by robcohen 1241 days ago
Could you give us a few examples of security research jobs?

It seems pretty obvious that you’d need to go into a PhD program in cybersecurity to work on groundbreaking research. Perhaps you mean industry or implementation specific research?


It's really not pretty obvious...says the non-degreed cybersecurity researcher at a major university in the US.

The majority of academia is further behind in cybersecurity than they think they are. Some bright spots are farther ahead than they get credit for. A huge amount of impactful research is being done in the private sector or by hobbyists. Whatever the source or the organizational affiliation of the researcher, the best ones have a solid connection to what's really going on out there in the field, rather than living in a safe little researcher bubble disconnected from the real world.

Most of the actually groundbreaking and useful research in security happens out of necessity in the industry as opposed to in academia, where they seem to rediscover things that are widely known in the hacker community a few years later.

I would argue that the industry may stumble upon a security-related issue first. But stumbling, and being aware of something, is not research.

Anecdotally, I vividly remember industry people showing up at academic conferences, bragging about how they knew everything about bit-flips already. They didn't. They just happened to know to be aware of the phenomenon, and smart enough to understand that it should have security implications of some kind. But that's not research.

A good amount of the industry has dedicated research departments these days. At least, the better consultancies have.

As for the bitflips example, are you talking about Rowhammer? That and the CPU side channel issues are the kind of area academia really tends to do great work on.

Where I find academia incredibly disappointing is in areas like covert channels - there's a fucking paper mill in Israel that keeps shitting out implausible "covert channel" research.

Also stuff like memory corruption techniques - academia seems to spend a lot of its time reinventing shit that has been done to death in industry or even has papers in Phrack.

We have 2 senior openings right now, and both feel representative in not requiring a PhD. We're pretty cutting edge here (end-to-end GPU acceleration, graph neural networks, win R&D competitions, ...), and our team is split pretty evenly on PhD vs not, so I likewise feel pretty comfortable writing this:

* Security AI: ugrad-level math ability (linear algebra, prob, stats, info theory, ...) is required, as well as experience with deep learning and operational AI problems. PhD more strongly suggests you can communicate & plan, such as for giving talks, pitching crazy projects, and writing DARPA grants... but not necessarily, nor required.

* Security engineer: We care more that someone has worked with big operational security systems, getting things like large & gnarly Splunk deploys and how tools like Spark, AI, Python, notebooks, and viz can seriously augment them. You don't learn that at school.