Feature
BUSINESS • 3 min read

What’s more valuable: spotting a breach or explaining why it matters?

What defines seniority in a cyber security team? Technical range and better instincts under pressure are important, and of course worth developing. But there's another skill set that gets much less airtime even though it's often the thing that actually separates the analysts who drive change from those who stay heads-down in the queue: clear, confident communication.

The ability to explain what’s happening in the right language for the right audiences within and outside the SOC determines whether security work has any impact at all. Should real incidents be the only times that this skill is tested?

Communication is momentum at all seniority levels

Clear articulation of urgency and consequences matters at every level, and stakes only increase with seniority. The analyst who can commit to a clear answer under pressure, frame a finding for a non-technical stakeholder, or write an incident summary that actually drives a decision is preventing team stagnation as much as they’re driving their individual career path.

During a major incident, an incident lead might need a simple confirmation, like "Was this authentication attempt successful? Yes or no." They’ll ask an analyst directly, with the answer influencing next steps and actions from the wider team. Diving into too much technical detail or process won’t serve the organization, and will only add noise. What’s needed is a combination of situational awareness, communication clarity and ownership to keep things moving. The most effective SOC analysts know how to give a clear answer, flag their confidence level, specify what would change that assessment, and hand the thread back. But that’s rarely taught in courses, or tested outside of an actual crisis.

Business context is a security skill

Understanding a threat technically is one thing. Understanding what it means for an organization at a given time is another. Regardless of seniority, cyber security professionals need to communicate in ways that help move the organisation forward, whether that’s within the team, to their managers, or all the way to leadership and the executive.

Waiting until an incident isn't a development strategy

When it comes to validating readiness, technical teams and executive leadership have almost no meaningful interaction until a serious incident occurs. With that, there’s no shared vocabulary, established relationships, or prior context about how each side thinks or what they need to be effective.

Then a crisis hits, and mature analysts are expected to seamlessly communicate across the org, under pressure, without the experience. This is an unnecessary risk and strain on an already high-stakes process. This is part of why we made SAL2 a different kind of assessment. Across 12 scenario-based investigations, candidates handle real incidents in realistic SOC environments, but the technical work doesn't happen in isolation from the communication demands. Incident summary writing, customer-facing updates, timeline construction, stakeholder reporting, SLA management and prioritization are assessed in the same 72-hour window as the log analysis in SIEM solutions, access to compromised machines in real time, PCAP and malicious file analysis on an analyst VM, and detection engineering and TI tasks.

That's what the job actually looks like, and the only way to know whether someone can do it under pressure is to put them under pressure.

SOC managers, we’re looking at you

If you had to describe what ready for mid-senior responsibilities looks like on your team, what evidence would you actually point to?

Tenure is a proxy. Job titles are a proxy. Even technical certifications are often a proxy for things that were never directly tested.

The most useful thing you can do for your team, and for the business case you'll eventually have to make on their behalf, is to close the gap between what your analysts can do and what you can objectively demonstrate they can do. That gap is smallest when assessment reflects the full reality of the job, including the parts that happen in the stakeholder summary during a complex investigation.

That's the standard SAL2 was built to.

SAL2 is available now. One free retake included.

Interested in business context as a security skill? We're hosting a free live session on how to improve stakeholder comms within cybersecurity teams on 31st March. Register here.



Author: Joanna Duffy
Mar 27, 2026
