
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-1

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-1 – A dedicated cybersecurity function (e.g., division, department) must be established within the organization. This function must be independent from the Information Technology/Information Communication and Technology (IT/ICT) functions (as per the Royal Decree number 37140 dated 14/8/1438H). It is highly recommended that this cybersecurity function reports directly to the head of the organization or his/her delegate while ensuring that this does not result in a conflict of interest.

Understanding the Requirement

This control (part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework) requires an organizational separation that makes cybersecurity a distinct, independent function rather than a sub-role of IT or digital transformation. In practice this means creating a dedicated cybersecurity function, assigning it clear governance and monitoring responsibilities, and aligning its reporting line so it can operate without undue influence from operational IT teams. The conflict of interest the control is designed to avoid is the one that arises when the team that builds and runs systems is also the team that sets security requirements for them, monitors their compliance, and decides whether residual risk is acceptable. Giving the cybersecurity function ownership of governance (policy, risk) and of monitoring and oversight, and placing it close to senior leadership, gives it the authority and visibility to challenge IT decisions rather than ratify them.

Technical Implementation

  • Create a clear organizational charter and job descriptions. Define the cybersecurity function’s responsibilities in a short charter: governance (policy/risk), monitoring/compliance, incident oversight, and vendor/security assurance. Draft role descriptions (Head of Cybersecurity, security analysts) that explicitly exclude operational IT tasks (e.g., server maintenance, application development).
  • Set the reporting line to senior leadership. Have the Head of Cybersecurity report to the CEO, managing director, or a designated senior delegate (e.g., deputy head of business) rather than the IT manager. Document this in the org chart and in terms of reference so audits and regulators can verify independence.
  • Segregate duties and ownership. Ensure separation of duties by assigning monitoring, logging review, and compliance reporting to the cybersecurity function, while operational tasks (patching, backups, helpdesk) remain with IT. Use ticketing and change-management records to demonstrate distinct ownership.
  • Establish governance processes and oversight metrics. Require the cybersecurity function to produce monthly risk reports, compliance dashboards, and incident post-mortems for executive review. Define KPIs (time-to-detect, time-to-contain, control coverage) and make them part of executive and board reporting cycles.
  • Protect independence with budget and advisory support. Allocate a dedicated budget line for cybersecurity staffing, tools, and training so the function does not depend on IT approval to procure what it needs. If full-time senior resources aren't affordable, engage an external or fractional CISO who reports to the CEO and partners with internal staff for day-to-day operations.
  • Implement audit and conflict-of-interest checks. Run periodic internal audits or external reviews to confirm the cybersecurity function is not performing IT operational duties and that decisions (e.g., acceptance of residual risk) are not influenced by IT operational leaders. Record findings and remediation actions.

Example in a Small or Medium Business

A 120-employee manufacturing SMB appoints a Head of Cybersecurity who reports directly to the CEO rather than the IT manager. The company retains a separate IT manager responsible for infrastructure, helpdesk, and production systems, while the cybersecurity head owns policy, risk assessments, vulnerability monitoring, and incident coordination. The cybersecurity team handles SIEM alerts, vendor security assessments, and quarterly compliance reporting, and it approves any exceptions to security policy. Budget for security tools and training is assigned to the cybersecurity function so it can procure necessary monitoring services without IT approval. To keep costs down, the business supplements its small internal team with a retained external CISO who attends executive meetings and quarterly board updates. Regularly scheduled internal audits verify that cybersecurity staff do not perform routine IT tasks, and any identified overlaps are corrected through role reassignments and updated job descriptions. This structure improves visibility of security risks to leadership and ensures the organization can act on vulnerabilities and incidents promptly without operational bias.

Summary

Creating an independent cybersecurity function with a direct reporting line to senior leadership, clear role separation from IT, dedicated budget, and documented governance processes satisfies Control 1-2-1. Policy measures (charter, job descriptions, reporting lines) combined with technical and operational steps (segregated duties, monitoring ownership, KPIs, and periodic audits) deliver the independence and accountability regulators expect while giving SMBs a practical, affordable path to stronger security oversight.
