I am a security generalist. That’s not something I’ve heard many people describe themselves in the industry. In fact when I got into the industry I was told to specialize. That sort of happened with application security but I continued to get drawn back into more generalized roles. I have a diverse background in the field. I was IT focused for 10 years five with the Navy and five with the State of South Carolina. Then I shifted into security and was one of three people wearing multiple hats. I did eventually get an appsec focused role but then the development team was cut and I now had appsec as well as security engineering and pentesting. Which I was fine with. The company was great and the opportunity was interesting. Plus, I actually wanted to get into management.

I certainly think you can specialize but I think it’s okay to be a generalist too. In fact some people just have that mindset. They enjoy learning a bunch of different things instead of diving into on particularly subject. This website and the podcast are a testament to that. I can certainly specialize. I did it well with application security but I can also shift into other field. I’m now in a incident response role. I’ve never been one to dig to deep. Once I get to a certain level of knowledge with a particular topic I start to get bored. I need a constant challenge.

The downside of course is that there is not generalist role in security unless you consider management. Which has it’s own skillset outside of technical ability. I’ve struggled to prove to people on paper that I can do the job with such a diverse background. This is why networking is so important within the field. My current role came about because I knew several people on the company and they knew me and had no qualms about my ability to contribute to the company.

After 20 years of being in IT and security I’ve seen a lot of roles start to specialize. When I came up we wore many different hats across multiple fields. So, it may become harder to be a generalist. The issue I have with that is if someone goes down a path and then discovers it’s not for them. I do not want to be in a security operations center looking at logs all day. I did the job fine but four months in I was ready to be out because I felt like I was chained to my desk. Some people are fine with that. I’m just not one of them.

I encourage everyone just getting into the field to be okay with not knowing and to explore options. If something clicks then stay if not move onto something else and try that. If you do that (or have done that) enough times and nothing really sticks or you keep getting drawn back to other fields then maybe you’re a security generalist. That’s okay because we need security generalists too.

This blog post first appear on Exploring Information Security