Explore the Skills-First Hiring Toolkit

Learning Objectives

After completing this unit, you’ll be able to:

Define upskilling and reskilling.
Create a plan to implement skills-first hiring practices.

Cybersecurity threats evolve very quickly. To stay ahead, businesses need adaptable professionals who can apply their skills in real time. Before diving into the skills-first toolkit, let's quickly recap some of the reasons why an employer would choose a skills-first approach to hiring cybersecurity talent.

Knowledge Check

Ready to review what you’ve learned? The following knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started let’s review what you’ve learned by matching each skills-first advantage next to the appropriate hiring manager's need statement. When you finish matching all the items, click Submit to check your work. If you’d like to start over, click Reset.

Upskilling and Reskilling

The skills-first toolkit in this unit includes information and resources that can unlock hidden value in the cybersecurity hiring process across four key areas: the job announcement, resume screening, candidate interviews, and skills assessments.

But the greatest value might already be present within the business. Upskilling and reskilling are powerful “skills-first” tools that can efficiently strengthen an existing cybersecurity team.

Four scenarios, each depicting four steps in a hiring process: Job Announcements, Resume Screening, Candidate Interviews, and Skills Assessments.

Upskilling enhances existing skills within a current role. For example, a cybersecurity analyst strengthens her data analysis skills through on-the-job training. With her increased proficiency she enhances her typical analysis by adding data visualization and machine learning techniques, producing more informed threat forecasts for monthly reporting.

Reskilling involves learning new skills for a career change. For example, a graphic designer in a company is starting a career in cybersecurity so her employer sponsors her enrollment in an apprenticeship program to become an incident responder. After she completes the program, she applies for an entry-level cybersecurity position within the same company.

Transferable Skills

Now let’s explore transferable skills, another valuable tool in the skills-first toolkit. Examples of transferable skills are data analysis, project management and problem solving which can be applied across different roles and industries. These skills are valuable because they can be quickly adapted to specific needs and roles, reducing the time and resources required for training.

It’s because of transferable skills that the CEOs of major corporations can successfully transition across different industries. Their highly adaptable skills in core competencies like leadership, strategic planning, business acumen, crisis management and communication are essential for top roles in any sector.

For example, Meg Whitman’s extraordinary career began as an executive at Hasbro, an international entertainment company. She later became the CEO of eBAY, an ecommerce company, then Hewlett Packard Enterprise, an information technology company. As of today (2024) she is the United States Ambassador to Kenya, a very different context than her other leadership positions but one that still requires transferable skills like managing resources, influencing others, decisiveness, and inspiring diverse teams. This is one of many examples of the significant value and versatility of strong transferable skills which are essential for achieving success from entry-level roles up to the most senior positions in the business.

By identifying transferable skills in the existing workforce, employers can accelerate talent development and bridge skill gaps through upskilling and reskilling.

The Job Announcement

Adopting a skills-first approach doesn't have to be overwhelming. Starting small by focusing on one specific cybersecurity role can enable you to pilot the process, learn from the experience, and refine your approach before a wider rollout.

When implementing a skills-first hiring approach in your organization, start by targeting roles:

With consistently high turnover or where skilled candidates are difficult to find, allowing you to tap into a pool of capable candidates and quickly see the impact of skills-first recruitment
Where skills and experience can be gained through various paths, to encourage a wider range of applicants with a variety of backgrounds and skill sets
Directly impactful to the organization’s security posture so competence is highly visible, highlighting the value of a skills-first approach
That are entry to mid-level so feedback from the hiring and onboarding processes can be rapidly implemented to refine the approach

Update the Position Requirements

A key first step in adopting skills-based practices is creating new job descriptions or modifying your existing ones. Here are four areas to consider when creating the skills-first job announcement.

