Breaking into Security: The Soft Skills That Matter Most
“How do I break into security?” I get this question constantly, and for years I thought I was the worst person to ask since I stumbled into the field by accident.
But here’s what a decade of experience across security domains has taught me: the path into security matters less than what you bring with you. After building teams, hiring across different specializations, and watching careers flourish or stagnate, I’ve identified the soft skills that actually determine success.
These aren’t domain-specific skills - whether you end up in GRC, pentesting, cloud security, or anywhere else, these traits separate the security professionals who thrive from those who struggle. They’re also what I look for when hiring and what I evaluate in my own career moves.
Passion: The Foundation of Everything Else
Passion is the number one trait I look for. Not the kind where you’re spending your own money on SANS courses or grinding Hack the Box 24/7 (unless that genuinely excites you). I mean a lasting excitement about something that gives you purpose - something you want to learn more about and improve.
I’ll be honest: I didn’t start with passion for security. Early in my career, I had a comfortable IAM consulting gig that paid well and let me travel across the country. It came easily to me and provided a nice lifestyle, but I wasn’t driven by genuine interest in the work.
That changed over the past decade. I discovered what actually excites me: the technical side of security - architecture, application security, cloud security. My podcast library tells the story: half security shows, half aviation content. Those are my professional and personal passions on full display.
Here’s the thing about passion - it’s almost impossible to fake. Within minutes of interviewing someone, I can tell if they’re genuinely excited about security. I have a shirt that says “Warning: May spontaneously talk about airplanes” - and that’s absolutely accurate. But you could replace “airplanes” with any genuine passion and it would be just as valid. That constant drive to share, learn more, and develop further - that’s what makes individuals and teams thrive long-term.
Empathy: Understanding the Reality of Implementation
Security is a massive space - GRC, architecture, operations, pentesting, cloud security, application security. The list goes on. Most of what we do involves identifying risks and asking other teams to remediate them. Everything is urgent, everything is top priority.
Here’s the uncomfortable truth: security is rarely the top priority outside of security teams. And that’s not necessarily wrong.
Have you ever been asked to patch thousands of systems? It’s not just running an update command. Have you been handed a list of hundreds of vulnerabilities from an automated tool with an “ASAP” deadline? Do you know how long each one actually takes to fix? It’s never as simple as it looks.
The reality is messy: that unpatched machine might be running critical business software that breaks with updates. There might be compensating controls (network isolation, strict allow-listing) that reduce the risk more than the patch would. That static analysis finding might be a false positive because the input is already escaped in another file, or fixing it in place might violate internal development standards.
The manage-by-numbers approach kills trust. When CISOs rely solely on tool metrics and push unscheduled work onto roadmaps, they lose sight of the business impact. Application security teams that come in like wrecking balls with lists of unexploitable issues - just so leadership can sleep better - destroy relationships with engineering peers.
Security professionals who came from other disciplines often have better empathy because they’ve lived the pain of implementing security requirements. Career security folks can develop this empathy, but it requires conscious effort to understand what other teams actually face.
Business Context: Perfect Security Is a Myth
Security professionals fall into two buckets:
- Absolutists - Those who believe security should be absolute with the smallest possible attack surface across all vectors
- Pragmatists - Those who acknowledge nothing will ever be 100% secure and focus on business context balanced with security best practices
The pragmatists are consistently more successful. While it might be unsettling to accept, there will always be protection gaps, new exploits, and customer priorities that challenge your security philosophy.
A product leader I respect recently told me something that stuck: “Your opinion, while interesting, is irrelevant.”
When building products, internal opinions about features are irrelevant. Current and prospective customers drive requirements, and security isn’t exempt from customer influence. If you follow the absolutist philosophy, you can’t adapt to customer needs or regulatory differences. Should an organization that doesn’t serve healthcare build everything around HIPAA requirements? What if that hurts user experience and customer retention? The absolute mindset doesn’t allow for the nuance needed to serve your specific market segment.
I believe security should be baked in by default. Standards like OWASP ASVS provide a solid baseline of requirements (its Level 1 is the minimum every application should meet). But security features beyond that table-stakes baseline should be vetted with customers or tied to clear revenue drivers - either preventing losses or enabling gains. There’s no reason to boil the ocean with security.
Here’s what unifies passion, empathy, and business context: they’re invisible on resumes. When you interview someone who demonstrates all three, don’t let them slip away. Security professionals who are passionate and willing to learn are unstoppable.
I haven’t given you a roadmap for breaking into security. But understanding these soft skills - and how to demonstrate them - will help you plan your path and stand out from other candidates.