Requirement
Essential Cybersecurity Controls (ECC-2:2024), Control 1-2-2: All cybersecurity positions must be filled with full-time and experienced Saudi cybersecurity professionals.
Understanding the Requirement
This control requires organisations to staff all cybersecurity roles with full-time, experienced Saudi professionals and to define the head, supervisory, and critical roles clearly. It expects written job descriptions, minimum academic and experience requirements, and alignment with national policies — using the Saudi Cybersecurity Workforce Framework (SCyWF) as a reference where helpful — while also following applicable national laws and regulatory directives on workforce nationalisation.
Technical Implementation
- Define roles, qualifications and minimum experience: Create formal job descriptions for the head of cybersecurity, supervisory positions, and critical roles. Each description should list minimum academic qualifications, the required years and type of experience (e.g., 5+ years in security operations, incident response, or governance), required professional certifications (CISSP, CISM, or local equivalents), and the essential technical skills for the role.
- Use the SCyWF to map skills to roles: Map each job description to the competency categories and role profiles in the Saudi Cybersecurity Workforce Framework (SCyWF) so that hiring criteria, training plans and performance metrics are consistent across roles and can be audited against a single reference.
- Create a full-time hiring and onboarding plan: Budget for full-time employees rather than relying on contractors, and schedule recruiting milestones. Include structured onboarding, probation targets, and 6 to 12 months of role-specific training and mentoring so that new hires, even experienced ones, reach the organisation's own operational baseline.
- Implement supervisory succession and vacancy controls: When a supervisory position becomes vacant, assign a named interim employee with documented temporary authority and an approved timeline for filling the role. Track vacancy durations and escalate delays to senior leadership so that no position stays unfilled without a recorded decision.
- Vet and verify candidate eligibility: Include identity, employment-history and background checks consistent with national regulations. For critical roles that handle confidentiality- or integrity-sensitive functions, add enhanced vetting (clearance checks, reference verification) and require signed confidentiality agreements before access is granted.
- Plan for training, career paths and retention: Establish continuous professional development paths (certifications, targeted training, conference attendance) and retention measures (competitive pay bands tied to role criticality) so that positions stay filled with experienced Saudi professionals and turnover risk is reduced.
Example in a Small or Medium Business
A 120-employee Saudi SMB running an online retail platform needs to comply with Control 1-2-2. The owner assigns HR and the COO to draft job descriptions for a Head of Cybersecurity, a SOC Manager and an Incident Response Lead, using the SCyWF as the skills reference. They specify a minimum of 7 years' relevant experience for the head role and 3 to 5 years for the supervisory and critical roles, and list the preferred certifications and university degrees. HR opens full-time positions with clear timelines and budgets, recruiting Saudi candidates through national job boards and university partnerships. While the searches are under way, the company designates a senior IT engineer as interim SOC lead and documents an approved 90-day vacancy plan. It requires background checks, sets a 6-month on-ramp training plan, and commits to funding one certification per year for staff in critical roles. Within three months the company hires a qualified Saudi Head of Cybersecurity, starts a formal onboarding and mentoring schedule, and updates its governance records to show that the roles are filled as required.
Summary
By formalising job descriptions, defining minimum qualifications and experience, using the SCyWF as a skills reference, and implementing hiring, vetting, succession and training processes, SMBs can meet the ECC 1-2-2 requirement for full-time, experienced Saudi cybersecurity professionals. Together these policy and operational controls reduce staffing gaps, establish clear accountability for each role, and leave a documented, auditable trail that aligns staffing with national regulations and the organisation's risk management needs.