Make the job announcement a collaborative effort. Collaborate with the hiring manager, HR, and the technical team to create an accurate, inclusive job announcement that reflects real-world skills and demands of the position.
Only require certifications when necessary. Sometimes certifications are contractual or necessary due to regulatory mandates, especially when the position involves sensitive data and systems. In these cases, require certifications in addition to demonstrated skill.
Focus on quality of prior experience. Instead of fixating on years of cybersecurity experience, prioritize the quality of a candidate's experience–even if gained outside traditional security roles. For example, strong problem-solving and communication skills honed over 3 years as a social worker might translate quite well to threat analysis and reporting in a SOC role.
Be specific about the skills needed for the position. The skills you list in the job announcement will guide the entire hiring process, so it’s important to spend time getting this part right. Collaborate with the team currently doing the work to identify essential skills the candidate will need to be successful in the position.
1. Required skills: These are nonnegotiable technical/nontechnical and business skills the candidate must possess to effectively perform the job. Examples include specific technical skills like proficiency in security tools, nontechnical skills like proficiency in technical writing or business skills like ability to brief executives.
2. Preferred skills: These are the additional or nice-to-have technical/nontechnical and business skills that would be beneficial to the role. These skills can attract the ideal candidate without making the job description so specific that it turns away candidates who only have the required skills.

Let’s look at an example of a traditional job announcement alongside a skills-first version. View the job announcement here as we review the key differences between the job announcements, focusing on traditional vs. skills-first requirements, and then on the senior vs. entry-level SOC analyst job announcement.

First, the traditional announcement has specific education, certification, and experience requirements which can exclude many qualified individuals who lack these requirements even if they possess the necessary skills.

In contrast, the skills-first announcements prioritize skills and abilities. Notice that there are no education, certification, or experience requirements (unless absolutely mandated). This approach opens the door to a wider, more diverse talent pool.

Next, the skills-first announcement provides more transparent and precise skills statements, specifying the candidate’s practical abilities. Let’s compare a “required skills” statement as an example.

Traditional statement: Experience in SIEM tool configuration.
- Specifies past experience in configuring a SIEM tool. This implies an expectation of current technical skill related to setup and customization of a SIEM tool, possibly including writing and refining correlation rules and integrating various data sources, but it is not explicitly stated.
- Centers primarily on the tool rather than the skills it enables.

Skills-first (senior-analyst) statement: Use SIEM tool to perform detailed log analysis of network traffic for threat detection.
- Specific and actionable emphasizing practical use of the SIEM tool.
- Explicitly lists the required skills: log analysis and threat detection.
- Communicates transferable skills like analysis and threat detection (which involves understanding normal versus abnormal patterns) allowing a wider range of candidates to showcase their relevant expertise.

Both the senior and entry-level skills-first job announcements list the same skills. However the difference is in the analyst’s proficiency levels and how those skills are applied on the job.

For the senior analyst, terms like organize, plan, and perform signal the need for autonomy and high proficiency. For instance, at work they may independently analyze logs to find and investigate security threats. This includes choosing the right SIEM tools, determining analysis methods, and identifying both known and unknown threats. The senior analyst job announcement clearly emphasizes skill.

For the entry-level analyst, phrases like “with guidance” and “under supervision” highlight that the new hire will likely have support as they work and produce results. For example, at work they may help analyze network traffic logs with guidance from a senior team member. This includes following instructions, using provided SIEM tools, and reporting basic issues based on a defined set of indicators. The entry-level analyst job announcement emphasizes both aptitude (or learning) and skill.

This means the hiring manager is looking for an entry-level candidate who can learn on the job. So the candidate assessments throughout the hiring process will focus on evaluating aptitude alongside demonstration of skill.

Overall, a skills-first approach opens doors in cybersecurity. It allows experienced professionals without traditional credentials to showcase their abilities, while also creating opportunities for those new to the field to gain experience while contributing to the business.

Posting the Job Announcement

In addition to the company website and frequently used job boards, consider posting job announcements in online communities, to help ensure a broader applicant pool:

Jopwell: Connects companies with Black, Latinx, and Native American professionals.
Pink Jobs: Aimed at the LGBTQ+ community.
Neurodiversity in the Workplace: Specializes in connecting neurodivergent individuals with suitable employment.
Hire Heroes USA: Empowers U.S. military members, veterans, and military spouses to succeed in the civilian workforce.
Women in Cybersecurity (WiCyS): Supports women in the field and often partners with companies on hiring initiatives.
Reachire: Specializes in remote work to remove location barriers.
YearUp: Committed to advancing a more diverse workforce.
NPower: Creates pathways to economic prosperity by launching digital careers for military veterans and young adults from underserved communities.

The Job Posting Skillitizer is a free online tool to assist hiring managers in creating a skills-based job posting. The list of resources at the end of this unit also includes links to downloadable skills-first job announcement templates.

