is on billable work, providing technical oversight and mentoring per project.
One day a week over the length of the year actually makes it pretty difficult to recover lost opportunity costs within a reasonable amount of time with just one Research Consultant position. And chances are, you'll probably want to have more than one if your organization is of a decent size.
Formal Approach
As mentioned above, position-based approaches make it difficult to financially justify dedicated research time. The only reliable conclusion is that, as an organization, you just have to go for it.
Here's an example of a more formal and structured approach:
Research Governance and Structure
- Security Research Sponsor - Responsible for executive steering and oversight into the entire security research program. The head of the organization.
- Research Committee - Technically well rounded group of individuals, plus at least one management level position, which evaluates submitted research proposals and selects those that will be given time decided by a majority vote.
- Security Research Manager - This is a dedicated position responsible for coordinating the selection and execution of research projects. Directly reports to the VP or the head of the organization, i.e., the Security Research Sponsor. The Research Manager's responsibilities include:
  - Managing and measuring the progress of ongoing research projects
  - Updating the committee on project status and milestones
  - Developing tactical and strategic goals for the research program
  - Conducting long-term research projects
  - Structuring, driving, and providing guidance to the Research Committee
  - Reviewing all whitepapers, tools, talks, etc. prior to public release
  - Managing the release of public vulnerability disclosures
  - Managing the Research Development Team
  - Managing all equipment and supplies purchased to support research
  - Resource allocation
Application Process
Consultants submit research project ideas in the form of an application. The application itself is developed and maintained by the Security Research Manager, and contains, at minimum:
- Detailed description of the proposed research topic
- Expected time of completion in number of days (max 20 days, 1 consultant-month)
- Previous time spent working on the project
- Expected deliverables
Research applications are assessed once a quarter by the Security Research Manager and Research Committee.
Selection Process
Once a quarter, the Research Committee evaluates all outstanding research ideas and distributes time from an allocated pool to the project that has been deemed most likely to succeed and most valuable to the organization.
Caveats
The biggest problem with this approach is that, being formal and structured, it does not facilitate or support on-the-spot creativity. An individual may have a mind-blowing idea and the motivation to get it done at that very second, but the program's structure would force the individual to wait until the submission process is over, at which point the proposal might not even be approved. The individual could start the project in their free time, but counting on this ad-hoc "side project" approach defeats the purpose of the overall endeavor.
What works for you?
What experiences do you have with dedicated security research time? What has worked? What hasn't? Spill your beans in the comments below!