Does your organization consider cybersecurity knowledge as a factor in hiring, training, and employee retention decisions?
Explanation
Organizations that value cybersecurity knowledge in their workforce tend to build stronger security cultures and have employees who make better security decisions. By considering cybersecurity aptitude during hiring, you can ensure new team members have baseline security awareness. Including security in training programs and performance evaluations reinforces its importance and encourages continuous improvement in security practices.
Evidence could include: job descriptions that list cybersecurity skills as requirements or preferences, training programs with cybersecurity components, performance evaluation templates that include security-related metrics, or HR policies that document how security knowledge is factored into hiring and retention decisions.
Implementation Example
Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
ID: GV.RR-04.046
Context
- Function: GV: GOVERN
- Category: GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category: Cybersecurity is included in human resources practices
Related questions
- Have organizational leaders formally documented and agreed upon their specific roles and responsibilities for cybersecurity strategy development, implementation, and assessment?
- Does leadership actively communicate expectations for a secure and ethical culture, particularly leveraging current events as teaching opportunities?
- Does your organization have a comprehensive cybersecurity risk strategy that is reviewed and updated at least annually and after significant security events?
- Does your organization conduct regular reviews to verify that individuals responsible for managing cybersecurity risk have appropriate authority and coordination mechanisms?
- Has your organization documented risk management roles and responsibilities in a formal policy?
- Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?