Hiring guide: Key skills for cybersecurity researchers

In this Help Net Security interview, Rachel Barouch, an Organizational Coach for VCs and startups and a former VP HR in both a VC and a Cybersecurity startup, discusses the dynamics of cybersecurity researchers and team-building strategies. She highlights that these researchers, often brilliant and introverted, come with distinctive working styles, making it challenging to foster collaboration.

However, with the right approach to assessing, managing, retaining and developing them, organizations can unlock their potential and drive high-performance teams, ultimately boosting the startup’s market value, especially in the context of mergers and acquisitions (M&As).

What should organizations focus on when preparing to interview cybersecurity researchers?

Pre-interview preparation is essential for evaluating potential candidates. Organizations should thoroughly review candidates’ technical contributions, including their publications, vulnerability disclosures, and open-source work. Conference presentations provide insight into their ability to communicate complex ideas.

Their participation in competitions like Capture The Flag events and platforms such as TryHackMe and HackTheBox can demonstrate practical skills. Understanding that many researchers perform their best work during non-traditional hours, sometimes flourishing at 2 AM, can help organizations adapt their expectations accordingly.

What technical competencies are most critical when hiring security researchers?

The foundation of a strong security researcher lies in their drive to understand and master new domains. They should possess strong offensive security capabilities, enabling them to think like attackers while maintaining ethical standards. Programming expertise, particularly in languages like Python, C/C++, and assembly, combined with deep knowledge of operating system internals, is crucial. Cloud security understanding has become increasingly important as major breaches often occur in cloud environments. While certifications like OSCP, GXPN, and CISSP can validate expertise, the key is their practical application of this knowledge.

How do personality traits and soft skills factor into security research roles?

Successful security researchers possess strong analytical thinking abilities and demonstrate persistent curiosity about how systems work. Their ethical judgment must be impeccable, as they’ll often encounter situations requiring careful consideration of consequences. Creative thinking allows them to approach problems from unexpected angles. While they may prefer independent work, they need to collaborate effectively with various teams and stakeholders.

What approaches work best for retention and professional development?

Creating an environment where researchers can thrive involves establishing dedicated research spaces where they can explore and experiment. Supporting their participation in security conferences helps them stay connected with the broader security community. Rotation programs provide fresh challenges and learning opportunities. Bug bounty programs can offer both motivation and recognition. Developing their presentation and communication skills helps advance both their careers and the organization’s security mission.

How should organizations prepare for emerging security research needs?

The security landscape continues to evolve rapidly. Organizations need researchers who can tackle challenges in artificial intelligence and machine learning security, understand the complexities of IoT devices, and prepare for quantum computing’s impact on cryptography. Cross-disciplinary collaboration is becoming increasingly important, sometimes requiring expertise from fields like physics to address emerging security challenges.

What’s the essence of successfully managing security researchers?

Managing security researchers requires understanding that each individual brings unique strengths and working styles. The key is creating an environment that embraces both technical excellence and individual characteristics while maintaining clear objectives. Success comes from recognizing each researcher’s distinct approach while fostering a collaborative atmosphere that encourages open feedback and innovation.

Creating and sustaining a high-performing cybersecurity research team is no easy task, especially when dealing with brilliant minds who tend to work independently. Bringing these individuals together to form a cohesive, productive unit requires exceptional leadership and almost feels like magic. However, once achieved, the value of such teams extends beyond day-to-day operations. In M&As, the strength of research teams can significantly elevate a company’s valuation. This is largely driven by their intellectual property and innovations, which provide a competitive edge.

Additionally, acquiring top talent through an “acqui-hire” can enhance the company’s expertise. Moreover, strong research teams help position startups as industry leaders and signal future growth potential. By focusing on cutting-edge areas like AI-driven security, these teams align with key industry trends, further boosting a startup’s attractiveness to potential acquirers.