Cybersecurity professionals tend to be categorised as either ‘technical’ or ‘non-technical’. However, success in this field is far more nuanced than this binary suggests.
Such a limited vision may prevent us from leveraging the full range of skills within our cybersecurity workforce so that Australia and our region are sufficiently equipped to deal with contemporary cyber threats.
Indeed, the Australian Signals Directorate’s Annual Cyber Threat Report 2023–2024 highlighted a continued rise in cyber threats. But we’re not just seeing an increase; we’re seeing an intensification of the threat. Today we face highly coordinated, multi-vector campaigns designed to disrupt critical infrastructure, steal intellectual property and undermine public trust in democratic institutions.
Humans love to categorise because it helps us make sense of the world—it makes the complex and daunting more digestible and tolerable. However, rigid categorical thinking can be dangerous, particularly when it reinforces hierarchies, limits opportunities and excludes talent.
Labelling someone as non-technical is a way of gatekeeping prospective job seekers from entering the cybersecurity job market. It’s worth noting this gatekeeping disproportionately affects women, who are more often associated with so-called soft skills, as well as other underrepresented groups who may lack time and resources to acquire hard skills outside of the industry. With so few women entertaining the idea of a career in cybersecurity to begin with, categorising people further exacerbates the risk of losing them to other industries.
In her article, ‘If You Can Use a Fork, You’re Technical’, April Wensel argues that technical is not a useful adjective to describe human beings because most of us are essentially technical (that is, able to use a fork). In other words, technical skills can be acquired in an appropriate environment with sufficient support and training.
The very term soft skills is misleading. Communication, writing ability, empathy, leadership and critical thinking are hardly soft. In many other industries, these abilities are prerequisites for high-level roles. Yet in cybersecurity, they are frequently undervalued, despite being crucial in such areas as incident response, risk assessment and policy development. This narrow definition of expertise makes cybersecurity less inclusive and less effective.
For example, security documentation is a foundational element of effective cybersecurity operations. Security documentation failures are often the culprit behind system vulnerabilities and a leading cause of poor incident response. The 2021 Colonial Pipeline ransomware attack in the United States was a clear example of the panic that can ensue when a company is woefully unprepared. One of the systemic causes of the attack was the lack of a sufficient incident response plan, which led to an operational shutdown and delayed recovery. Nevertheless, writing security policies, post-incident reports or governance frameworks is often seen as peripheral—a task relegated to someone non-technical. As being technical is synonymous with being competent, security governance practices—performed by those considered ‘less than’—are deemed less important.
This stance is dangerous. The perception that only technical experts can perform roles such as incident response or digital forensics ignores the broader skill sets these roles require. These so-called soft skills extend well beyond keyboard proficiency. Good team coordination, excellent communication, ability to make decisions under pressure, and empathy (as opposed to ‘cyber heroism’) are attributes of effective incident response that can build Australia’s cyber threat resiliency. These skills make it more likely that security documentation will be written in accessible language, updated regularly and integrated into practice, rather than treated as an afterthought.
As we discuss in a previous Strategist article, current cybersecurity frameworks tend to reduce cybercrime to a technical problem. They ignore its social, behavioural and psychological dimensions, yet people remain our most important assets and deepest vulnerabilities. The 2022 Ponemon Cost of Insider Threats Global Report revealed that insider threat incidents rose 44 percent in two years. The report underscores that most of these threats originate from employee negligence or malicious intent, issues that cannot be mitigated through technical controls alone.
Take the CrowdStrike outage of July 2024. The incident affected millions of devices globally and led to significant disruption across multiple sectors. The news largely focused on system crashes and software malfunctions. However, it was a defective rapid response content update that caused the outage. In September 2024, Adam Meyers, senior vice president of intelligence at CrowdStrike, appeared at a US House of Representatives hearing. During his testimony, Meyers discussed how CrowdStrike had changed its content update procedures to prevent similar incidents.
Governance, risk and compliance (GRC) professionals are the ones playing a crucial role in addressing these threats, but they are often labelled as non-technical by the cybersecurity industry. Individuals with soft skills, among them those who develop and enforce policies, play a critical role in preventing and mitigating threats. By creating policies that reflect real-world behaviours and organisational culture, GRC specialists help bridge the gap between compliance and practice.
Effective cybersecurity requires more than technical expertise. It demands diverse skills, strong leadership and interdisciplinary collaboration. Reducing cybersecurity to a technical-versus-non-technical binary undermines our ability to address complex, evolving threats. Australia’s national cyber resilience depends on leveraging a full spectrum of skills, from governance and psychology to law and policy, while investing in ways to attract and retain professionals across all these domains. Building truly resilient systems and inclusive teams isn’t just good practice, it’s essential for national security.
This article has been corrected to state that the cause of the July 2024 CrowdStrike outage was a defective rapid response content update.