The Age of Security Specialization is Near!

By Mike Rothman

First day back in the saddle after vacation is always interesting. I must have had a million ideas while lounging on the beach. I remember maybe 3, and probably won’t have time to do much of anything for a while – first I need to dig out of a week of inflow. But one thing I did want to revisit quickly is defining what security folks are, and more importantly what we need to move forward.

I hit on this years ago when I published the Pragmatic CSO and sent out a little series called “5 tips to be a better CSO.” The first is this:

Tip #1: You are a business person, not a security person

When I first meet a CSO, one of the first things I ask is whether they consider themselves a “security professional” or a “finance/healthcare/whatever other vertical” professional. 8 out of 10 times they respond “security professional” without even thinking. I will say that it’s closer to 10 out of 10 with folks that work in larger enterprises. These folks are so specialized they figure a firewall is a firewall is a firewall and they could do it for any company. They are wrong.

One of the things preached in the Pragmatic CSO is that security is not about firewalls or any technology for that matter. It’s about protecting the systems (and therefore the information assets) of the business and you can bet there is a difference between how you protect corporate assets in finance and consumer products. In fact there are lots of differences between doing security in most major industries. There are different businesses, they have different problems, they tolerate different levels of pain, and they require different funding models.

Pragmatic CSOs view themselves as business people first, security people second. To put it another way, a healthcare CSO said it best to me. When I asked him the question, his response was “I’m a healthcare IT professional that happens to do security.” That was exactly right. He spent years understanding the nuances of protecting private information and how HIPAA applies to what he does. He understood how claims information is sent electronically between providers and payers. He got the BUSINESS and then was able to build a security strategy to protect the systems that are important to the business.

This concept came back to me when I was reading Dave Shackleford’s post, “I’m not a coder” may not fly forever. His point is that a lot of our security problems are application-centric and we need to develop a bit of code fu to be effective moving forward. Can’t argue that fact, but does that mean we can take our eye off the network? The servers? The data? Probably not.

Many of us identify as security folks, but in reality that is a limiting and self-destructive perception. I think we are entering an age of security specialization, at least within the large enterprise. Generalists will get lost in the complexity of enterprise problems. I believe the senior security folks still have to be focused on the business issues, and be considered a senior management peer to be effective. That’s what I describe above – the idea of being a business specialist. But not everyone needs to (or can) play at that level.

The technical practitioner will have to make a choice. I don’t see a way around that. As Dave points out, someone needs to understand applications at the code level. Shrdlu has pointed out on numerous occasions that one of the best hunting grounds for security folks is the ranks of system and network admins, because they understand how this stuff really works within the infrastructure. But those folks probably won’t be code ninjas, not unless they are savants or something like that.

Regardless of which discipline you choose, you’ll need to understand how things really work for plenty of reasons. First, security isn’t something that folks do out of the goodness of their hearts. So you have to appeal to these colleagues in their native languages. That’s business for business folks, code for developers, and network and server configs for admin types. You try to talk to these constituencies in a generic language and they’ll shut down, write you off, and in the best case ignore what you are saying. More likely they’ll go around whatever you try to do and make it pretty much impossible for you to succeed.

Second, you need to really understand when someone is yanking your chain. You need to be able to call folks out when they go around you. You must build credibility with the folks you are trying to influence. The only way to do that is to show them you aren’t a lightweight in the area they care about. Unless you are, in which case you have different issues.

Obviously if you work for a smaller entity, specialization is not an option. You just don’t have the bench strength. So you need to fight complexity, because you ultimately need to be a mile wide, which means you’ll be an inch deep. Again – unless you are a savant. But large enterprise security folks will be specialists, methinks. Agree? Disagree? Am I two years behind the common wisdom (for a change)?


The security generalist is going the way of the IT generalist. They are just less and less relevant. What fascinates me is the specialties that are being merged into other specialties. Firewall and IPS are converging. Vuln management and GRC. Which of the security specialties will survive the game of musical chairs?

Also part of the equation is the degree of emotional investment some IT SEC generalists have in obsolete methods and technologies. You can never (IMO) outsource security completely. But security operations?

The article raises lots of good questions.

By Mike Winkler

Hi Mike,

You are not out in left field.  That is something that I have believed for the last couple of years.

IT Security is not just IT Security today.  It is:
  - Forensics,
  - Firewalls,
  - Gateways,
  - Web Application,
  - COTS Application,
  - Vulnerabilities,
  - Traffic analysis,
  - Trending,
  - ...

and so much more.

Having worked in the field for a small number of years, I can see that, as time goes by, I am more and more limited.  I have always figured that to be able to do great security, you have to know everything.

Today, I believe that specialization is critical to better do the job but, at the top of that group, you have to have someone who has a generic background to lead the group in the right direction.

Your specialists must come from a varied background: developers, networking, infrastructure, mainframe, ... so that each can address the right target in the same language.

Today, I am in a position where I can build a team like that.  I have worked as a generalist but, now it is time to move up and let the specialists take over the technical role…

Take care and thanks for the great article.


By Philippe P.