Now that we’ve reviewed the job announcement, let’s update the resume screening process to ensure it continues to follow a skills-first approach.

We use the senior SOC analyst job requirements as an example for the remainder of this module.

Resume Screening

The first screening stage of the hiring process lays the foundation for who eventually receives a job offer. To manage large volumes of applications and improve hiring quality, many organizations use automated resume screening tools. However, in traditional processes, top candidates–especially those from nontraditional backgrounds–often don't make it past this initial stage. Here are a few reasons why.

Keyword focus: Systems rely heavily on keyword matching, missing candidates who have the skills but not the exact phrasing.
Algorithmic bias: Unconscious bias embedded in the algorithm can perpetuate discrimination and exclude diverse talent.
Overlooked potential: Prioritizing degrees and traditional career paths can lead to overlooking self-taught individuals or career changers with highly relevant skills.

Despite these limitations, automation can still play a role in a skills-first approach. Consider using it for basic filtering (for example, identifying non-negotiable citizenship or work authorization requirements), then the hiring manager, HR representative, and other relevant team members should review remaining resumes to ensure the best candidates with the required skills move forward.

To maintain an inclusive screening process, focus on identifying evidence of skills needed for the job, regardless of how or where those skills were acquired.

Use a rubric like the sample below to guide the assessment.

Skills-First Resume Screening Rubric
Job Title: Senior SOC Analyst
Candidate Name:		Date:
Reviewer Initials:

Skills	Evidence to look for	Evidence_Scale
Use of SIEM tools for log analysis	Specific tools: Listing SIEM tools (Splunk, Wazuh, QRadar, ArcSight, and so on), threat intelligence feeds, network protocols, analysis techniques (for example, anomaly detection, pattern-matching). Quantifiable achievements: For example, “Investigated X incidents leading to Y discoveries” demonstrates practical use of the skill.	1 = Missing 2 = Potential 3 = Evident
Scripting/light coding	Coding/scripting languages: Use of Python, Bash, PowerShell, or SIEM-specific query/rule languages (for example, Splunk SPL). Projects: Mention of personal or work projects involving scripting for automation or security analysis, even if small in scale. Keywords: "Parsing," "logic," "workflow," even if not in coding contexts, show a transferable mindset.	1 = Missing 2 = Potential 3 = Evident
Document/communicate technical topics to nontechnical and technical audiences	Presentations/training: Experience presenting technical topics or delivering training, showing adaptability to varying audience levels. Work history: Roles in customer-facing or cross-departmental positions requiring communication of complex ideas. Writing samples: Links to clear technical reports or blog posts authored by the candidate.	1 = Missing 2 = Potential 3 = Evident

Ensure the resume screening rubric reflects the same required skills listed in the job announcement. If using multiple reviewers, discuss any discrepancies between final evaluation scores.

By emphasizing the required skills and deemphasizing factors unrelated to core skills, hiring managers can identify the most promising candidates to move to the next hiring phase: the interview.

The Interview

The job posting and resume screening process narrows options down to a strong pool of candidates. Now, it’s time to design interview questions that further refine those options.

The skills-first interview is the opportunity for remaining candidates to demonstrate their practical skills in situations that align directly, or as closely as possible, with the work of the position. The interview also provides an opportunity to clarify any remaining questions from the resume screening process. Additionally, it gives candidates a chance to decide if the workplace suits their career aspirations.

A video interview, featuring one person on a computer screen and another sitting in a modern office.

How does a skills-first interview actively assess a candidate's skills and abilities, compared to a traditional interview?

First, traditional interviews often seek examples of how candidates demonstrate certain traits or skills, with little context. For example, “Give me an example of how you’ve demonstrated teamwork in your previous job?” or “Tell me about the process you’ve used to find vulnerabilities.” There are two primary issues with these questions.

Lack of relevant context: Traditional interview questions tend to lack relevant context and as a result won’t always reveal how well a candidate’s skills would translate to your specific team and work environment. Even a well-articulated response might only reflect their general approach, not their adaptability.
Presentation over capability: Without context, it’s easy to be swayed by a candidate’s communication style rather than their actual ability to apply their skills in a relevant setting.

In contrast, a skills-first interview scenario might look like this: “It’s 4 PM and your shift has ended. Before leaving the SOC, you notice unusual outbound network traffic from workstations in our main building. The pattern doesn’t match established baselines. Walk me through your next actions.”

