Be broad but specialise

You need to know more than just your area in order to be effective.

It sounds counter-intuitive, even an oxymoron, to say "be broad but specialise", but that's the advice I give those looking to start out in cyber security (and IT in general).  I firmly believe that's the best advice I can give someone, and in this post I'll explain why, and how being able to draw across your experience helps you to be effective.

What does it mean to be broad?

Essentially, if you have broad knowledge and experience then you know about a lot of things.  That's not to say you're an expert in every one of those things, but you know enough to get by.  I know a bit about cars for example - I can drive one, fuel it, change a tyre, etc., but I'm not an expert in cars at all.  If you ask me what makes one car better than another I could have a go at answering the question, but I wouldn't be able to give you an "expert opinion".  I wouldn't be able to fix a major problem with a car either.

Being broad does not mean, necessarily, that you're a generalist - a "jack of all trades and master of none".

What does it mean to specialise?

Specialising in a subject involves having an in-depth knowledge about it.  Still, specialists have different skill levels and experiences and it's rare that someone is the foremost authority on a subject.  Take fountain pens as an example.  I know a lot about them compared to some of my friends and family, so they might consider it a specialism of mine, or that I'm an expert, but I consider I pale into insignificance when compared to some others I follow online.

My journey

I've written about my career journey before, looking at both my cybersecurity and development career angles.  For me, these two areas overlap quite nicely - while working on eVitabu I obviously write the code behind the software itself.  My security training and experience allows me to think about developing securely, while also giving me the ability to test the software I write [1] - that's the first overlap.

When working in security it's not unusual to write scripts to automate tests or reporting.  My main languages are PHP, Android SDK (Java) and PowerShell, but that doesn't stop me dabbling in Python, or Lua when writing Nmap scripts.  My development experience really helps with the thought process behind designing and writing a script, almost regardless of the language.

Specialise in your interests

As your career develops you'll work out what really interests you - what you're passionate about.  The more passionate you are about something, the more likely you are to put effort into learning about it.  In turn, the more you learn about your chosen area, the better you'll become at working in it.

There's no point in choosing to specialise in something you aren't passionate about (or worse, hate).  That's not to say that you think less about areas you choose not to specialise in.  For example, I wouldn't choose to specialise in service desk operations because I'm not excited by it.  Nonetheless, the service desk is often a user's first contact point with an ICT support team so it's really critical to the organisation.  Remembering that, make sure your colleagues don't feel you think they're less valuable because their specialism is different.

(For clarity, I don't hate working on the service desk - I just couldn't do it all day any more.)

Know what's around you

Thinking about me and my colleagues, the vast majority of us started in one area of ICT and have then moved into our current areas.  Having held other roles means I'm aware of how different areas work (or at least have worked in the past), so I can factor those areas into my responses and plans.  You also gain the ability to relate to colleagues in other teams.  Make an effort to understand the pressure they're under, and try to find ways to help reduce that pressure if you can.

In my security role I often have to talk to other teams to get changes made, making use of their specialisms.  By having some awareness of their areas I'm able to ask the right questions, and can understand the things they tell me.  If I was ignorant of their areas I wouldn't have any idea if what I was asking was reasonable, both in terms of time frame and capability, which could lead to me and the security team looking like very inconsiderate people.  Cyber security teams are often considered barriers, and the team that offers "No as a Service", so it's important to be approachable, reasonable, and understanding.

For a short time I worked alongside a development team.  Part of their planning phase was to outline their intentions to get security's input.  My development skills were helpful because I could understand what they were describing, and when there was a problem we could discuss how best to resolve it without causing them excessive work.  From memory, their developers liked working with me because I could understand them.

Specialisms change

Bear in mind that as your career progresses your specialism can, and should, change.  Originally I worked in IT support, helping end users with the applications they needed to use and servicing the hardware.  At that time my specialism was knowing the applications in use, and how to take laptops apart.  OS installation came into it too (Windows 98SE, then XP), along with finding the most efficient ways to complete the installation process.  Later on I moved to specialising in Windows Server (2003) and Active Directory.

Presently I'd say my specialism was in cyber security / IT security / information security (we have lots of names!), but even that's a very big landscape.  We say the CISSP is "a mile long and an inch deep" because it covers so many areas in some detail, and that's how cyber security works.  I've not chosen a specialism in cyber security yet, and at some point I'll need to refine my career to do so, but for now my skills in various areas are good and allow me to carry out my duties.


By having a wide understanding of how things work you become more approachable.  You're able to understand the pressures felt by colleagues, and can avoid adding to the pressure unnecessarily.  As a result of being approachable you'll find you gain more knowledge about the organisation, helping to prevent things going wrong.

Expect your specialism to change as your career progresses.  IT is a fast-moving industry and we have to keep up with it.  There's little need for thousands of MS-DOS specialists these days, but specialists in newer technologies are desired by organisations globally.

Pick a specialism that aligns with your interests - people tend to be good at what they're interested in.  There's nothing wrong with starting down a path, realising it's not for you after all, and choosing a different one - that just adds to your broad knowledge and experience.

Banner image: Convergent by Improulx on OpenClipart (modified).

[1] Obviously I look to get my software tested by other people too, to avoid unconscious bias in my testing.