The General Security Practitioner

“Oh, I’ll take a vet over an M.D. any day. They gotta be able to cure a lizard, a chicken, a pig, a frog — all on the same day.” – Kramer (Seinfeld, ep. 144, Dec. 1996)

Kramer’s got a point. Maybe not one that convinces people that a veterinarian is the best option when sick, but that a broad set of skills can be extremely useful. It seems that more and more we look to the specialist for help, especially in the medical field. The general practitioner, on the other hand, or “jack of all trades” has fallen into the shadows.

This paradigm may be due, in part, to the longer version of the phrase: “Jack of all trades, master of none.” This saying often carries a negative connotation that usually describes someone who has acquired skills across many disciplines, but none to an expert or sufficient level. So, we strive to be, or to seek out, the specialist, …the expert, …the master. The generalist just isn’t suitable.

The field of cybersecurity is no exception to this concept. Organizations reach out to the specialist for security system A or the expert for security framework B. We need these masters and they serve an invaluable purpose. However, we also need the generalist, the cybersecurity practitioner who has the broad set of skills to solve a diverse set of problems — all on the same day.

Going Farther with Less

Let’s consider going backpacking. Backpacking has a similar mission as many cybersecurity organizations: Go farther with less. Every item you carry needs to be carefully selected to maximize usefulness and minimize weight and space. With this in mind, what do you choose to carry? You may need a saw. You may need scissors. You will need a knife. Since taking an entire toolbox is not an option, you may carry a more flexible tool like a Swiss Army Knife® or a multi-tool.

Multi-tools are an excellent choice, and with good reason, providing a broad range of utility, expertly engineered in a compact format.

This should also describe the general security practitioner. Like the veterinarian and multi-tool, a generalist provides the flexibility needed to carry the mission towards success.

Know Enough to Be Useful

There is an important balance that must come with a generalist as well. A broad set of skills packaged in a single practitioner is valuable (like the multi-tool), but each skill must be developed to the point of being useful. Often, we joke about knowing “enough to be dangerous” in a particular area or with a certain technology. While this is a humorous caution to those around us, our usefulness is lost if the sentiment is true.

There seems to be a continuum in skill acquisition that stretches from “dangerous” and “familiarity” to “competency” and ultimately “mastery.” If utility is lost at one end and the specialist is developed at the other, a generalist is developed in the middle. Their skills should range from familiarity, where topics can be discussed at length and concepts understood properly, to competency, where the skill can be executed proficiently.

This mix of skills may vary drastically among general cybersecurity practitioners. However, rather than knowing just enough to be dangerous, the generalist should know enough to be useful.

Superpowers

In an October 2015 TED Talk, Emilie Wapnick highlighted the multi-potentialite. This is the person with multiple skill potentials and interests, arguably similar to the generalist described here. The generalist who proves themselves to be indispensable has packaged multiple, useful skills into a single engineer. Wapnick described three “superpowers” that often accompany this person: idea synthesis, rapid learning, and adaptability. In cybersecurity, these abilities are imperative for the general practitioner and qualities that set them apart.

While these three superpowers are not necessarily foreign to the specialist, the combination of these traits allows the cybersecurity generalist to showcase their value. The generalist can learn quickly and bring each skillset together in new ways to solve unique challenges. As the multi-tool helps with unexpected needs on the trail, the general security practitioner is ready to adapt when needed.
sdf

The Benefits of Hiring a Generalist

  1. Versatility: “We need a cybersecurity engineer, a compliance assessor, and someone who can script Python, but can only afford 1 full time employee. Who do you know?”

    Personnel needs like this are difficult to fill and finding the perfect candidate can become a challenging, almost futile, endeavor. This is where the Generalist fits well. A general cybersecurity practitioner may only have two of the three major skills desired but may also have four or five others that bring additional value to the organization. Their idea synthesis, rapid learning, and adaptability can help fill the missing elements quickly. This versatility allows the immediate requirements to be met, while preparing for future needs.

