
How to Recruit and Verify Experienced Saudi Cybersecurity Professionals to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-2-2 Compliance

Practical steps for recruiting, vetting, and verifying experienced Saudi cybersecurity professionals to achieve ECC 2:2024 Control 1-2-2 compliance while reducing hiring risk and meeting local workforce rules.

April 05, 2026
4 min read


Control 1-2-2 of ECC – 2 : 2024 requires organisations to recruit and verify appropriately experienced Saudi cybersecurity professionals to perform security functions; implementing this effectively combines HR processes, technical validation, local regulatory awareness (including Saudization/Nitaqat considerations), and audit-ready documentation.

Why this control matters and the risks of non-compliance

Failing to recruit and properly verify experienced Saudi cybersecurity staff increases the risk of operational errors, delayed incident response, insider threats, and regulatory penalties—especially where national workforce rules or sector-specific requirements mandate Saudi nationals in critical roles. For a small business, these risks translate into potential data breaches, loss of customer trust, and fines that can be fatal to operations. Additionally, weak verification practices make it difficult to demonstrate compliance during audits.

Practical recruitment strategy for small businesses (step-by-step)

Start with a clear, compliant job description mapped to the Compliance Framework: define responsibilities, minimum experience (years and domains), required certifications, and Saudi-specific requirements (citizenship or residency where applicable). Use local recruitment channels: LinkedIn with Riyadh/Jeddah filters, Bayt, local university career centres (King Saud University, Imam Mohammad ibn Saud University), and government-supported talent platforms. For small businesses, consider contract-to-hire, internships, and partnerships with local training academies to build a pipeline while meeting short-term needs.

Job specification and salary benchmarking

Create role tiers (L1: SOC analyst, L2: incident responder, L3: security architect) with explicit technical tasks and success metrics. Benchmark salaries against local market data—adjust for Riyadh vs smaller cities—and build compensating benefits (training budget, certification sponsorship) to attract experienced Saudi candidates. Document your justification for chosen salary bands as part of compliance evidence.

Verification: credentials, experience, and technical skill validation

Use a multi-layered verification approach: (1) identity and legal right-to-work checks (Saudi ID or valid iqama, and Nitaqat compliance if applicable), (2) credential validation (verify certifications via issuing organisation or digital badge APIs—CISSP, CISM, OSCP, GIAC, and recognized NCA programs where available), (3) employment reference checks using professional referees and prior employers, and (4) criminal record or police clearance through authorised government channels. Retain copies of verification evidence in a secure HR system with access controls and audit logging.

Technical assessments and real-world scenarios

For technical validation, run practical tests rather than relying solely on CVs. Examples: a timed log-analysis exercise using a Splunk/ELK query, a ransomware containment tabletop scenario, a hands-on pentest lab (Kali + Metasploit in a controlled environment), or a take-home forensic challenge using a disk image and YARA rules. For a small e-commerce company, a useful practical test is: given web server logs and WAF alerts, identify a likely SQLi attempt, write the detection query (example, Splunk: index=web sourcetype=access_combined status=5* | top uri), and outline an immediate containment plan. Score candidates on detection accuracy, remediation steps, and communication clarity.
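The log-analysis test above, as an added example that is not part of the original article: a small Python script that parses constructed access_combined lines, reproduces the Splunk query's "5xx errors by URI" view (grouped by path), and flags requests whose decoded URI carries a common SQLi indicator. The sample log lines, IP addresses and detection patterns are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines in access_combined format (not taken from the article).
SAMPLE_LOGS = """\
203.0.113.7 - - [05/Apr/2026:10:01:12 +0300] "GET /product?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:10:01:15 +0300] "GET /product?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:10:01:16 +0300] "GET /product?id=42%20UNION%20SELECT%20null,null HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Apr/2026:10:02:01 +0300] "POST /checkout HTTP/1.1" 503 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Apr/2026:10:02:05 +0300] "GET /search?q=blue%20shoes HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# One access_combined line: ip ident user [ts] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Conservative SQLi indicators, checked against the URL-decoded request URI.
SQLI_RE = re.compile(
    r"(\bunion\b\s+(all\s+)?select\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\b|\bsleep\()",
    re.IGNORECASE,
)

def parse_log(text):
    """Parse access_combined lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["decoded_uri"] = unquote_plus(rec["uri"])
            records.append(rec)
    return records

def top_paths_5xx(records):
    """Counterpart of the article's Splunk query (status=5* | top uri), grouped by URI path."""
    counts = Counter(urlsplit(r["uri"]).path for r in records if 500 <= r["status"] <= 599)
    return counts.most_common()

def flag_sqli(records):
    """Return (ip, decoded_uri, status) for requests whose URI carries an SQLi indicator."""
    return [(r["ip"], r["decoded_uri"], r["status"])
            for r in records if SQLI_RE.search(r["decoded_uri"])]
```

A candidate's answer would be scored on whether the flagged requests and the 5xx spike on /product are tied together, and on the containment plan that follows (WAF block, input validation fix, session review).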

Onboarding, least privilege, and continuous verification

Integrate the verified credentials into a secure onboarding checklist tied to Control 1-2-2: IAM account creation, role-based access control (RBAC), privileged access provisioning (use a PAM solution or vault for secrets), MFA enrolment, device hardening, and mandatory security orientation. Implement periodic re-validation: annual certification status checks, quarterly skill refreshers, and continuous monitoring (SIEM alerts for anomalous activity). Maintain an access review cadence and log approvals to produce audit evidence.

Compliance tips and operational best practices

1) Document a hiring and verification policy mapped to the Compliance Framework with roles, evidence retention periods, and escalation paths.
2) Use secure HR storage (encrypted database, role-limited access) and retain validation artifacts for audit windows defined by your regulator.
3) Include NDAs and data-handling clauses in employment and contractor contracts.
4) Use third-party background-check vendors that operate in KSA for criminal and employment history verification.
5) Sponsor local certifications and on-the-job training to build talent and demonstrate investment in workforce capability.

Real-world small business scenario

A 25-person fintech startup in Riyadh needed an L2 incident responder to meet ECC 2:2024. They created a tiered job post requiring 3+ years SOC experience, OSCP or equivalent preferred, and Saudi citizenship due to contract terms. They used a two-stage vetting: a practical Splunk log-analysis lab followed by a reference check and iqama verification. On hire, the company provisioned the role via Azure AD with conditional access policies, assigned a PAM-managed privileged session, and enrolled the engineer in a quarterly incident-response tabletop exercise—generating the documentation they later used to pass an internal compliance review.

In summary, meeting Control 1-2-2 of ECC – 2 : 2024 demands deliberate hiring practices, robust identity and credential verification, technical validation through hands-on assessments, and ongoing governance to maintain and prove workforce competence; small businesses can achieve this with clear role definitions, local recruitment channels, practical testing, secure evidence retention, and routine re-validation to reduce risk and satisfy auditors.
