Manage Learn to apply best practices and optimize your operations.

Strategic security staffing: Generalist or specialist?

Expert Joseph Granneman explains whether a midsize company should hire security specialists or generalists and why.

I recently took over the security team in a midsize organization. We have a staff of six, and I have a couple open spots to fill. I need people with a technical background who have experience in log management/event management. However, long term, should I aim for a security team with one or two people who specialize or try to foster a team of generalists?

Fill the positions with people who have knowledge in many areas of security. Here’s why: Security staffing is a challenging proposition. There don't seem to be enough candidates with the required skills to fill all available positions. As a result, an information security manager must develop a nontraditional staffing strategy to identify and fill key needs within the department. This may mean recruiting staff from outside the core information security disciplines or recruiting security professionals with more generalized skills. This is especially true in small to mid-sized companies where the workload or budget may not support specialists.

There are several benefits to recruiting people with general security knowledge. They tend to be more open to different ways of tackling technical issues, while specialists tend to have rigid ideas about how to deploy specific technologies. The generalist also tends to look at information security as a whole product, spanning multiple technologies, platforms and processes. Specialists may have a difficult time expanding their scope beyond a specific skill set. Generalists may also have an easier time communicating security processes and technologies to other employees by not delving into the technical details.

One potential issue that may crop up when the staffing strategy involves hiring generalists is that they will not have the in-depth knowledge to appropriately configure every technology platform in the organization. They may not be able to detect potential intrusions, either, because of their lack of specialized information security knowledge. This can be mitigated by using outside consultants to supplement staff when needed, provide training and configure technology platforms. Using outside consultants only when needed will fill any technology or security knowledge gaps while still employing generalists with a wider view of the company's information security plan.

Have questions about enterprise security? Send them via email today! (All questions are anonymous.)

This was last published in April 2014

Dig Deeper on Information security certifications, training and jobs