How do you build a career as a security researcher?

Security research is a varied field – with no two researchers working in exactly the same way. This makes it challenging for aspiring researchers to start building their careers; so we asked Owais Shaikh (Security Researcher at RedHunt Labs) to help demystify this space and tell us about his work. 

Discover why research offers exciting opportunities for endlessly curious humans – and how to focus your mind so you can build your career. 

What does a typical working day in your life as a cybersecurity researcher look like?

“‘Cybersecurity research’ is a complex field, and no two cybersecurity researchers are alike. At work, I write tools to detect web vulnerabilities, user data leaks, broken authflows, secrets, concurrently scrape data and much more. 

“I also have a developer background, so not only do I write these tools in languages like Go and Python, I also deploy them to Elasticsearch via logstash pipelines, manage and scale infrastructure at the company I work at and so on.”

If you were mentoring someone who wanted to work as a researcher in this space, what are three things they could do (or learn) to set themselves up for success? 

“Three things that I have learned, not just as a researcher, but in life, are…

1. Be eager to be offended: It teaches you about a hundred other ways to do things aside from the one way you’ve already thought of. Diversity of thought and fearless experimentation is the key to innovation, or men would never land on the moon. To quote Steve Jobs: “The people who are crazy enough to think they can change the world are the ones who do.”
   
2. Absorb all kinds of knowledge from anywhere you can: Just like a sponge absorbs water. That boring tutorial you followed to install a custom ROM on your Android phone? One day, it might help you understand device encryption, data loss and brute forcing (not me admitting I accidentally formatted my phone doing this once…!).
   
3. See what nobody is paying attention to: We often have this insecurity that everything is already being solved by smarter people and that we have nothing to offer. But if you’re zealous enough and read tons of research papers, clone tons of tools from GitHub and play with computers, you’ll eventually find loopholes everywhere and learn how to either exploit them or fix them.”

“And some honourable mentions: learn to Google like a pro, read research papers, use ChatGPT and similar tools and such. Building a knowledge base, then peer-reviewing with other researchers, developers and engineers by listening to their opinions on things is an excellent way to stay up-to-date with an occasional reality check.”

Do you think learning by doing is more important than cybersecurity courses and certifications, or vice versa? Or are they equally useful...in different ways? 

“The former, of course. Keep in mind that the people who wrote those courses and certifications had to gain this knowledge first, and they lacked the courses and certifications themselves to do that. Doing things the hard way is basically like a tailored course that you give yourself, as opposed to a mass broadcast of abridged information. A course is more of a cheat sheet one can use to gain insight into a field, in my opinion. 

“No course is ever truly comprehensive. The world is fast-moving. Everything gets outdated within a few years. I learned BASIC when I was 10, but fast forward to today I’m using Golang, Kotlin, Python and tons of new languages, tools and frameworks that didn’t even exist a few years ago. 

“Just be eager to try new things and you’ll be fine. As for certifications, they are kinda just like licences. Not having a driver’s licence doesn’t equate to not knowing how to drive. I don’t have any certification of any kind and that’s okay. I just like solving problems by attacking them outside in and inside out and that’s how I attempt to generate value.”

What's most exciting to you about your job? 

“There’s always something new I come across. As a researcher, you get so absorbed into finding things that there’s always this rush you get when you acquire new information that isn’t otherwise widely known. Every day, you come across new terms and technologies to learn that will either excite you or scare you. 

“Sometimes, I find my own data in data leaks that I get my hands on, which is really scary. Other times, I just use some app, find that it lacks a feature I want and bam! I now know what I’ll be doing for the rest of the day. 

“Achieving this annoying researcher mindset is the best thing that has happened to me in the past decade.”

And finally, what was the best experience you had at Black Hat MEA 2023? 

“My favourite thing about Black Hat was all the cool people I met. I met people from tons of backgrounds and loved interacting with them. I love learning languages (as in spoken, not programming ones) and attempting to speak to people in their languages (broken French, Spanish, Bengali, Arabic etc.) and seeing their reaction was hilarious. 

“On that note, I especially loved that I met a lot of young Arab college students and budding professionals who were so eager to learn about everything. I was a bit saddened that there was a language barrier when they spoke to people, which made me realise how they needed to spend years learning English just to break into this field. Fortunately I do speak some Arabic, so talking to them about their ideas and opinions – in Arabic – and seeing their faces light up with joy (probably due to that personal connection) is one of the best memories of my life.” 

Thanks to Owais Shaikh at RedHunt Labs. Want to be a part of the Black Hat MEA Experience? Register for the 2024 event.