Tuesday, October 11, 2011

Starting a Security Research Program

By Brad Antoniewicz

An interesting advantage of a security consulting firm is that the majority of its employees absolutely love their job. The truth of the matter is that the label "Security Professional" is just a politically correct and somewhat emotionally diluted way to say [ethical] "hacker".

Since hackers live and breathe computer security, and the basis of the hacker culture is a community structure around sharing knowledge, it's easy for a security consulting firm to offer a podium (often something as simple as a website and a branded Word template) and reap the reputational benefits of a talented staff.

The problem with this is that the "Security Professional" ends up with the short end of the stick. He works his dream job during the day (hacking stuff), then goes home to work on a side project (hacking some other stuff) to ultimately write a whitepaper, give a talk, or release a tool that promotes the organization. This can only go on for so long before burnout occurs and morale is affected.

The solution to this is a Security Research Program. By creating a research program, management can provide consultants a technical path to grow, increase its service offerings, and demonstrate expertise throughout the industry while improving morale throughout the organization.

The biggest hurdle is how to conduct research and still make money. After all, research is a tricky business with a lot of challenges. First, it's not always easy to directly map the output of dedicated research time to a new sale. Second, research outputs are variable: who knows what you'll be able to achieve, and in some cases you may not achieve anything at all.

I've worked in security for some time now and I've seen many different approaches to starting a research program. Honestly, I still don't know which is the best, but here are some of the things I've seen.

Informal Approach

This is the most common approach across security consulting firms. Basically, if the consultant wants to do something, they ask for it, and if there is a gap in their schedule, they get to work on it. This does work, but it can affect the longevity of your consultants. If there is no structured process, it's likely that management will be blinded by the immediate need to get billable work done, and the research time will go on the back burner. This results in the consultant being overworked and low on morale.

Position Based Approaches

Some organizations decide to go with a position based approach. The idea behind this is that more experienced consultants are given dedicated research time. More experienced consultants traditionally are more reliable and are more likely to produce something substantial. It also gives newer consultants motivation to work hard to move into a more senior position. The downside is that newer consultants, who are often more ambitious and have fresher ideas, don't get dedicated time.

Here are some examples of position-based research positions:

The Principal Consultant

All "Principal Consultants" will be given one month of bench time per year to work on an approved project that will be used to create a new service line or demonstrate technical expertise in a niche area of an already existing service line.

Here all experienced consultants would be given time. If research time is limited to a month, the lost opportunity cost can be recovered relatively quickly if the research does something like develop a new service line. At the same time the impact of a failed research project is limited.

The Research Consultant

The Research Consultant is a full time position providing 1 day per week of dedicated research time. All other time is on billable work, providing technical oversight and mentoring per project.

One day a week over the length of the year actually makes it pretty difficult to recover lost opportunity costs within a reasonable amount of time with just one Research Consultant position. And chances are, you'll probably want to have more than one if your organization is of a decent size.

Formal Approach

As mentioned above, position-based approaches make it difficult to financially justify dedicated research time. The only reliable conclusion is that, as an organization, you just have to go for it.

Here's an example of a more formal and structured approach:

Research Governance and Structure

  • Security Research Sponsor - Responsible for executive steering and oversight into the entire security research program. The head of the organization.
  • Research Committee - Technically well-rounded group of individuals, plus at least one management-level position, which evaluates submitted research proposals and selects, by majority vote, those that will be given time.
  • Security Research Manager - This is a dedicated position responsible for coordinating the selection and execution of research projects. Directly reports to the VP or the head of the organization, i.e., the Security Research Sponsor. The Research Manager's responsibilities include:
    1. Managing and measuring the progress of ongoing research projects
    2. Updating the committee on project status and milestones
    3. Developing tactical and strategic goals for the research program
    4. Conducting long term research projects
    5. Structuring, driving, and providing guidance to the Research Committee
    6. Reviewing all whitepapers, tools, talks, etc. prior to public release
    7. Managing the release of public vulnerability disclosures
    8. Managing the Research Development Team
    9. Managing all equipment and supplies purchased to support research
    10. Resource allocation

Application Process

Consultants submit research project ideas in the form of an application. The application itself is developed and maintained by the Security Research Manager, and contains, at minimum:

  • Detailed description of the proposed research topic
  • Expected time of completion in number of days (max 20 days, 1 consultant-month)
  • Previous time spent working on the project
  • Expected deliverables
  • Milestones

Research applications are assessed regularly, once a quarter, by the Security Research Manager and the Research Committee.

Selection Process

Once a quarter, the Research Committee evaluates all outstanding research ideas and distributes time from an allocated pool to the project that has been deemed most likely to succeed and most valuable to the organization.


The biggest problem with this approach is that, being formal and structured, it does not facilitate or support on-the-spot creativity. An individual might have a mind-blowing idea and the motivation to get it done at that very second, but the program's structure would force the individual to wait until the submission process is over, at which point the proposal might not even be approved. The individual could start the project in their free time, but counting on this ad-hoc "side project" approach defeats the purpose of the overall endeavor.

What works for you?

What experiences do you have with dedicated security research time? What has worked? What hasn't? Spill your beans in the comments below!


  1. I'm the kind of person that gets bored quickly. I'll latch onto an idea, work at it pretty hard for some amount of time, then something else will interest me, and off I'll go. I HATE being structured, and working that way really cripples my motivation. At the same time however, some sort of guidance is a positive thing. I think what would work best for me would be to keep research on as a side job, but with guidance and input/output from a more senior person that could give me feedback and steer me into a forward moving direction with insightful comments and leadership. By keeping research as a side job, I don't go at it full bore, and end up getting bored with it after a month or two. I'm able to do my billable work and in that way, keep my motivation up for the side job, since my brain has time to get away from it and work on something else. I guess I think of it kind of like candy: some candy is great, especially when I have an experienced person who has tasted a lot of different candy suggesting I try different things, but if I stop eating typical food and replace that with candy ALL the time, then after a short while I get sick.

  2. FIRST! :)

    In my career, I've encountered a lot of security consultants bitching about "research" time. They blame the thing that puts food on the table as the reason they are not doing killer research. They see the billable work as the blocker that prevents them from being a speaker. In nearly every case, it's simple motivation and lack of follow-through that is the blocker. Another consideration is that having more research time doesn't transform a non-creative into a creative.

    Some people just can't 'produce' no matter how much research time they have. Research isn't all fun and games.

    I'd say to any security professional who feels like their job is preventing them from doing killer research, quit. Pack your bags, move to the Mid-Atlantic and find a pure research job that is grant based. If it's grant based you can research until the cows come home. If you find that a pure paid research job is not as glamorous as it seemed (meaning a year or two goes by and you still haven't put in a single speaking submission) quit. Go back to your billable work and be happy.


  3. A balanced approach might be more practical. So you have goal-oriented research with full investment and formal structure. And you let people who have spontaneous ideas work on them for a short period of time, then evaluate to see if they should be in the formal category or stay as a side project. And you balance out your research for both types of projects.

    Individuals research to advance their career; companies research to create new services/products for new revenue. Without real investment from both sides (company and individual), you just have to choose one, as tehhig said. Good Luck! :)