Cyber Risk Resource and Skills Assessment
Governance Control: Cyber Risk Resources and Skills
1. Purpose
Provide the template for assessing the adequacy of cyber risk resources (personnel, skills, and budget) against program requirements, identifying gaps, and planning for resource sustainment.
2. Scope
This assessment covers all personnel, competencies, and financial resources allocated to [ORGANIZATION]'s cyber risk management program, including internal teams and outsourced capabilities.
3. Assessment Content
3.1 Current Resource Inventory
Document the current state of cyber risk resources:
| Role/Function | Approved Headcount | Filled | Vacant | Contractor/Outsourced | Key Skills |
|---|---|---|---|---|---|
| [CUSTOMIZE: CISO / Head of Cyber Risk] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | Strategy, governance, executive communication |
| [CUSTOMIZE: Security Operations / SOC] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | SIEM, incident detection, triage |
| [CUSTOMIZE: Incident Response] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | Forensics, containment, recovery |
| [CUSTOMIZE: Risk and Compliance] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | Risk assessment, audit, regulatory |
| [CUSTOMIZE: Security Architecture] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | Cloud security, network security, design |
| [CUSTOMIZE: Identity and Access Mgmt] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | IAM, PAM, directory services |
| [CUSTOMIZE: Vulnerability Management] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | Scanning, patching, remediation |
| [CUSTOMIZE: Security Awareness] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | Training development, communications |
3.2 Skills Gap Analysis
For each role/function, assess the current skill level against the required level:
| Competency Area | Required Level | Current Level | Gap | Priority | Remediation Plan |
|---|---|---|---|---|---|
| Cloud security (AWS/Azure/GCP) | [CUSTOMIZE: Advanced] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Threat intelligence and analysis | [CUSTOMIZE: Intermediate] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Incident response and forensics | [CUSTOMIZE: Advanced] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Risk assessment methodology | [CUSTOMIZE: Advanced] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Regulatory compliance | [CUSTOMIZE: Intermediate] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Identity and access management | [CUSTOMIZE: Intermediate] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Application security / DevSecOps | [CUSTOMIZE: Intermediate] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
| Security automation and scripting | [CUSTOMIZE: Intermediate] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] | [CUSTOMIZE] |
3.3 Capacity and Sustainability Assessment
Current operational capacity utilization: [CUSTOMIZE: XX%] (target: [CUSTOMIZE: 75-85%] to allow for incident surge capacity)
Single points of failure identified: [CUSTOMIZE: list roles/functions where only one person holds critical knowledge]
Staff turnover rate (last 12 months): [CUSTOMIZE: XX%] (industry benchmark: [CUSTOMIZE: XX%])
Average tenure in cyber risk roles: [CUSTOMIZE: X.X years]
Succession plans documented for: [CUSTOMIZE: list roles with succession plans / identify gaps]
Knowledge transfer documentation status: [CUSTOMIZE: percentage of critical processes with documented runbooks/procedures]
3.4 Budget Assessment
Current cyber risk budget: [CUSTOMIZE: $X,XXX,XXX] ([CUSTOMIZE: X.X%] of IT budget / [CUSTOMIZE: X.XX%] of revenue)
Budget allocation: Personnel [CUSTOMIZE: XX%], Technology [CUSTOMIZE: XX%], Services [CUSTOMIZE: XX%], Training [CUSTOMIZE: XX%]
Identified unfunded requirements: [CUSTOMIZE: list with estimated costs]
Budget adequacy assessment: [CUSTOMIZE: Sufficient / Partially Sufficient / Insufficient] based on comparison against program requirements and industry benchmarks.
Recommendations for budget adjustments: [CUSTOMIZE: specific recommendations with justification]
3.5 Recommendations and Action Plan
Based on the assessment findings, the following actions are recommended:
[CUSTOMIZE: Recommendation 1 - e.g., Hire 2 additional SOC analysts to address 24x7 coverage gap - Priority: High - Estimated Cost: $XXX,XXX - Timeline: Q2]
[CUSTOMIZE: Recommendation 2 - e.g., Invest in cloud security certification program for 5 team members - Priority: High - Estimated Cost: $XX,XXX - Timeline: Q1-Q2]
[CUSTOMIZE: Recommendation 3 - e.g., Engage managed detection and response provider to supplement SOC during off-hours - Priority: Medium - Estimated Cost: $XXX,XXX/yr - Timeline: Q1]
[CUSTOMIZE: Recommendation 4 - e.g., Develop succession plans for CISO and Security Architecture Lead - Priority: Medium - Timeline: Q2]
This assessment shall be reviewed by [CUSTOMIZE: CISO / Executive Committee] and updated at least [CUSTOMIZE: annually].
4. Compliance
Compliance with this assessment is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this assessment must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This assessment shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
Approved By
Title
Date
Document Control