



In my 30 years tracking workforce trends at the intersection of business and technology, one truth keeps surfacing: linear career paths and rigid job definitions are becoming relics. Nowhere is this more evident than in information systems auditing, security governance, cybersecurity operations and data privacy.
Our team at Foote Partners has analyzed thousands of job descriptions, pay trends, and IT skills and certification premiums. What’s clear is this: the emerging heroes in these fields are not just the experts or the jacks-of-all-trades. They're what is known as “versatilists.” But what exactly is a versatilist, and why are they increasingly in demand?
Let’s break this down—versatilists vs. specialists vs. generalists—within the context of four high-stakes domains: IS audit and assurance, security governance and risk management, cybersecurity ops and engineering, and data privacy/protection.
Specialists: Critical, but Constrained
Specialists are deep-domain professionals. Think: the CISA-certified IS auditor who focuses exclusively on SOX compliance and internal control evaluations. Or the cryptographer securing blockchain implementations. Or the data privacy attorney who lives and breathes GDPR interpretation.
They’re indispensable when depth matters most. For example:
- A specialist in security event correlation might architect SIEM rule sets.
- A privacy expert might be retained to respond to a high-profile data breach notification requirement.
- An auditor might perform root-cause analysis for SAP transaction anomalies.
But here’s the risk: environments are evolving faster than ever, especially with AI evolution. The high-skill, deep-niche model can become a liability when you need adaptability. Too often, specialists struggle to operate outside their narrow swim lanes.
Generalists: Broad, but Often Shallow
Generalists, by contrast, have working knowledge across multiple domains. For example, a mid-level IT auditor who’s rotated through PCI, NIST and SOC 2 projects. A GRC analyst who touches on policy, threat modeling and vendor risk management. They’re utility players—valuable in lean teams and matrixed orgs.
Their strength lies in:
- Translating between teams (e.g., IT and Legal)
- Rapid onboarding to new technologies or frameworks
- Understanding how systems connect at a high level
But generalists may lack the depth to solve complex problems alone. You don’t assign a generalist to design your enterprise encryption strategy or lead a federal audit response.
Versatilists: Agile, Hybrid, Contextual
A versatilist is something else entirely. Coined by Gartner and validated in our labor market intelligence, a versatilist is someone who combines deep knowledge in multiple areas with the ability to shift roles and apply skills contextually. They're fluent in both the “how” and the “why.” They connect dots and they adapt.
In today’s interconnected risk, security and privacy ecosystem, versatilists aren’t just nice to have—they’re essential. Let’s look at just a few real-world archetypes represented in our research:
- The GRC-Cybersecurity Hybrid
Erica started her career in IT audit, moved into GRC consulting, earned her CRISC and CISM (or CISSP), and now serves as an enterprise security strategist. She leads policy design, interprets audit findings and runs tabletop exercises. She can code Python scripts for risk scoring—and explain them to senior management or even a boardroom full of directors.
- The Privacy Engineer
Jason came from a front-end development background but pursued a CIPP/US certification and now integrates privacy-by-design principles into applications development. He collaborates with marketing, legal and engineering, serving as the connective tissue between compliance and code.
- The Security Ops-Audit Crossover
Mei was a SOC analyst who got bored with the daily alert grind. She transitioned into internal audit with a focus on operational risk in cloud environments. Her ability to map threat intelligence to control failures gives her audit reports unmatched credibility.
Market Signals: Versatilists Command Premiums
Foote Partners’ IT Skills and Certifications Pay Index™ tracks cash pay premiums for 1,371 certified and non-certified IT skills, almost always in the form of bonus pay (not salary augmentation). Versatilists routinely earn robust salaries and higher-than-average cash pay premiums—not because of any one or two skills, but because of how they synthesize and apply them.
For example, pairing CRISC with experience in SIEM administration and exposure to AI/ML governance practices results in double-digit pay premiums in many midsize and large enterprises. In our most recent benchmark, skill combinations like “CISM or CISSP + Agile + Risk Modeling” or “CISA + Python + DevSecOps” significantly outperformed narrowly defined roles.
Why Employers Are Recalibrating Roles
The tech job market has always had its ups and downs, but lately, it feels more like a high-speed roller coaster with surprise loops. The following are only a few of many demand drivers that ISACA members should focus on right now.
- Digital transformation: Cloud, AI and decentralized architectures demand flexible security models.
- Regulatory pressure: Data privacy and cybersecurity compliance frameworks are proliferating. Someone needs to stitch them together.
- Board accountability: Security leaders must be storytellers, translators, and technologists—often all in one.
CISOs and Chief Privacy Officers tell us they’re redesigning roles to favor “security advisors” and “privacy architects” over traditional siloed positions. They want talent who can sit with engineers on Monday, talk to auditors on Tuesday and brief the CEO on Wednesday.
Building Versatilist Capacity
How do you attract, retain, or develop versatilists? Here are a few suggestions to begin with.
- Rethink job titles and descriptions. Stop organizing around fixed silos—design roles around problem-solving, integration and adaptability.
- Encourage cross-pollination. Fund training and project rotations. Let your IAM engineer shadow the audit team. Let your DPO participate in threat modeling.
- Pay for context, not just credentials. Structure compensation and rewards around capability and impact, not just certifications or tenure.
- Focus more on skills taxonomies and frameworks. HR groups are gaining expertise in LinkedIn, Workday, SAP, Eightfold AI, O*NET and NIST/NIST 800 taxonomies as they come up with strategies to reward skills acquisition, adaptability and project-based contributions. Seek out their knowledge and assistance.
- Flatten hierarchies. Versatilists thrive in fluid orgs where they can move fast and bridge disciplines.
Final Thoughts
The future of information systems auditing, cybersecurity operations, risk management and privacy will not be won by siloed specialists or stretched-thin generalists. It will be shaped by agile thinkers who operate across boundaries, integrate knowledge and solve complex problems with precision and perspective. That’s the advantage of versatilist roles. If you’re not hiring and nurturing these professionals yet, you’re already behind.