Recruiting cyber security professionals is not going to get any easier. There are simply not enough candidates to fill all of the open roles. As a result, hiring managers may want to consider “out-of-the-box” thinking to develop a staffing strategy to identify and fill open requisitions. Expanding your search criteria to include not just candidates with specialized technical skill sets, but also candidates with a more general background and proven record of success will broaden the potential pool of candidates, and result in a more diverse and effective cybersecurity team. And for those who are considering a career in cybersecurity, don’t be discouraged if you don’t have a technical specialization, you may find that your diverse background and experience provides the perfect missing puzzle piece to a great cybersecurity team!
Specialists are essential to cybersecurity and, indeed, they’ll continue to be just as essential in the future. Yet generalists have played a crucial role in the development of the industry. Although overlooked in many organizations, I believe generalists are equally as important as specialists. To be clear, I’m using the term generalist to describe someone with a varied educational and professional background. On the contrary, a specialist is one who has education and career experience primarily in a single discipline or niche.
In 1971, Bob Thomas, an ARPANET developer, created the first computer worm. Nothing more than a joke at the time, the “Creeper” worm simply printed the message “I’m the creeper; catch me if you can.” In 1973, researcher Ray Tomlinson created “Reaper,” a program to find and destroy Creeper on ARPANET. This was the beginning of a timeline that saw the rise of the computer virus followed by antivirus software, the rise of computer crime followed by anti-computer crime legislation, and the continuing pattern of new threat followed by a new countermeasure. This played out through the 80’s, 90’s, 2000’s, and 2010’s. Sometimes we need to be reminded that security was not built into the original internet.
Computer security training was sporadic, if not nonexistent, in the early days of modern computing. In 1997, the FBI established the National Cyber-Forensics & Training Alliance (NCFTA), which would later become a model for law enforcement. The private sector, however, didn’t have any formal training or career paths. Those working in the field were generalists, relying on their other skills and experiences and applying them to the emerging industry. Often, security was just a collateral role associated with some other job, such as a network administrator or college professor. SANS, a leader in technical cybersecurity training and certification, and the go-to for many industry professionals, started to change that with its establishment in 1999. Additional certifications and degree programs followed.
As the industry matured, roles specifically designed for cybersecurity related disciplines began to appear. Today, it’s not uncommon to see a job description that requires 5, 10, or even 15 years of experience in any given (frequently highly specific) skill. Those already in these roles are often encouraged to continue training and honing those skills that they use on a daily basis through additional courses and certifications. The idea being that the more practiced a professional is, the faster they’ll solve problems, reduce errors, and limit the scope of incidents. Of course, there is some credence to that way of thinking. Those workers will be great at completing the tasks that fall in the spectrum of their skill set and experience. However, they also risk developing a tunnel vision perspective, getting stuck in a singular viewpoint and struggling to approach issues from alternative perspectives.
I spent a few years in the military and worked with a wide array of people. The bulk of my experience was on a premier incident response team that specialized in malware analysis, reverse engineering, and digital forensics. One thing I learned pretty quickly was that anyone could be asked to do anything at any given point in time. That included interfacing with and providing input in workstreams that we generally played no role in, explaining complex issues to officials far above our own ranks, or providing impromptu training while executing missions across the globe. Our team was mostly enlisted members each with less than 3 years of experience in this field, yet we consistently outperformed the resident “subject matter experts.” This was so apparent that our shop of roughly 10 qualified analysts (based on internal training and competency tests) developed a reputation across multiple organizations.
Our team was called in to augment teams developed specifically to solve these problems in the field, and in several cases we worked across the services. Being the military, we had a significant percentage of younger team members with little other work experience. On the other hand, we also had an unusually high number of individuals in their late 20s and early 30s with an interesting mix of backgrounds for a single military shop.
Me? A computer engineering degree and a few years of industrial electronics work with a focus on laser beam recorders. Another colleague had an acting degree and a few years experience in social work. Yet another came with a psychology degree and a few years in an elite special warfare unit. One of our most ambitious and creative teammates was a mechanic. Our civilian Department leader? Forensic anthropology degree, military intelligence, and improv comedy.
To be fair, with the exception of the last example, the rest of us went through a six month cybersecurity training program before getting assigned to the team. Needless to say, we were far from what would be considered ‘cybersecurity experts.’ Yet, somehow, we managed to go toe-to-toe with industry veterans in various roles and come out ahead. During my time with that team, our shop's successes were briefed to the Director of the NSA, the Joint Chiefs of the DoD, and senior officials of non-DoD executive agencies on more than one occasion.
Why was the team this successful? For starters, our leadership, whose background was as diverse as ours, would put full faith in our abilities to solve problems when others struggled, failed, or wouldn’t even try. Second, we didn’t approach things from the perspective of industry experts; we approached them from an outside-in viewpoint based on past experiences with generalized, transferable skills. We solved problems through conscious (and probably way more subconscious) cross-referencing and mapping of our past experiences to the current situation. We didn’t need to be the most technically proficient individuals because we saw each problem from a high level and tackled it through generalized problem solving skills, learning any specific technical knowledge that we needed on-the-fly.
At that time, we traveled and responded to incidents onsite. Endpoint Detection and Response (EDR) solutions existed but weren’t widespread yet. Due to more widespread adoption of effective endpoint solutions with remote evidence capturing capabilities, travel isn’t nearly as necessary. If the need for such capabilities wasn’t already becoming apparent, the pandemic surely forced the issue. Firewalls, AV engines, and default system security are starting to stop incidents before they start, and when they don’t, responders are able to address the issues from anywhere in the world with exponentially less effort. Every day there are new advances in the AI and automation that those tools are built on. This is made possible through the relentless research and practice of the specialists that currently drive the industry. Their investigations and documentation are feeding the underlying technology that's implemented into these types of products.
In the process of moving from the military to the private sector, I interacted with many organizations whose team building appeared to stem from input developed by technical experts and translated by non-technical recruiters. A generalist perspective didn't seem to fit into the resulting specialist based requirements. I briefly worked for the federal government, where I found the same practice held true. This was in stark contrast to my current role as a cybersecurity consultant. I can't speak for other professional service providers, but it is apparent that my organization takes a different approach.
For instance, I work everyday with an individual that has a Math degree, worked as lifeguard, worked in child protective services, and competed on his country's national curling team before entering the industry. He was denied roles at other company’s before finding a place with ours. This is not a unique case, as I’ve interacted with many co-workers who have a range of backgrounds providing a great mix of both specialists and generalists. This dual mindset approach, thus far, has proven invaluable.
As the tools become smarter, we’re entering an era that may not follow the new form of attack/new form of defense industry cycle. Nothing lasts forever, and whether it comes from a breakthrough in quantum computing, independent, generalized AI, or something we can’t yet imagine, we might end up in a situation where our specialists with their years of hyper-focused skill sets might have trouble adapting to a vastly different, rapidly changing, landscape.
This is where the generalists will shine. It’s their interdisciplinary experience that fosters a big picture mindset with the ability to rapidly adapt to new situations and take deep dives without losing perspective.
This may seem a bit fantastical, and I’m only presenting it from an incident response viewpoint, but the idea is applicable to any discipline in the industry (arguably, to any industry). I’m not trying to convince anyone not to specialize in their career. My only hope is that I’ve given you a different way of looking at things. Likewise, I hope the next time you're up for some training or trying to hire a new team member, maybe you’ll skip the same old stuff and go for something/someone that will give you and your team a little more range and, most importantly, an alternative perspective.