Frankly Speaking - The end of the security specialist
The rise of the generalist security engineer
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Happy Chinese New Year (for those who celebrate)! I was recently on the Absolute AppSec podcast where I talked about organizational security and discussed the potential security implications of AI/ML. If you get a chance, check it out!
LET’S BE FRANK
I’ve been writing a lot about the rise of security engineering and the need for more software engineers in security. The reason for this is that there’s a lot to unpack. A recent topic that has come up is the idea of specialists. Traditionally, security has hired specialized analysts, sometimes to an extreme. For example, there are analysts that specialize in specific tools, like Splunk and Zscaler. There are other analysts that specialize in specific functions, like SOC, pentests, bug bounty, etc. It’s pretty obvious that this is extremely restricting and inefficient. It is also bad for the security industry as it discourages innovation. Specifically, bad legacy products are kept afloat because it’s easier to find analysts for them given how long they have been around. Also, a security leader isn’t incentivized to try new tools because it’s hard to find the right people to configure and maintain those tools. However, this way of operating has to change and is changing. It’s becoming too inefficient and, more importantly, it makes it more difficult to stay ahead of attackers.
Organizational change in security
To start, with the trend of more security engineers, organizational change is almost certain and a necessity. The reason for this is that security engineering should be viewed as a profit and business center rather than a cost center.