It's 100% true that you need technical expertise in a security team. There are also other things that need to come together for a team to improve how well protected their business is. One of those can be winning the opportunity to do the technical stuff that's needed.
In fact I think there are 8 key applied abilities that are vital in security
1. Systems thinking
2. Politic
3. Architecture / engineering mindset
4. Team creation and evolution
5. Product management
6. Project management
7. Data science
8. Coding
1. Systems thinking
2. Politic
3. Architecture / engineering mindset
4. Team creation and evolution
5. Product management
6. Project management
7. Data science
8. Coding
Systems thinking: Sec teams are usually implementing a complex system (lots of sec controls w/ interdependencies) within a complex system (the biz+its people/process/ tech inter-relationships). Ability to understand, share & build consideration of this into decisions is vital.
Politic: Knowing what doors to push on, how hard, and when - and having the patience for the right moment to emerge rather than trying to force the issue - are criminally under-rated abilities that you generally only learn from painful mistakes in our profession.
Arch / eng mindset: It's great if you can hire ppl who've solved problems before & have a snag list of what to avoid. But often you don't have that, so you need ppl who can connect an understanding of your system, with what needs building, to a blueprint for the builders.
Team creation & evolution: Getting the right people on the bus in security (& keeping them there) is exceptionally difficult. Finding the right balance of characters, getting them operating as a unit & evolving the team with the business ... loads of security teams struggle here.
Product management: The planning, communication and execution involved in product management are all directly applicable to making sure security projects build something that all the different layers of users involved want and deliver value incrementally with feedback loops.
Project management: Cost control, juggling dependencies, delivering an actual outcome anyone cares about ... project mgmt is something we seem to be criminally bad at overall.
Data science: For an industry that spends so much time with data, we struggle to use it to communicate, measure success, and inform our decisions. Having a way to approach questions we want to answer, and the data we have is a much needed discipline we need to add to our teams.
Coding: Arguably this is a 'technical' ability, but the there is technical at a level where you are writing code to go into production, and technical to the level that you can hack some scriptz together to a level where you can show a concept or solve a problem.
