This topic was also presented here
Security research teams are important partners of any security organization; they are usually engaged through an external company or built as an internal group. Such teams are needed to secure your products, your network, and your business resources.
Managing and measuring an intangible such as "security research" is a difficult problem: the work revolves around discovering and fixing issues before they reach the field and cause actual harm. Defining or measuring KPIs for such teams is problematic, since research has no firm boundaries or guarantees.
Access to such talent is crucial in today's world, and many companies are looking to hire and grow internal teams. Hiring security research talent, retaining it, and helping it deliver a high business ROI is very difficult.
Over my career, I have helped build and grow security research teams in large corporations and in start-up environments, and I will share some of my experience and advice on managing such teams.
In this talk, I will cover the basic lay of the land, some KPIs that can be used to measure success, and advice on how to retain and guide such teams.