
Lesson 34: Building a Cybersecurity Team — Hiring and Development

Security Leadership Path — Lesson 4 of 10. A practical guide to recruiting, structuring, and developing a cybersecurity team that meets SAMA CSCC staffing requirements and protects your organization.

FyntraLink Team
Security Leadership Path, Lesson 4 of 10 · Level: Intermediate · Reading time: 12 minutes

What You Will Learn in This Lesson

  • How to define the right cybersecurity team structure for a Saudi financial institution
  • Where to find qualified cybersecurity talent in a competitive Saudi market
  • How to evaluate candidates beyond certifications and resumes
  • How to retain and develop your team through structured career paths and continuous learning

Your Security Program Is Only as Strong as Your People

You can deploy the most expensive SIEM, the most advanced EDR, and the tightest firewall rules — but without the right people interpreting alerts, tuning policies, and responding to incidents, those tools become expensive shelf-ware. In Saudi Arabia's financial sector, SAMA expects dedicated cybersecurity personnel across multiple domains: governance, operations, incident response, and risk management. Yet the Kingdom faces a talent gap estimated at over 30,000 unfilled cybersecurity positions. As a security leader, your ability to build and retain a capable team is arguably your most critical skill.

This lesson walks you through the full lifecycle: defining roles, sourcing talent, conducting meaningful interviews, and building a development program that keeps your team sharp and loyal.

Step 1: Define Your Team Structure

Before posting a single job ad, you need a clear organizational model. The right structure depends on your institution's size, regulatory obligations, and risk appetite. A mid-sized Saudi bank typically needs coverage across four pillars: Security Governance, Risk and Compliance (GRC); Security Operations (SecOps); Application and Product Security (AppSec); and Identity and Access Management (IAM). Smaller fintech companies may combine these into two or three roles, while Tier-1 banks will have dedicated sub-teams under each pillar.

Start by mapping your SAMA CSCC domains to team responsibilities. Domain 2 (Cybersecurity Defense) maps to your SOC analysts and incident responders. Domain 3 (Cybersecurity Resilience) requires personnel who handle business continuity and disaster recovery. Domain 4 (Third-Party Cybersecurity) needs someone managing vendor risk assessments. This mapping exercise tells you exactly which roles you need and prevents the common mistake of building a team that is strong operationally but weak on compliance — or vice versa.

Practical Example: A Saudi payment company with 200 employees mapped its SAMA CSCC obligations and discovered it needed at minimum: 1 CISO, 1 GRC analyst, 2 SOC analysts (two 12-hour shifts, which covers business days only; genuine 24x7 monitoring needs at least four analysts once leave and weekends are counted, or an MSSP to take nights and weekends), 1 application security engineer, and 1 IAM specialist. They had initially planned to hire only a CISO and two generalists; the mapping exposed a compliance gap that would otherwise have surfaced during their next SAMA review.

Step 2: Source Talent Strategically

The Saudi cybersecurity talent pool is growing but remains competitive. Relying solely on LinkedIn job posts will not fill specialized roles. Diversify your sourcing across these channels:

  • Saudi universities and training programs: King Saud University, Prince Sultan University, and the Saudi Federation for Cybersecurity, Programming and Drones (SAFCSP) produce graduates with foundational skills. Establish internship pipelines; a 3-month internship with a conversion offer is one of the most cost-effective hiring strategies.
  • Regional cybersecurity communities: BSides Riyadh, OWASP Saudi chapter meetups, and Capture The Flag (CTF) competitions are where you find practitioners who learn outside the classroom. Sponsor a CTF challenge and you will identify problem-solvers before they even apply.
  • Cybersecurity consultancies and MSSPs: Analysts who have spent 2-3 years at a consulting firm have exposure to multiple environments and regulatory frameworks. They ramp up fast.
  • Saudization requirements: Under Nitaqat, financial institutions must meet localization quotas. Plan your hiring timeline around Saudi national availability and factor in the 6-12 month development period for junior hires to become productive.

Step 3: Evaluate Candidates the Right Way

Certifications tell you someone passed an exam. They do not tell you how that person performs under pressure at 2 AM during a ransomware incident. Build a multi-stage evaluation process that tests what actually matters:

  • Stage 1 — Technical screening (30 minutes): A short, practical exercise relevant to the role. For a SOC analyst, provide a sanitized PCAP file and three SIEM alerts and ask them to identify the true positive. For a GRC analyst, give them a mock SAMA CSCC gap assessment with intentional errors and ask them to find the mistakes.
  • Stage 2 — Scenario-based interview (45 minutes): Present a realistic incident scenario. "You receive an alert that an admin account is authenticating from an IP in a country where you have no operations, at 3 AM local time, and the account is querying your core banking database. Walk me through your first 15 minutes." You are evaluating their methodology, communication clarity, and ability to prioritize under ambiguity.
  • Stage 3 — Culture and communication (30 minutes): Cybersecurity teams interact with every department. Ask how they would explain a phishing campaign risk to a non-technical CFO. Ask about a time they disagreed with a colleague's security recommendation. You need people who can influence without authority.

# Sample SOC Analyst Screening Exercise — Triage Checklist
# Provide the candidate with these artifacts and 20 minutes:

Artifacts:
  1. Suricata alert: ET MALWARE Win32/Emotet CnC Activity (POST)
  2. Firewall log: Outbound connection to 185.xx.xx.xx:8080 (reputation: malicious)
  3. EDR alert: powershell.exe spawned by winword.exe on WORKSTATION-FIN023
  4. AD log: No privilege escalation events for the associated user

Expected candidate actions:
  - Correlate alert #3 with #1 and #2 (same source host)
  - Identify the kill chain stage (Execution → C2)
  - Recommend immediate containment: isolate WORKSTATION-FIN023
  - Flag the user account for password reset
  - Check if the Word document was received via email (pivot to email gateway logs)
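As an added example (not part of the original lesson), the correlation the checklist expects a candidate to perform, written out so an interviewer can grade answers against a fixed answer key. The artifacts are constructed to mirror the four above; the asset inventory that maps internal IPs to hostnames, the user name fin.analyst and the 192.0.2.10 destination (an RFC 5737 documentation address, not a real indicator) are assumptions. A decoy host that reached the flagged IP without any execution chain is included, because a strong candidate should mark that one for investigation rather than containment.

```python
"""Correlate multi-sensor alerts per host and derive the triage verdict.

Added example for the screening exercise; events and inventory are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Event:
    source: str                        # sensor: "suricata", "firewall", "edr", "ad"
    host: Optional[str] = None         # hostname, if the sensor knows it (EDR, AD)
    src_ip: Optional[str] = None       # internal source IP, if the sensor logs it
    detail: Dict[str, str] = field(default_factory=dict)


# Assumed asset inventory: network sensors report IPs, endpoint sensors report
# hostnames, so cross-sensor correlation is impossible without this mapping.
ASSET_INVENTORY = {
    "10.20.30.23": "WORKSTATION-FIN023",
    "10.20.30.41": "WORKSTATION-HR041",
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def resolve_host(ev: Event) -> Optional[str]:
    """Tie every event to a hostname so alerts from different sensors group together."""
    return ev.host or ASSET_INVENTORY.get(ev.src_ip or "")


def triage(events: List[Event]) -> Dict[str, dict]:
    """Group events by host and decide, per host, whether they form a true positive."""
    by_host: Dict[str, List[Event]] = {}
    for ev in events:
        host = resolve_host(ev)
        if host:
            by_host.setdefault(host, []).append(ev)

    findings: Dict[str, dict] = {}
    for host, evs in by_host.items():
        edr = [e for e in evs if e.source == "edr"]
        # Execution: an Office application spawning a scripting host.
        execution = any(e.detail.get("parent", "").lower() in OFFICE_PARENTS
                        and e.detail.get("child", "").lower() in SCRIPT_CHILDREN
                        for e in edr)
        # Command and control: IDS CnC signature or firewall hit on a malicious destination.
        c2 = any((e.source == "suricata" and "CnC" in e.detail.get("signature", ""))
                 or (e.source == "firewall" and e.detail.get("reputation") == "malicious")
                 for e in evs)
        priv_esc = any(e.source == "ad" and e.detail.get("priv_esc") == "yes" for e in evs)

        stages = []
        if execution:
            stages.append("Execution")
        if c2:
            stages.append("Command and Control")
        if priv_esc:
            stages.append("Privilege Escalation")

        actions = []
        if execution and c2:
            verdict = "true_positive"
            actions.append(f"isolate {host}")
            users = {e.detail["user"] for e in edr if "user" in e.detail}
            actions += [f"reset password for {u}" for u in sorted(users)]
            actions.append("pivot to email gateway logs for the document delivery")
            if priv_esc:
                actions.append("widen scope: review domain-level changes")
        elif c2 or execution:
            verdict = "needs_investigation"   # one signal alone does not justify containment
            actions.append(f"pull full EDR and proxy telemetry for {host}")
        else:
            verdict = "benign"
        findings[host] = {"verdict": verdict, "stages": stages, "actions": actions}
    return findings


# Constructed artifacts mirroring the four in the exercise, plus one decoy host.
SAMPLE_EVENTS = [
    Event("suricata", src_ip="10.20.30.23",
          detail={"signature": "ET MALWARE Win32/Emotet CnC Activity (POST)", "dst": "192.0.2.10:8080"}),
    Event("firewall", src_ip="10.20.30.23",
          detail={"dst": "192.0.2.10:8080", "reputation": "malicious"}),
    Event("edr", host="WORKSTATION-FIN023",
          detail={"parent": "winword.exe", "child": "powershell.exe", "user": "fin.analyst"}),
    Event("ad", host="WORKSTATION-FIN023", detail={"priv_esc": "no"}),
    # Decoy: reached the flagged IP, but no execution chain on the endpoint.
    Event("firewall", src_ip="10.20.30.41",
          detail={"dst": "192.0.2.10:8080", "reputation": "malicious"}),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding["verdict"], "->", " / ".join(finding["stages"]))
        for action in finding["actions"]:
            print("   -", action)
```

The hidden step in the exercise is the inventory lookup: artifacts 1 and 2 carry only an IP, artifact 3 only a hostname. A candidate who asks how you know the network alerts belong to WORKSTATION-FIN023 (DHCP lease, CMDB, asset inventory) is demonstrating exactly the correlation reasoning the checklist is designed to surface, and should be credited for it even before reaching the containment recommendation.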

Step 4: Retain and Develop Your Team

Hiring is expensive. Losing a trained cybersecurity analyst after 18 months — which is the industry average tenure in the Gulf region — is even more expensive. Retention starts on day one with three pillars: career clarity, continuous learning, and meaningful work.

  • Career paths: Define clear progression tracks. A SOC Analyst I should know exactly what skills, projects, and certifications they need to reach SOC Analyst II within 12-18 months, and what the Senior Analyst and Team Lead roles look like beyond that. Publish these paths internally. Ambiguity about growth is the number-one reason security professionals leave.
  • Training budget: Allocate a minimum of SAR 15,000-25,000 per person annually for training and certifications. This covers one major certification (CISSP, OSCP, CISM) or two specialized courses (SANS, Offensive Security). Tie training to your SAMA CSCC domain gaps; if your team is weak on cloud security and you are migrating to AWS, sponsor AWS Security Specialty certifications.
  • Rotation and exposure: Allow analysts to rotate between SOC, GRC, and AppSec on 6-month cycles. Cross-trained team members are more resilient, more engaged, and more valuable. A SOC analyst who has spent time in GRC understands why those compliance reports matter, and a GRC analyst who has done SOC work writes more realistic policies.

Practical Example: A Saudi insurance company reduced cybersecurity staff turnover from 35% to 12% in one year by implementing three changes: publishing a transparent career ladder with salary bands, sponsoring two certifications per employee per year, and introducing "Innovation Fridays" where the team spent half a day on a self-directed security research project. The total additional cost was approximately SAR 180,000 for a 6-person team. At the previous 35% turnover that team was losing roughly two analysts a year, and with replacement of a single mid-level analyst estimated at SAR 120,000, the retention program paid for itself by avoiding the second departure alone.

Connection to the Saudi Regulatory Landscape

SAMA CSCC Domain 1 (Cybersecurity Leadership and Governance) explicitly requires institutions to maintain adequate cybersecurity staffing with defined roles and responsibilities. Control 1-3 mandates that the cybersecurity function has sufficient and qualified resources. NCA's ECC similarly requires organizations to designate cybersecurity personnel proportional to their risk profile. Beyond compliance, SAMA examiners during on-site reviews often ask to see organizational charts, job descriptions, and evidence of ongoing training; a well-documented team structure with training records is tangible proof of your security program's maturity. The Saudi Data and Artificial Intelligence Authority (SDAIA), which oversees the Personal Data Protection Law (PDPL), also expects organizations processing personal data to have designated data protection officers with cybersecurity competence, adding another dimension to your staffing plan.

Common Mistakes to Avoid

  • Hiring only for certifications: A CISSP holder who has never triaged a real alert is less effective than a self-taught analyst with two years of SOC experience. Use certifications as one data point, not the primary filter. Practical assessment always reveals the truth.
  • Building a top-heavy team: Three senior engineers and zero junior analysts creates a team that is expensive and brittle. You need a pyramid structure — junior analysts handle L1 triage, mid-level analysts investigate, and seniors architect solutions and mentor. A healthy ratio is roughly 3:2:1 (junior:mid:senior).
  • Ignoring soft skills: A brilliant threat hunter who cannot write a clear incident report or brief a business executive creates bottlenecks. Communication, documentation, and collaboration skills are non-negotiable for every role on the team, especially in regulated environments where audit trails and management reporting are mandatory.

Lesson Summary

  • Map your team structure to SAMA CSCC domains before hiring to ensure full regulatory coverage and avoid compliance gaps during reviews
  • Diversify sourcing through university pipelines, CTF competitions, and community events — do not rely on job boards alone in a talent-scarce market
  • Evaluate candidates through practical exercises and scenario-based interviews that test real-world decision-making, not just theoretical knowledge
  • Retain talent by providing transparent career paths, meaningful training budgets tied to organizational gaps, and rotation opportunities across security disciplines

Next Lesson

In the next lesson, we will cover: Communicating with the Board — Cybersecurity Risk Reporting — how to translate technical security metrics into business language that resonates with board members and executives, including frameworks for quarterly risk reporting aligned with SAMA expectations.

Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a tailored cybersecurity workforce planning consultation.