We need more security generalists
Cybersecurity has over-specialized into tool babysitting. AI and better design can bring the focus back to solving real problems.
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Recently, I’ve been talking a lot about how AI might affect cybersecurity, both the market and the people who work in it. I’ve been especially vocal about the broader inefficiencies in security and the way the industry continues to fixate on the wrong risks. But lately, another frustration has been on my mind: our over-reliance on specialization, and how cybersecurity is specializing in all the wrong ways.
To understand where we are now, it helps to rewind a bit. Security used to be a tight but overworked community. We were mostly generalists. People got into security because they liked solving problems, exploring systems, and finding creative ways to break (and fix) things. Very few of us were thinking about our “brand” or dreaming of being the next CISO-in-residence at a VC firm. We were curious, technically-minded, and hands-on.
Sadly, that world has changed. I admit that security was chronically underinvested for years. But now it feels like we’ve overcorrected. Companies are throwing money at security teams and products without a clear understanding of what problem they’re solving. Executives approve security budgets out of fear or FOMO. You can see a parallel with AI right now: lots of hype, lots of spending, very few successful deployments. In fact, most AI transformations at companies fail and are abandoned until companies figure out a better strategy.
In security, the effects are just as visible. Teams are bloated. Vendor lists are long. We’re overspending on tooling and compliance, but we’re not seeing meaningful reductions in breach frequency or response times. What’s more troubling is that we’re training people to specialize in the wrong things.
Let me be more specific. Despite the constant refrain about a “cybersecurity talent shortage,” we seem to have an abundance of specialists for the wrong jobs. There are too many people who are experts in using Snyk, but not enough who can actually dig into a monolith, trace business logic, and find the root cause of an injection risk. There are too many people who are fluent in configuring Palo Alto dashboards, but can’t reason about access control in a distributed system.
I wrote a while ago that it was the end of the security specialist. That headline might have been a little dramatic, but the core idea holds. The industry has created tool specialists because we’ve made our tools too complex. Instead of fixing the tools, we’ve just hired more people to manage them.
This is a self-inflicted problem. The proliferation of tools in the security stack has created a maintenance burden that generalists can’t manage. We split the work: one person owns Snyk, another owns Wiz, and another owns Zscaler. These tools were supposed to make our lives easier. Instead, they created new silos. We’ve done this under the guise of freeing up the generalist to solve more problems, which it probably has done. But it has also created bloat and inefficiency, and it has perpetuated the underlying problem: security tools are too complex, which makes it difficult for companies to achieve their security goal of mitigating risk effectively and efficiently.
It’s worth asking: why do we need a specialist to operate a scanner? Why does it take a full-time employee to tune a SaaS product? In most cases, the answer isn’t that the tool is doing something hard. It’s that the tool is unnecessarily complex, and our teams are too fragmented to integrate it smoothly.
Compare this to engineering. Software teams have plenty of generalists. Most engineers can work across the stack, not because they’re experts in everything, but because tools and abstractions are mature enough to let them move fast. At a startup, the same person might ship a backend feature, fix a CI bug, and tweak a Terraform config. They don’t need to be a Go or AWS specialist to contribute meaningfully.
I think security needs to follow a similar trajectory. We need more generalists. More people who can understand context, ask the right questions, and troubleshoot across layers. They don’t necessarily need to be experts in every tool, but competent enough to find answers and solve problems.
This is where AI becomes really interesting. I believe AI will allow generalists to get significantly more leverage. Instead of dedicating a headcount to manage a complex UI, you’ll be able to ask an agent to generate a query, tweak a policy, or summarize an alert. You won’t need to memorize every feature flag. You’ll just need to describe your intent.
The rise of tools like Cursor and Claude for software engineers is a signal of what’s to come. In security, I expect to see copilots for detection engineering, IAM reviews, policy validation, and much more. These won’t eliminate the need for specialists, but they’ll reduce the number of specialists required, and they’ll increase the impact of generalists.
Here’s the other dynamic that people don’t talk about: security teams often grow around tools because it creates perceived ownership. If you’re the “Wiz person” or the “Palo Alto person,” your role is protected. That kind of specialization becomes a moat, but it’s not a healthy one. It creates silos and discourages cross-training. It turns security into a series of micro-bureaucracies.
I’m not blaming individuals here — it’s a structural problem. Vendors build complex tools to differentiate themselves. Leaders buy those tools to check boxes. Then teams get hired to operate them. Eventually, you’re ten headcount deep and still struggling with the same alert fatigue.
What we need instead are leaner, smarter teams: people who are trained to think broadly, people who can reason about architecture, attack paths, and business priorities, and people who aren’t afraid to open the code and file a PR. To be clear, there will always be a place for specialists. Just like in engineering, there are times when you need a kernel engineer, or a compilers person, or someone who really understands Kubernetes internals. But these roles should be rare. They should be accelerators or unblockers. They shouldn’t be the default.
Another analogy: legal. Most companies have in-house counsel to handle basic contract work. But when something complex arises, e.g., an acquisition, a lawsuit, an IP filing, they bring in outside experts. Security could look the same. Keep a small, nimble team in-house and use firms or vendors for the deep work, letting AI handle the repetitive tasks.
This would also make security more accessible. If we reduce the reliance on tool-specific knowledge, we can onboard people faster. We can cross-train engineers who are curious about security, and we can stop building gated communities around product certifications.
More generalists also means more alignment with the business. Instead of having each specialist advocate for their own tool, you have people thinking about risk holistically. Instead of managing dashboards, they’re fixing broken processes.
So what happens to the tool specialists? I think many of them will evolve. Some will join consultancies or managed service providers, where they can apply their expertise across clients. Others will help vendors improve their products. Some will pivot into broader roles, learning new skills as the tools themselves get easier to use.
That’s the point. This isn’t about eliminating jobs; it’s about reshaping the talent pool to better fit the problems we actually need to solve.
Right now, we’re wasting time and energy on tool babysitting. We’re building careers around interface quirks, and we’re still getting breached.
We need to break the cycle. AI gives us a path forward with better tooling, simpler workflows, more leverage for generalists, and fewer teams stuck in maintenance mode.
But it’s on us to change how we hire, how we train, and how we evaluate success. Let’s stop treating tool fluency as a qualification. Let’s stop hoarding tribal knowledge. Let’s build teams that are flexible, curious, and focused on outcomes.
The future of security isn’t specialization. It’s adaptability and hiring more generalists. That’s how we will make progress.


