On the State of InfoSec Research

cybersecurity, infosec, Research / Tuesday, September 11th, 2018

I’ve always known this to be the case, but recent events have reminded me:

Quality research is a critical, often labor-intensive function that provides quantifiable insight into an industry and ultimately drives action. Clearly presented facts and figures are useful not only in explaining the current state of an industry and its potential opportunities, but in analyzing strengths and assessing challenges. That is to say, research is the foundation of the informed decision-making process.

Cybersecurity (read InfoSec) is not exempt from this.

Research in security is highly distributed compared with other industries. In medicine, for instance, researchers are almost always associated with large medical institutions, and these inevitably become hubs of information around which research communities form.

Hackers are different.

They are pack animals, and yet they operate like lone wolves. As such, the research in this space is highly distributed: all over the world, ‘independent security researchers’ are taking a look beneath the hood of hardware and software products to see how these can be broken, manipulated, or otherwise exploited – generally with the intent to make them more secure and, in some cases, collecting a bug bounty in the process.

These discoveries are leveraged, either directly or indirectly, for coveted speaking gigs at conferences, which ultimately translate to some form of hacker street cred. But the real reward is satiating the innate curiosity that defines the hacker ethos. The hacker’s motivation is benign; the criminal’s is malicious. Knowing the difference will serve you well – if only because it means that Chris Roberts won’t tase you.

Aside from lone wolves operating in silos, where does research come from? In the course of our work, we rely heavily on research from organizations in each of the following categories:

  • Academic Institutions
    • No surprise here; research has long been a specialty of academia
  • Cybersecurity Companies
    • … with ad hoc research arms
    • sponsoring research via non-affiliated, established research firms
  • ‘Traditional’ research firms expanding into security research
  • Firms dedicated to cyber research
  • Military/Government Organizations

Where do you get your research?

Gotham Sharma is a cybersecurity advisor, educator, mentor, speaker, and trainer. He presently serves as the Managing Director of the Exeltek Consulting Group and has been nominated for the ‘Cybersecurity Educator of the Year’ award.