Recently I finished reading the book Range: Why Generalists Triumph in a Specialized World by David Epstein, which I find not only interesting but very relevant to Cybersecurity.
Our world is becoming increasingly specialized, and it’s easy to believe that the key to success is to focus on one thing and become an expert. This is especially true in Cybersecurity where over the years I had many people who asked me “What should I specialize at?”, and even if they know what they want some times they feel that they are too late because they didn’t start when they were younger. But what if the future belongs not to the specialists, but to the generalists? That’s the argument David Epstein made in his book.
In the book, he set out to explore how to leverage diverse experience, and interdisciplinary exploration, within systems that increasingly demand hyper-specialization. Epstein argues that in a world that is constantly and rapidly changing, and becoming more complex, the ability to think broadly and creatively is more important than ever.
Kind vs. wicked environment
Epstein describes two types of learning environments: kind environment and wicked. Kind environment has clear rules, clear goals, and clear feedback. In this environment, the work this year looks exactly like the work last year and it can be easily automated. Wicked environments, on the other hand, are messy and constantly changing. There are no clear goals, rules may change, and you may or may not get feedback, it may be delayed or it may even be inaccurate, the work in a wicked environment this year may not look like the work last year. The world we increasingly living in is a wicked one.
Specialists, with their deep knowledge and experience, are better at solving Kind problems, where Generalists, with their wider range of knowledge and experience, are better at solving wicked problems. The trap we fall into is that we often expect the hyper-specialist, because of their expertise in a narrow area, to magically be able to extend their skill to wicked problems and in those cases the results can be disastrous.
The wicked cybersecurity environment
There is no question, Cybersecurity is a wicked environment! I explored that concept in a previous post “Which security game are you playing?“. We don’t always have crystal clear goals and even if we do they tend to change, rules change all the time whether new regulations or new type of attacks, and when we do something we don’t always get feedback so those new tools or processes we invested so much to implement we may never know how effective they are, and lastly our work never looks the same from one year to the next.
So what do we need, specialized security experts or generalized practitioners?
The answer is both! and it depends great deal on the role. In areas of security engineering where technical mastery is critical, or in areas of compliance hyper-specialization is a well-meaning drive for efficiency. However in areas of threat intelligence or incident response we need people who start broad and embrace diverse experiences and perspectives while they progress. People with range!
In today’s world, it’s becoming more important than ever to be able to think broadly and see the connections between different disciplines, and this is especially important for CISOs!
The need for a generalist CISO
Today’s businesses are intricate ecosystems, supply chains stretch across continents, data flows like a firehose, and algorithms dictate everything from what we see on our newsfeed to the price of goods and services. Artificial intelligence is going rogue, writing code, creating presentations and videos, transcribing meetings and even assigning action items.
As if that wasn’t enough, throw in the ever-evolving regulations, the constant churn of innovation, and the pressure to keep up with the ever-demanding share holders. Throw into that mix dozens of well organized, incredibly well-funded, roving gangs of cybercriminals and nation-state actors attacking everything connected to the internet 24/7, and it is no wonder that being a CISO feels like juggling chainsaws while riding a unicycle on a tightrope suspended over a pit of hungry lions.
In this wicked environment, CISOs cannot be limited by the narrow constraints of a single discipline. The future belongs to those who can think broadly and creatively, and are not afraid to step outside their comfort zone and explore new things. Even in a world that increasingly incentivizes, even demands, hyper-specialization, we need generalist CISOs that are better at solving wicked problems.
What makes a generalist CISO
In the book, Epstein cites the example of Benjamin Franklin, who was a scientist, inventor, writer, and diplomat. Franklin’s deep learning allowed him to make significant contributions in a wide range of fields. He also emphasizes the importance of interdisciplinary thinking and argues that generalists are better able to break down the silos between different disciplines and come up with new and innovative ideas. For example, he cites the example of Steve Jobs, who combined his knowledge of technology with his understanding of design to create Apple products that were both functional and beautiful.
Similarly, the ability to learn and understand complex concepts, and break down the silos between various functions and disciplines within the business, are essential for a generalist CISO.
Generalist CISOs need to have a broad understanding of the business, regulatory and legal matters, cyber threats, technology, risk, strategy, and more. They also need to master other skills as they build relationships and trust, communicate, negotiate, evangelize, influence, mediate, mentor and coach.
Above all, they need to be able to adopt to the ever evolving business, technology, regulatory and threat environments. This is the challenge of the role, but it also what makes it interesting and fun for those who thrive on the constant change and the need to always learn and evolve.
The experience from my journey
I had a lot of different experiences throughout my professional career and I never really stayed in one industry. I enlisted in the military and later became an officer, I was responsible for complex signal intelligence systems and worked both on hardware and software. After the military, I started my own company where I was teaching people how to use computers and later evolved to developing tailor made software for organizations in different industries. I developed software systems for retail, manufacturing, tourism, shipping and transportation, legal and marketing.
After a few years, I decided to close my business and join the corporate world. As an information technology and security practitioner I worked in Telecom, Automotive, Internet and eCommerce, Financial Services, Healthcare and Technology Solutions. I worked for startups and I worked for fortune 500 organization. My journey took me around the globe and I got to partner and work with people in Asia, Europe, North America and the Caribbean. I worked as a software engineer, technology architect, sales engineer, account manager, project manager, product manager, security architect, application security manager, cloud security architect, security defense strategist and more.
There were times where I envied more specialized colleagues, but then I realized that my ability to look broadly, connect the dots, break silos and partner across cultures brings me a greater fulfillment than being an expert in a very specific domain. and as a CISO I find myself leveraging these experiences daily!
Conclusion
There is no one size fits all here, especially in cybersecurity we need specialists who can dive deep into the complex problems we face, and generalists who takes a broad view and can find the patterns and the route to exit the maze.
What do you think? Are you a generalist or a specialist? And how do you think the rise of the generalist will impact the future of security? I hope this blog has given you some food for thought as you ponder your career path and if you’re interested in learning more about the benefits of being a generalist, I highly recommend reading David Epstein’s book “Range.”