    Versatility is also important because issues will arise, and plans will change. This is why you pack multifunctional items when backpacking. As a general cybersecurity practitioner, today you may be working on a planned project, and next week be in the middle of an incident that spans multiple departments and disciplines. Having a broad skill base and background can pay dividends to ensure both are addressed.

  2. Interpretation: “Team A and Dept. B don’t understand one another’s systems. Can anyone help bridge this gap?”

    Implementation projects can sometimes feel like foreign travel, in that everyone is trying to interact but having trouble communicating. This can occur when only specialists are present and no “translator” is available. Each specialist knows their own discipline, but not necessarily that of the others. Who better to bridge these gaps and help reduce frustration than the generalist?

    Project teams can benefit from adding a generalist to help bridge these silos internally as well. A general security practitioner pairs well with a specialist teammate: The specialist brings the depth of knowledge in their area, and the generalist bridges the gaps and helps synthesize information and integrate different areas. Like backpacking with a multi-tool and a fixed-blade camp knife, sometimes you need multiple options and other times you just need a really good knife.

  3. Perspective: “I don’t think you understand the impact of the cybersecurity requirements you’re asking for. Have you ever tried to implement this?”

    Experience across different disciplines provides invaluable perspective for security practitioners. They’ve spent the late nights and weekends updating and patching systems. They’ve spent countless hours debugging code. They’ve seen the “hotfix” that makes the issue worse than before. After all of this exposure in different IT disciplines, the conversation changes when the security team goes to the business or IT teams with requirements.

    Often the perspective of the generalist can help long before these types of comments arise. The general security practitioner understands the “big ask” from security will be difficult for the business to deliver. They are more empathetic when delivering security requirements because they’ve been there. As Dr. Covey said, they “seek first to understand, then to be understood.” This can help projects and security initiatives run more smoothly and foster buy-in rather than resistance from other departments.

The role of the specialist is apparent when an expert is needed to solve a specific problem. However, like the veterinarian and the multi-tool, there is also great value in the general security practitioner who can offer their broad set of skills to solve diverse problems — all on the same day.

“A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, and die gallantly. Specialization is for insects.”

Robert Heinlein, Time Enough for Love, 1973

What NorthState Technology Solutions Offers

NorthState Technology Solutions provides best-in-class specialists and general security practitioners with a broad range of skills developed at an enterprise scale.

To speak directly with one of our cybersecurity professionals, please contact us at technologysolutions@nscom.com.

Speak with a Cybersecurity Expert

Endnotes:

  1. The phrase “Jack of all trades” has origins that reach back to 1592 when Robert Green, an established English author and playwright, accused a contemporary, often thought to be William Shakespeare, of being a “Johnny do-it-all” (lit. Johannes factotum).
    http://www.theatrehistory.com/british/shakespeare024.html
  2. For a more scholarly perspective on skill acquisition levels see “A Five-Stage Model of the Mental Activities Involved in Directed Skill Acquisition” by Stuart & Hubert Dreyfus (February 1980).
    http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA084551&Location=U2&doc=GetTRDoc.pdf
  3. Emilie Wapnick presented a talk at TEDxBend titled “Why some of us don’t have one true calling” (October 2015). She used the term “multipotentialite” to describe having many interests, jobs, and potentials and described the value they can bring to specialists. She also highlighted the benefit of pairing the multipotentialite with the specialist. https://www.ted.com/talks/emilie_wapnick_why_some_of_us_don_t_have_one_true_calling
  4. Dr. Stephen Covey’s book “The 7 Habits of Highly Effective People” he presents the 5th habit as “Seek First to Understand, Then to be Understood.”
    https://www.franklincovey.com/the-7-habits/habit-5.html
  5. Robert Heinlein’s fictional character Lazarus Long in “Time Enough for Love” (1973) described a list of diverse skills that anyone should possess.