NCC Group plc Annual Report 2021

Jennifer Fernick, SVP & Global Head of Research

Highlights include:

• We invested a record 3,400 days on technical security research, which resulted in a significant contribution of conference presentations, vulnerability advisories, blog posts, research papers and open-source tools being released
• We co-founded the Open Source Security Foundation⁵ – a group of industry experts working together to improve the security of the open-source ecosystem – forming the group’s governing board alongside representatives from GitHub, Google, IBM, JPMorgan Chase, Microsoft, OWASP Foundation and Red Hat, among others
• We served on the Industry Advisory Board at King’s College London, the Executive Steering Board for the Internet of Things Security Foundation (IoTSF), the UK’s National Cyber Security Centre (NCSC) Research Advisory Panel and the Technical Advisory Council of the Open Source Security Foundation, as well as contributing to standards groups like the CIS Benchmarks, the ioXt Alliance and the C Standards Committee
• We created a new internal research working group focusing specifically on finding creative and massively scalable solutions to remediate – and perhaps even prevent – security vulnerabilities at internet scale, as well as a group which focuses exclusively on the security implications of emerging technologies yet unstudied by any other security research firm
• It’s this technical excellence that makes NCC Group attractive to some of the world’s most talented security consultants. Attractive to those just starting out in their career, and to those who have already established a name for themselves in the infosec community, there is a research path for every single consultant who wants it here at NCC Group

Research at NCC Group typically falls under one or more of six core categories:

• Offensive – we perform deep technical vulnerability research to understand the complexities involved in attacking different technologies and systems and the true impact of any successes that attackers might derive with similar capabilities.
• Defensive – outputs from our offensive research inform our defensive research – this is where we research methods, tooling and solutions to mitigate the issues that we identify across technologies.
• Capability – we are constantly innovating and developing new technical testing capabilities and methodologies to keep pace with the rapid change in technology and threat landscapes. This ensures that when we assess client systems and networks, our techniques are at least as good as those of their adversaries.
• Future looking/horizon scanning – we routinely research emerging technologies to understand the potential security impact of those technologies on the sectors in which our customers operate.
• Customer-driven commercial research – we regularly perform paid research for customers, helping them to answer any uncertainties they might have on technology risk, such as understanding security capabilities of specific technologies or emerging technological security impact on an industry or sector.
• Collaborative – we are open to research collaborations and regularly work with academia through joint research and PhD sponsorships. We also contribute many of our research outputs to various international security standards bodies and we are open to B2B and consortia-based research collaborations.

1 https://research.nccgroup.com/2020/08/21/immortalising-20-years-of-epic-research/
2 https://github.com/nccgroup
3 https://research.nccgroup.com/2021/01/31/2020-annual-research-report/ #PublicInterestTechnology
4 https://research.nccgroup.com/category/public-report/
5 https://newsroom.nccgroup.com/news/ncc-group-joins-forces-with-industry-leaders-to-improve-security-of-open-source-software-oss-408150

https://research.nccgroup.com @NCCGroupInfoSec

NCC Group plc — Annual report and accounts for the year ended 31 May 2021
