This post provides a practical, compliance-focused hiring plan to meet Essential Cybersecurity Controls (ECC-2:2024) Control 1-2-2, specifically the requirement to staff all cybersecurity positions with full-time, experienced Saudi professionals. It shows how small and medium businesses can implement each step, collect evidence for auditors, and maintain operational security while recruiting.
Understanding Control 1-2-2 and Compliance Objectives
Control 1-2-2 in the Compliance Framework is focused on workforce localization and capability: all cybersecurity roles must be occupied by full-time Saudi nationals with documented experience. The key objectives are (1) demonstrate a complete cybersecurity staffing plan mapped to the ECC control set; (2) show hires are full-time and experienced; and (3) retain evidence (employment contracts, CVs with experience verification, training/certificates, payroll records, onboarding checklists) for audits. Implementation must therefore cover workforce planning, recruitment, vetting, onboarding, and retention while maintaining day-to-day security operations.
Step 1 — Workforce Assessment and Role Mapping
Begin with a simple role inventory aligned to the Compliance Framework. For each required cybersecurity function (e.g., CISO/Head of Security, Security Architect, SOC Analyst, Incident Responder, IAM Specialist, Penetration Tester), document the minimum experience, certifications, and responsibilities. Use a competency matrix (columns: role, required years of experience, must-have skills, desirable certs, evidence artifacts) and set measurable targets: number of full-time Saudi hires per role and an acceptable timeline (e.g., 90–180 days). For a small business (50 employees), you might map a minimum viable team as: 1 Security Lead (CISO/Manager), 1 SOC Analyst, 1 Systems/Network Security Engineer, and one hybrid Security Administrator — with plans to augment via training or MSSP while hiring.
Step 2 — Define Job Descriptions, Technical Profiles, and Evidence Requirements
Write job descriptions that explicitly state required experience levels and technical skillsets tied to ECC controls (e.g., for SOC Analyst: 2–4 years in log analysis, SIEM experience with Splunk/QRadar/Elastic, knowledge of MITRE ATT&CK, familiarity with EDR tools like CrowdStrike or SentinelOne). Include mandatory evidence to collect during hiring: degrees, employment certificates, verified references, copies of certificates (CISSP, CISM, OSCP, SANS), documented results of technical assessments, and signed full-time employment contracts. For each hire, prepare an evidence packet that maps the individual's skills to specific ECC control requirements — this becomes an auditor-friendly artifact.
Step 3 — Sourcing, Outreach, and Local Partnerships
Use Saudi-specific sourcing channels and government programs to reach experienced Saudi professionals: post roles on Taqat (the national employment portal) and on Bayt, Gulftalent, and LinkedIn with Saudi-targeted keywords, and engage HRDF (Human Resources Development Fund) and Monsha'at for SMEs. Partner with local universities and training academies (e.g., King Saud/King Fahd career centers, Tuwaiq Academy, and NCA-endorsed training programs) to access alumni who meet experience thresholds. For small businesses that cannot immediately fill all roles, document interim measures (e.g., a contracted Saudi-resident consultant, or a Saudi full-time hire in a broader IT role with defined cybersecurity responsibilities) and record a dated timeline to reach a fully staffed state, so that auditors can see a credible path to compliance rather than an open-ended gap.
Step 4 — Screening, Technical Assessment, and Background Checks
Design a two-stage technical evaluation: (A) a take-home or timed practical assignment (log triage, threat hunting query in ELK/Splunk, small pen test report) to validate hands-on skills; (B) an in-person/virtual lab-based interview using a sandbox (e.g., a controlled VM with common attack scenarios) to assess incident response and forensic skills. Include HR background checks, employment verification, and — if required by sector or NCA guidance — security clearance or residency checks. Keep signed consent forms and copies of verification reports in the hire's compliance file. For small businesses, practical tests can be scaled down (a 2-hour SOC simulation or a scripted C2 detection exercise) while still providing robust evidence of competency.
Step 5 — Offer, Onboarding, and Probation with Measurable KPIs
Offer full-time contracts that clearly state duties, working hours, probation terms, confidentiality and nondisclosure clauses, and any security clearance obligations. During probation (commonly 3–6 months), require completion of an onboarding checklist mapped to ECC controls: system access provisioning, MFA enrollment, SIEM training, incident playbook review, and required certifications or courses. Track KPIs such as time-to-hire, time-to-competency (hours until able to handle incidents independently), pass rate on technical onboarding tests, and retention at 6/12 months. Store onboarding evidence — access logs, completed training modules, signed playbooks — in a secure HR/compliance repository for audit readiness.
Retention, Continuous Development, and Interim Compensating Measures
To retain experienced Saudi professionals, offer career paths, continuous education budgets, and links to national career development programs (HRDF-funded courses). Competitive total compensation is vital; benchmark salaries using regional surveys and consider non-salary incentives (paid certifications, conference attendance, flexible scheduling). If immediate hires are not possible, document interim compensating arrangements that maintain compliance: a full-time Saudi employee in a combined role with a documented training plan to upskill into a specialized cybersecurity position within a fixed timeframe, or a full-time Saudi employee supervised by an accredited Saudi cybersecurity vendor. Record these arrangements with timelines and progress reports as compliance evidence.
Risks of Not Implementing Control 1-2-2
Failing to implement this control exposes the organization to multiple risks: regulatory noncompliance (potential fines or loss of certification), inability to demonstrate clear ownership of cybersecurity responsibilities to auditors, impaired incident response due to a lack of on-site full-time staff, and reputational damage that can affect government and enterprise contracts. Technically, staffing gaps increase mean time to detect and mean time to respond (MTTD/MTTR), giving an intruder more time for lateral movement and data exfiltration and prolonging downtime after an incident. For a small business, dependence on external contractors without proper full-time Saudi staff may be flagged by auditors unless it is documented as temporary, with a clear hiring roadmap.
Practical Compliance Tips and Best Practices
Keep an evidence-first approach: treat every hiring action as an audit artifact (job postings, applicant records, assessment results, signed contracts, payroll entries, training completions). Use a secure document management system with role-based access controls to store evidence; because these records contain personal and payroll data, limit access to HR and compliance roles and keep an access log for the repository itself. If you use an MSSP or contractors temporarily, maintain a clear timeline and a written agreement showing the transition plan to full-time Saudi hires. Automate parts of the compliance trail where possible (HRIS exports of payroll showing nationality and full-time status, LMS completion reports, and SIEM user activity logs during probation) to simplify audits.
Summary: Meeting ECC-2:2024 Control 1-2-2 requires a structured, evidence-driven hiring and onboarding approach that aligns role definitions to ECC controls, leverages Saudi recruitment channels and training programs, uses robust technical screening and background checks, and documents interim measures with clear timelines. For small businesses, combining temporary managed services with a documented, time-bound plan to hire and upskill full-time Saudi professionals provides a practical path to compliance while protecting operations. Adopt measurable KPIs, retain all artifacts in a secure compliance repository, and treat workforce localization as a strategic, auditable control rather than a personnel checkbox.