Business-First Application Security: What Modern Organizations Must Get Right
- The Cybersecurity Podcast
In this episode of the Cybersecurity Podcast by EC-Council, host Jay Bavisi speaks with Abhay Bhargav, Founder and CEO of we45, a specialized application security (AppSec) firm, Black Hat instructor, AppSec expert, and long-time industry practitioner, whose career path has defied every traditional stereotype in the cybersecurity industry.
Far from beginning his professional life as a software engineer or computer scientist, Abhay started out as a trained accountant, earning his Certified Public Accountant (CPA) credential in the United States. Only after that did he make a decisive leap into cybersecurity, a move that positioned him as a respected voice in application security and secure software development.
This conversation is not just a personal success story. It is a direct reflection of where the cybersecurity industry is today. As AppSec, DevSecOps, and AI-driven development reshape the threat landscape, the industry increasingly rewards professionals who understand risk, systems, and business impact, not just code. The journey from accounting to hacking is no longer unusual; it is a signal of how cybersecurity careers are evolving.
Why Nontraditional Backgrounds Are Becoming an Advantage in Cybersecurity
Abhay’s transition from accounting into cybersecurity highlights a critical truth: cybersecurity is fundamentally about risk management. Accounting trains professionals to assess exposure, materiality, controls, and consequences. Those same skills translate directly into security decision-making, where not every vulnerability carries the same weight and not every fix delivers equal value. Cybersecurity professionals who understand business context consistently make better prioritization decisions.
Another reason non-traditional backgrounds thrive in cybersecurity is systems thinking. Accountants, lawyers, and business professionals are accustomed to working within structured frameworks, regulatory environments, and competing constraints. When applied to application security, this mindset helps bridge the gap between abstract security theory and real-world software development. Security becomes less about isolated technical flaws and more about how systems behave under stress, misuse, or malicious intent.
Finally, curiosity plays a decisive role. Many professionals who enter cybersecurity from outside traditional engineering paths do so because they are naturally inclined to explore how things work, and how they break. Abhay’s early experimentation with systems, long before formal security training, reflects a learning style that cybersecurity rewards. In a field driven by adversarial thinking, unconventional curiosity is often more valuable than rigid technical orthodoxy.
Why Application Security Is the Core Cybersecurity Challenge Today
During the conversation, Jay and Abhay make it clear that application security is where modern cyber risk truly lives. Network security has matured into a space dominated by standardized tools and baseline controls. Organizations can buy firewalls, endpoint protection, and intrusion detection systems. Applications, however, are custom-built, continuously changing, and deeply intertwined with business logic.
Every application introduces unique workflows, permission models, and data flows. These elements create security risks that automated tools struggle to fully understand. Traditional scanners often miss authorization failures, business logic flaws, and multi-step workflow exploits because the code can be technically “correct” while still being logically insecure. This is why application security demands professionals who understand both technology and business intent.
Abhay also highlights why secure coding remains such a persistent challenge. Developers are rarely evaluated on security awareness during interviews or performance reviews. As a result, universities and coding bootcamps prioritize functionality and speed over secure-by-design principles. This structural misalignment ensures that security remains reactive rather than preventative. Until secure coding is treated as an expected competency, not an optional specialization, application security will remain the industry’s largest attack surface.
DevSecOps, AI Coding, and the Shift in Security Responsibility
DevSecOps emerges in the discussion as both a solution and a cautionary tale. When implemented correctly, DevSecOps integrates security throughout the software development lifecycle (SDLC) using continuous feedback loops. Instead of relying on a single security gate at the end of development, teams embed security throughout design, coding, testing, deployment, and runtime. This approach reduces friction, lowers remediation costs, and aligns security with engineering workflows.
Artificial intelligence (AI) is accelerating this transformation while simultaneously introducing new risks. AI-assisted coding tools can generate vast amounts of functional code in seconds, dramatically increasing development speed. However, Abhay emphasizes a critical distinction: generating code is not the same as building a secure, maintainable application. AI tools often make assumptions about libraries, architectures, and patterns that may be insecure or incompatible with an organization’s environment.
Rather than eliminating the need for developers and security professionals, AI shifts their role. Developers increasingly become reviewers, architects, and maintainers of AI-generated code. Security teams must focus on guardrails, secure defaults, dependency governance, and business logic validation. In this AI-driven environment, professionals who understand systems holistically, combining technical, architectural, and business perspectives, become indispensable.
Conclusion
The conversation between Jay and Abhay illustrates a defining reality of modern cybersecurity: success is no longer determined by traditional career paths. As application security, DevSecOps, and AI-driven development reshape the industry, cybersecurity increasingly rewards those who can think critically about risk, design resilient systems, and adapt continuously. The journey from accounting to hacking is not an exception; it is a blueprint for the future of cybersecurity careers.
Summary
Cybersecurity today is not just about writing code or finding vulnerabilities. It is about judgment, context, and the ability to anticipate how systems fail at scale. Professionals who bring diverse backgrounds, disciplined thinking, and relentless curiosity are shaping this field and its future.




