Last edited: 2020-07-22

Technical versus procedural cyber security


If we want to build an overview of the field, we could try to put all expertise areas of cyber security into a single framework. However, that picture of cyber security quickly gets too large to hold as a mental model.
A more abstract model distinguishes, at the top level, between “technical” and “procedural” cyber security.

Technical cyber security is typically what people think of when we talk about “hackers”. Technical cyber security is work that has a direct effect on the world by interacting with technology. Expertise in this category includes, but is not limited to:

Procedural cyber security entails the process side of how security relates to business operations.
Governance, risk management and compliance in the context of cyber security encompass this concept, and include expertise areas such as:

While technical cyber security breeds specialists, procedural cyber security breeds generalists.

This distinction of technical and procedural cyber security is also known as “hard versus soft”—you can guess which is which :)