What Makes a Good Security Researcher?

We are growing, and the Cybereason team is looking for talented people on all fronts, be it for our development team, our UI team or even the security research team. A few days ago I had a conversation with Yoav, Cybereason's lead security researcher, about what makes a good security researcher and why good security researchers are hard to find.

A training course is not enough

In the past few years, the field of information security has grown tremendously. Information security became “cybersecurity”, and with the rise of sophisticated cyber attacks, every company wants to hire “cybersecurity experts”; being an “information security consultant” is not enough anymore. Because of this, a lot of training centers have started offering training courses on “cybersecurity” and are in fact misleading their students. In their book, being a “cybersecurity expert” is basically knowing how to configure Vendor X’s firewall or WAF appliance. This “cybersecurity boom” is flooding the market with people who call themselves cybersecurity experts or researchers when in fact, no offense of course, they are glorified system or network administrators.

Security research is not just a title - it is a state of mind!

You cannot take shortcuts. Hands-on experience is a must: security researchers, first and foremost, must be hackers. Most of us researchers are people who have been on the ‘dark side’; we love taking stuff apart, be it software or hardware, our new smartphone or the DSL modem given to us by our ISP. We love to break stuff, but more than anything, we love to build stuff that can break stuff, as security researcher Craig Heffner says.

Good researchers never give up

Throughout my career, I have had the chance to work with many researchers; some of them were the most brilliant people that I have ever met. Those were the people who loved their jobs and treated them with excitement and respect. The others were, sadly, mediocre at best. They were the ones who grew frustrated and gave up on finding new solutions to their problems. They were the ones who went to their bosses and told them “I’m sorry, what you ask of me is impossible” after a very short time.

Being a security researcher, in my book, is an ever-changing challenge. To me, a good researcher must love his job as much as he loves his hobbies. A good researcher will keep on reading and expanding his knowledge all of the time, even after working hours. Not because the job requires it, but because HE requires it for himself.

Comfort zones abandoned

Being a good security researcher means always doubting given situations and finding the most creative ways to “bend reality” to your will - “there is no spoon, Neo”, just like in The Matrix. Nothing is an axiom and everything is possible.

Back to my conversation with Yoav... Being a hardcore Linux guy who works for a company’s research team that currently develops a product for Windows, I couldn't help asking him if he judges a researcher according to his fluency in C or the Windows API, but Yoav revealed the contrary -

Being a good researcher is not necessarily how well you know C++ or the Windows API undocumented features. It is about moving out of your comfort zone and striving to know C++ better than English, or to learn the Windows API better every day.

Being a good security researcher means dealing with failures and frustrations on a daily basis and not giving in to them. It is all about turning these failures into winnings and breakthroughs while enjoying every minute of it. This is what I have done for a living for most of my adult life.

Are you up for it? Send us your CV! We're hiring security researchers as well as developers: jobs@cybereason.com or Cybereason Careers.

About the Author

Amit Serper

Amit Serper is Principal Security Researcher at Cybereason. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering on Windows, Linux and macOS.