When people ask what it takes to be great at AppSec, they usually expect something like deep knowledge of secure coding practices, years of experience in software engineering, or some other very technical background.
That stuff’s important. No question. But it’s not what makes someone great.
The best people I’ve worked with in AppSec aren’t just good at tech; they’re also good with people.
The most underrated skillset in this field is what we still insist on calling “soft skills”: communication, empathy, influence, change management and creativity.
These aren’t nice-to-haves. They’re how the job gets done.
Why ‘soft skills’ matter in AppSec
AppSec isn’t about sitting behind a desk scanning code and sending off Jira tickets. Done well, it’s embedded. It’s collaborative. It’s a constant negotiation of trade-offs between speed and safety. And that means your success hinges on your ability to work with people: people under pressure, people with different priorities, people who don’t always speak ‘security’, or any other technical language at all.
If you want to drive secure-by-design thinking across an engineering organisation, you need to:
- Build trust with dev teams who’ve been burned by security before
- Make risk feel real to product managers who are chasing KPIs
- Influence execs to invest in security before there’s a breach
- Guide behaviour change across thousands of people without formal authority
That’s not just charm and vibes. It’s real, technical work aimed at people, not lines of code.
My ‘non-technical’ background became my AppSec strength
My path into AppSec didn’t follow the traditional route. I studied international relations, worked in global development, spent time in advertising and marketing, and even dabbled in politics. It wasn’t linear, and it definitely wasn’t planned — but each of those experiences gave me skills that are essential to how I lead cyber programmes today.
Diplomacy taught me how to navigate complex threat landscapes and explain them in ways that matter to a business. Advertising sharpened my understanding of audience, behaviour change, and creative problem-solving. Politics taught me to influence without authority, build coalitions, and get things done in complex environments.
I genuinely believe the AppSec industry needs to rethink its definition of what a “technical” background looks like to be successful in business.
Imagine an emergency services worker: they understand crisis response and pressure. What about a teacher? They know how to educate, influence, and handle resistance. How about a small business owner? They know how to manage risk, juggle priorities, and get things over the line.
These are the kinds of skills that help us not just build secure software, but embed security in a way that people will actually adopt, and drive long-lasting change. In a discipline that lives or dies by collaboration, empathy, and influence, we need more of these “non-traditional” skills in the mix.
Making change stick means starting with people
Not long ago, I managed a team that rolled out a quality gate in our static analysis tool that stopped insecure code from being deployed. It wasn’t exactly a popular idea at first. Many people said it would damage our relationships with developers and product teams by being a “blocker.”
Of course, we gave it a crack anyway, but not without doing the work to make it stick.
We didn’t just flick the switch. We started with people. We asked questions about the development teams’ workflows, problems and challenges. We brought in early adopters, worked with them closely, and showed them how the change could actually help them. We gave developers practical ways to talk to their managers about delays or trade-offs when the tool flagged issues. We kept the conversation focused on how this would make their lives easier, not just more secure.
One of the unexpected wins? Developers started using the tool as leverage to push back on unrealistic deadlines. “I can’t ship this yet, it won’t pass the gate.” That was a big shift. It gave them more control and made security feel like a support, not a roadblock.
That’s the kind of outcome you only get when you lead with people, not process.
We need to stop calling these soft skills
In AppSec, these skills aren’t optional extras. They’re core technical competencies.
If you can’t influence, you can’t shift behaviour.
If you can’t communicate, you can’t build buy-in.
If you can’t empathise, you’ll never embed security into the way teams work.
If we only hire for hard technical skills, we’re missing the point — and the people who could actually move the needle.
I’ve just joined Galah Cyber as Director of Application Security Advisory. My mission is to build AppSec programmes that are not only technically sound but also shaped around how people really work, rooted in real behaviour change, not just checklists.
Because at the end of the day, security isn’t just about code. It’s about people. And people are complex.
So let’s stop pretending these skills are soft.
In AppSec, they’re some of the hardest of all.