Cybersecurity has changed fast. Roles are more specialized, and tooling is more advanced. On paper, this should make organizations more secure. But in practice, many teams struggle with the same basic problems they faced years ago: unclear risk priorities, misaligned tooling decisions, and difficulty explaining security issues in terms the business understands.
These challenges do not usually come from a lack of effort. They emerge from something more subtle, a gradual loss of foundational understanding as specialization accelerates. Specialization itself is not the problem. A lack of context is. When security teams do not have a shared understanding of how the business, systems, and risks fit together, even strong technical execution starts to break down. Over time, that gap shows up in the way programs are designed, tools are chosen, and incidents are handled. Unfortunately, I’ve seen this pattern repeatedly when assisting with incidents and security programs across organizations of all sizes.
Specialization without context narrows the risk picture
Cybersecurity is unusual in how quickly practitioners are able to specialize. In many professions, broad foundational training comes first. You learn how the system works before focusing on a single part of it. Consider, for example, that one becomes a medical doctor before becoming a specialized surgeon. In security, it often works the other way around. People move directly into focused roles such as cloud security, detection engineering, forensics, or IAM with limited exposure to how the broader environment fits together. Over time, this creates teams that are highly capable within their domains but disconnected from the larger risk picture.
The resulting challenge is a lack of end-to-end visibility. When you only see one slice of the environment, it becomes harder to reason about how threats move, how controls interact, or why certain risks matter more than others. Risk stops being something you understand holistically and becomes something you only see through the narrow lens of your role. This is where many security conversations break down. A security issue is raised, but it is not connected to how the organization actually operates. Without that connection, the concern sounds abstract. It fails to resonate, not because it is unimportant, but because it lacks context.
When tools replace understanding, programs drift
Another pattern that shows up repeatedly is how security decisions become centered on products instead of processes. Teams are asked why they need a tool, and the answer focuses on features or industry trends rather than the specific risk it addresses inside the organization. When a tool cannot be tied back to organizational risk, it usually means the underlying problem has not been clearly defined. Security becomes something that is purchased rather than something that is designed.
A functional security program starts with the business. Why does the organization exist? What mission does it serve? Which systems and data are essential to that mission? Without clear answers to those questions, it is impossible to know what actually needs to be protected. Attackers understand this well. To disrupt a business, they must identify what matters most and where impact will be felt. Defenders who lack that same clarity are always reacting. They are responding to alerts and vulnerabilities without a clear sense of priority. Foundational knowledge helps prevent that drift. It allows teams to work from mission to assets to risk, rather than from tool to alert to remediation.
Detection, response, and prevention depend on knowing “normal”
Many security failures trace back to a simple issue: teams do not know what normal looks like in their own environments. Detection becomes difficult when expected behavior is poorly understood. Response slows when basic questions about systems, users, and data flows cannot be answered quickly. Prevention turns into guesswork when past incidents cannot be clearly explained or learned from.
This is not a tooling problem. It is a familiarity problem. Knowing your systems, your network, and how your organization operates day to day is foundational. It is what allows anomalies to stand out and investigations to move forward with confidence. When teams skip this work, they are forced to build this understanding during incidents, when pressure is highest and mistakes are most costly. Advanced capabilities only work when they are grounded in proper baseline understanding.
Master Your Foundational Skills at SANS Security West 2026
Modern cybersecurity depends on specialization. That is not going to change. What does need to change is the assumption that specialization alone is enough. Foundational skills enable specialized teams to reason about risk, communicate clearly with the business, and make decisions that hold up under pressure. They create shared context, which is often what’s missing when programs drift, tools pile up, or incidents stall.
As environments grow more complex, that shared understanding becomes a requirement, not a nice-to-have. This May, I will be presenting SEC401: Security Essentials – Network, Endpoint, and Cloud at SANS Security West 2026 for teams and practitioners who want to strengthen those foundations and apply their specialized skills with clearer context across modern security programs.
Note: This article has been expertly written and contributed by Bryan Simon, SANS Senior Instructor.
About The Author
Original post here
