Rethinking Cybersecurity: Beyond the Technical and Non-Technical Divide

In the realm of cybersecurity, professionals are often categorized as either ‘technical’ or ‘non-technical.’ However, this binary classification oversimplifies the complexities of the field and can hinder our ability to effectively combat contemporary cyber threats. As highlighted in the Australian Signals Directorate’s Annual Cyber Threat Report 2023–2024, Australia faces a rising tide of cyber threats that are not only increasing in frequency but also in sophistication. To adequately address these challenges, we must recognize the diverse skill sets within our cybersecurity workforce.

The Limitations of Binary Thinking

Humans have a natural tendency to categorize information, which helps simplify complex realities. However, rigid categorizations can be detrimental, particularly when they reinforce hierarchies and limit opportunities. Labeling individuals as non-technical can act as a gatekeeping mechanism, preventing talented job seekers from entering the cybersecurity field. This issue disproportionately affects women and underrepresented groups, who may be more frequently associated with so-called soft skills. With fewer women considering careers in cybersecurity, such categorizations risk pushing them toward other industries.

The Misconception of Technical Skills

In her compelling article, the argument is made that the term ‘technical’ is misleading when applied to human beings. Most individuals possess some level of technical ability, akin to using a fork. Technical skills can be cultivated in supportive environments, and it is crucial to recognize that many roles in cybersecurity require a blend of both technical and non-technical skills.

The term ‘soft skills’ itself is a misnomer. Skills such as communication, empathy, leadership, and critical thinking are anything but soft; they are essential for high-level roles in many industries. In cybersecurity, however, these abilities are often undervalued, despite their importance in areas like incident response, risk assessment, and policy development. This narrow definition of expertise not only limits inclusivity but also diminishes the effectiveness of cybersecurity efforts.

The Importance of Security Documentation

Security documentation is a foundational element of effective cybersecurity operations. Failures in this area often lead to system vulnerabilities and poor incident response. A notable example is the 2021 Colonial Pipeline ransomware attack, which was exacerbated by a lack of a sufficient incident response plan. This incident underscores the importance of viewing security governance as a critical function rather than a peripheral task assigned to those deemed non-technical.

The perception that only technical experts can handle roles such as incident response or digital forensics ignores the broader skill sets required for these positions. Effective incident response relies on good team coordination, communication, and the ability to make decisions under pressure. These skills are vital for ensuring that security documentation is accessible, regularly updated, and integrated into practice.

The Human Element in Cybersecurity

Current cybersecurity frameworks often reduce cybercrime to a technical issue, neglecting its social, behavioral, and psychological dimensions. Yet, people remain our most significant assets and vulnerabilities. The 2022 Ponemon Cost of Insider Threats Global Report revealed a 44% increase in insider threat incidents over two years, primarily stemming from employee negligence or malicious intent—issues that cannot be mitigated through technical controls alone.

Consider the Crowdstrike outage of July 2024, which affected millions of devices globally. While the media focused on system crashes, the root cause was a bug in the code and inefficient testing practices. This incident illustrates the need for a more comprehensive approach to cybersecurity that includes governance, risk, and compliance (GRC) professionals, who are often labeled as non-technical.

Bridging the Gap with GRC Professionals

GRC professionals play a crucial role in addressing cybersecurity threats, yet they are frequently marginalized within the industry. Individuals with strong soft skills, including those who develop and enforce policies, are essential for preventing and mitigating threats. By creating policies that reflect real-world behaviors and organizational culture, GRC specialists help bridge the gap between compliance and practice.

The Need for Diverse Skills and Collaboration

Effective cybersecurity requires more than just technical expertise; it demands a diverse array of skills, strong leadership, and interdisciplinary collaboration. Reducing cybersecurity to a technical-versus-non-technical binary undermines our ability to address complex, evolving threats. Australia’s national cyber resilience depends on leveraging a full spectrum of skills—from governance and psychology to law and policy—while investing in ways to attract and retain professionals across all these domains.

Conclusion

Building truly resilient systems and inclusive teams is not merely a good practice; it is essential for national security. By moving beyond the simplistic technical/non-technical divide, we can harness the full potential of our cybersecurity workforce. This approach will not only enhance our ability to combat contemporary cyber threats but also create a more inclusive and effective cybersecurity landscape for all.