This scenario includes relevant context or a framework of events that invite each candidate’s unique perspective on handling the situation. The candidate’s response can highlight their focus, strengths, thought process, and decision-making style.

Skills-first interviewing is performance-based and situational. It aims to help the interviewer observe how the candidate does something under specific conditions, not just whether they know what to do. Ideally this approach gives the interviewer a clearer picture of the candidate’s compatibility with the day-to-day realities of the position.

Before beginning the interview, help the candidate understand the skills-first interview approach and what they can expect. For example:

This interview will focus on how you’d apply key SOC analyst skills in our specific environment.
You will be asked to answer questions and complete tasks that involve situations you might encounter on the job.
For some tasks, I’ll provide log samples and other reference materials.
Please explain your thought process as much as the final response.
Feel free to ask clarifying questions about our work environment, policies, or anything that would help you better understand the scenarios.
We’ve scheduled 90 minutes for this interview. Let me know if you need a short break at any point.

Let’s illustrate the skills-first interview by comparing traditional and skills-first interview questions and scenarios for key SOC analyst skills listed in the job announcement.

Skill Area

Interview Questions & Tasks

Use SIEM tools to perform detailed log analysis of network traffic for threat detection.

Traditional: “Describe the different types of SIEM logs you’re familiar with and describe how you used them.”

Skills-first: “During a recent vulnerability scan, we noticed outbound SMB traffic to an external IP address not on our whitelist. This aligns with known ransomware IOCs.

Question: “Walk me through your process to investigate this potential threat. What would you prioritize?”

Visual: (Share with candidate) A very basic image of the vulnerability scan output.

Follow-ups: Ask the candidate about specific tools, how they’d handle false positives, and so forth.

Perform light coding to create custom integrations between security tools (no formal developer training required).

Traditional: “Tell me about when you have created custom scripts to integrate security tools?”

Skills-first: “Our SIEM and vulnerability scanner are effective tools, but a new zero-day exploit highlights the need to update the integration between our SIEM and vulnerability scanner for more comprehensive detection. Currently, an analyst is manually correlating firewall logs, vulnerability scan results, and the asset list to identify the threat. Of course, this is a slow process, prone to human error so we need to automate this correlation.”

Visuals: (Share with candidate)

Screenshot 1: Firewall log entries (focus on source/destination IP, ports, timestamp)
Screenshot 2: Vulnerability scan output (list of assets, associated CVEs, including the relevant zero-day CVE)
Screenshot 3: Simplified asset list (device name, IP address, operating system)

Task: “At a high level, describe the code you would write to automate the process of importing vulnerability data into our SIEM, correlating it with firewall logs, and identifying hosts potentially vulnerable to the zero-day exploit. Focus on extracting data from the provided sources, matching firewall activity to assets from our vulnerability scans, and ensuring the process runs automatically.”

Effectively document and communicate SOC data and areas of progress to nontechnical and technical audiences.

Traditional: “Tell me about a time when you had to explain a technical topic to a nontechnical individual? How did you ensure they understood your explanation?”

Skills-first: “This is a sample slide similar to the one we present for our Weekly Security Analysis—Incident Highlight meeting. It highlights a recent incident involving unauthorized access to a privileged user account.”

Visual: (Share with candidate) A simple graphic that depicts user account access.

Task 1: “You’re discussing this slide with your security team. What are a few key points you’d discuss to gain a deeper understanding of the incident?”

Task 2: You’ve just been informed that you need to accompany the SOC manager to a meeting with the Board of Directors to explain this incident. The Board is primarily concerned about potential legal or regulatory implications and steps taken to prevent similar incidents. How would you explain this to address their concerns? Would you modify the way you present the data? If so, how?

Remember, a skills-first interview should be a collaborative dialogue where the interviewer’s role is similar to a mentor or colleague observing the candidate’s thought process and decision-making abilities. As the candidate explains the reasoning behind their responses, the interviewer should provide feedback or hints, if needed, allowing the candidate to demonstrate potential to quickly learn and adapt.

The skills first interview should assist in further validating the candidate’s skills and uncovering their potential while giving them a realistic preview of the position.

In the next unit we will discuss the pre-employment assessment, another valuable skills-based tool.

Besoin d'aide ?