Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities, at least in an ad hoc manner
Context and Guidance: Ensure that personnel assigned responsibilities in WORKFORCE-3b have the knowledge and skills needed to perform those responsibilities. Conduct cybersecurity training internally or include funding in the cybersecurity program budget for personnel to take training from vendors. If training is provided internally, it should be relevant to the types of activities identified in WORKFORCE-3a. Additionally, as noted in the help text for WORKFORCE-3a, cybersecurity responsibilities are not restricted to traditional cybersecurity or IT roles. For example, operations engineers, human resources specialists, and procurement specialists typically have cybersecurity roles, and these roles may be performed by third parties. Training might include attendance at conferences that provide deep-dive sessions, vendor-specific training on tools used, and certificate programs. Payment for external training and certificate programs might be done only on a reimbursement basis after successful completion.
Related Practices
• Input From: Implementing WORKFORCE-3b provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-4a, WORKFORCE-4d, WORKFORCE-4f.