Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-10-4 – Essential and customized (i.e., tailored to job functions as it relates to cybersecurity) training and access to professional skillsets must be made available to personnel working directly on tasks related to cybersecurity including:
Understanding the Requirement
This control requires that personnel who perform cybersecurity-related tasks receive role-specific, practical training and access to external or internal professional skillsets so they can meet their responsibilities. It targets the cybersecurity function’s personnel and related sub-controls (1-10-4-2 and 1-10-4-3) and is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, meaning SMBs should prioritize tailored learning, documented competencies, and access to expertise when staffing cybersecurity tasks.
Technical Implementation
- Conduct a role-based training needs assessment: List all cybersecurity-related roles (e.g., SOC analyst, system administrator, application developer, incident responder) and map the specific skills and tasks for each. Use a simple matrix that links tasks to required skills and existing staff proficiency to identify gaps.
- Create and maintain tailored training plans: Develop short, role-specific curricula: onboarding basics, quarterly refreshers, and advanced modules for high-risk roles. Include hands-on labs, secure coding sessions for developers, and threat-hunting exercises for operations staff. Set a schedule and assign owners for completion tracking.
- Provide access to professional skillsets on demand: Budget for external expertise (consultants, managed security services, certified trainers) that can augment gaps or lead incident response. Establish vendor relationships and a low-friction procurement process so expertise can be engaged quickly when needed.
- Use measurable competency checks: Implement practical assessments (simulated phishing responses, tabletop exercises, code reviews, or lab-based challenges) to verify skills transfer. Track completion and competency metrics in a simple HR or LMS report every quarter.
- Embed continuous learning and knowledge sharing: Hold monthly brown-bag sessions, post-incident lessons-learned reviews, and maintain a small internal knowledge base (runbooks, checklists). Encourage cross-training so backup personnel can cover critical tasks.
- Protect time and budget for training: Allocate dedicated hours per employee per quarter for training and a small annual budget for certifications or courses. Treat training like maintenance: missed training increases operational risk.
Example in a Small or Medium Business
Acme Tech, a 75-person managed services provider, created a simple cybersecurity role matrix and discovered that their system administrators had no formal incident-response training. They defined three role levels—basic, intermediate, and advanced—and mapped required courses and hands-on labs to each level. The CEO approved an annual budget to hire a retained security consultant and to buy seats in a cloud-based training platform. System admins completed a two-day tabletop exercise led by the consultant, then participated in monthly 90-minute lab sessions for six months. When a ransomware-like simulation was run, the trained team followed the documented runbook, isolated impacted systems, and escalated to the consultant within their service contract hours. Leadership tracked completion and assessment scores in a spreadsheet and used those metrics during performance reviews to keep accountability. Over the next year, the company expanded the program to developers with secure-coding workshops and added a yearly external penetration test to validate skills and identify new training needs.
Summary
Meeting Control 1-10-4 requires SMBs to adopt a pragmatic, role-based approach: assess skill gaps, deliver tailored training, verify competencies, and provide access to professional expertise when internal skills are insufficient. Combining documented policies, scheduled training, competency checks, and contracted specialists ensures personnel can perform cybersecurity tasks effectively while keeping the program affordable and scalable for a small or medium business.