Cyber Risk Resources and Skills
Control Statement
The organization has allocated sufficient and skilled resources for the sustainment of cyber risk programs, systems, roles and services.
Description
The effectiveness of the entire cyber risk management program depends on having adequate human, financial, and technical resources with the necessary skills and expertise. This control requires the organization to assess resource needs against program requirements, address skill gaps through hiring, training, or managed services, and ensure that resource levels are sufficient to sustain ongoing operations rather than just initial implementation. Under-resourcing is a common root cause of control failures and security incidents.
Key Implementation Activities
1. Conduct a resource and skills assessment comparing current cyber risk team capabilities against program requirements and the threat landscape
2. Develop a resourcing strategy that addresses identified gaps through a combination of hiring, upskilling, cross-training, and strategic use of managed services or consultants
3. Establish role-based competency requirements and ongoing professional development programs for cyber risk personnel
4. Monitor resource utilization and capacity to identify burnout risks, single points of failure, and areas where demand exceeds capacity
5. Include resource sustainability considerations in annual planning and budget cycles, ensuring that ongoing operational needs are funded, not just projects
Evidence Examples
- Resource and skills gap assessment documentation with findings and recommendations
- Cyber risk organizational chart showing filled roles, vacancies, and reporting structure
- Training and certification records for cyber risk personnel demonstrating ongoing professional development
- Budgetary documentation showing dedicated funding for cyber risk personnel, tools, and services
- Workforce planning documentation addressing succession, retention, and knowledge transfer
Maturity Levels
Cyber risk responsibilities are assigned to personnel with limited relevant expertise or as additional duties. Budgets are insufficient for program requirements. Skill gaps are unaddressed.
Dedicated cyber risk resources are allocated with defined roles and competency requirements. Budgets support program sustainment. Training and development programs address identified skill gaps.
Resource planning is dynamic, informed by workload analysis and threat landscape changes. The organization invests in advanced skills development, knowledge management, and retention programs. Resource adequacy is measured against program performance metrics.
Evidence Requirements
| Type | Evidence Item | Frequency | Level |
|---|---|---|---|
| Document | Resource and skills gap assessment with findings and recommendations | Annually | Required |
| Document | Cyber risk organizational chart showing filled roles, vacancies, and reporting structure | Current | Required |
| Document | Budget documentation showing dedicated funding for cyber risk personnel, tools, and services | Annually | Required |
| Record | Training and certification records for cyber risk personnel | Tracked continuously | Required |
| Record | Workforce planning documentation addressing succession and knowledge transfer | Reviewed annually | Expected |
| Record | Role-based competency requirements and job descriptions for cyber risk positions | Reviewed annually | Expected |