“Patty: I’ll be the good guy. Shermy: I’ll be the bad guy. Patty: What are you going to be, Charlie Brown? Charlie Brown: I’ll be sort of in-between; I’ll be a hypocrite!” - Charles M. Schulz
This post is the first in a series designed to examine the value of generalists in cyber security. This first one looks at how we can get our hands on more generalists and why we should. Future posts will be targeted at people looking to transition as well as constructing teams and other topics. Check back each Thursday for the next part
Specialisation is important… or is it? It’s a question I have frequently asked myself as a self admitted generalist. What should my speciality be? Do I need a specialisation? Is it too late for me to pick one? The further I got into my career the more frantic this question got and the less obvious the answers got, the greater the pressure I felt to make a decision, it became a burning issue.
Until it didn’t. As I moved from Sysadmin to DevOps/SRE, to Security, to DevSecOps I increasingly came to realise that the biggest differentiator for me was my lack of formal “specialisation”. My broad based approach allowed me to fit into and lead any team. I could speak the language and walk the walk of developers, security engineers and everything in between. Most importantly though, I never found myself in a position where I felt the need to block with the standard security ban hammer. I also built solutions just as comfortably as I guided and protected.
I got comfortable in the grey. I also believe that more people should. I’ve noticed a trend whereby we focus so much training content and pathways upon two core concepts: GRC and Pentesting. This leaves us with a dismal gap, we’ve got a whole lot of people that know how to translate vulnerabilities into business risk and a whole bunch of people that are great at finding vulnerabilities but a significant shortage of people that can practically fix them or better yet avoid them. This is where the precis of my argument lies: we need a whole lot more people that sit right in the middle, we need more generalists.
This isn’t an attack on specialists, we need them just as much my ideal team is a mix of both. It’s more an argument that generalists create the possibility to address a few core issues within our industry
Hiring differently to fix the gap problem
Finding vulnerabilities isn’t easier, but its a hell of a lot easier than eliminating a whole class of vulnerabilities. This requires a unique combination of knowledge. Eliminating classes could be as simple as changing a framework or library but it could also involve deep infrastructure changes or mental model shifts. Generalists are the best people to guide and construct this. They understand enough of a broad set of domains to be able to target the specialists towards the most effective and considered fix.
Generalists can readily transition from other parts of the tech industry
Layoffs are happening as we face a decades overdue realignment between financial expectations and reality and whilst its terrible and my heart goes out to those that are facing this; there is opportunity in adversity. Some incredibly talented software engineers, infrastructure engineers and more are looking for roles right now and it’s highly possible they would make exceptional security engineers. We should embrace and bring them in, get rid of these ridiculous 5 year experience role requirements, get rid of the must have experience in blah. Unless you’re looking for a principal that needs to be able to mentor people the most important thing we need is people that are keen in securing the world and interested in sharing their knowledge.
Diversity of thought greatly enhances our ability to identify new threats
Imagine having access to a never ending stream of people that are exposed to the pointy end of our software and infrastructure every single day. Now imagine that you could build a team out of those people! You get to have the people that you’re securing or write the software you’re securing working to secure it with you. The value of this is impossible to overstate. They might not have the language that we speak but they sure as hell know what they are talking about.
If you have any thoughts feel free to reach out to me on the various social channels.