In 1976, when Crest president Ian Glover went to speak to his school careers adviser, cyber security as we know it didn’t exist, the concept of STEM (science, technology, engineering and maths) as a discipline was not yet formed, and computers were not something teachers understood you could have a career in. But he persevered.
“The idea that a computer could land somebody on the Moon was a primary driving force for me,” Glover tells Computer Weekly. “But I had terrible careers advice at school. I was very good at welding and I was very good with a lathe, so they tried to get me to go into those areas. I said I wanted to be a systems design engineer and they had no idea what that was. So I went and got a job.”
As someone who came into IT in its formative years – Computer Weekly was a mere 10 years old in 1976 – Glover is one of a cohort of people who enjoyed the relative luxury of being able to orchestrate his own career path, seeking new opportunities and changing things up just as the world of computing developed.
His work speaks to this, taking him over the years to the Ministry of Defence (MoD), where he worked on early military artificial intelligence (AI) projects, and the government’s Central Computer and Telecommunications Agency (CCTA), which developed the UK’s first national information security strategy and a number of other methodologies, before heading into the private sector in the late 1990s, founding his own consultancy, Insight, which was subsequently sold into what was then Siemens Enterprise Communications (SEC – now Atos Unify), where he remained until 2008.
Crest – or the Council of Registered Ethical Security Testers, to give it its full name – was formed in late 2008 on the premise that the security services industry was, in Glover’s words, “a bit like the Wild West”, and something needed to be done about it.
“It was really difficult to buy good-quality services, you had no idea who you were buying from, you didn’t really understand what it was you were buying, and there was no ability to take action should things go wrong,” he says.
“That, to me, was a big problem – the possibility of an unconstrained penetration tester doing inappropriate things or accidentally bringing the system down was quite high. So, we looked to try to professionalise the industry. The industry had been really good to me, the government had been really good to me in terms of giving me an education and an opportunity, and so I had three main criteria.
“Anything that would professionalise the industry, Crest absolutely fits into that bracket; anything that would support young people in careers, particularly giving people opportunities where they didn’t see there was an opportunity, then I would do that; and anything that protects vulnerable young people. The only work I’ve done for the last 12 years or so has been orientated toward those three primary goals and Crest fits very comfortably within each one of those criteria.”
A decade of growth
Since it was founded, Crest has grown from a small UK-centric non-profit to a globe-spanning organisation with just under 200 member companies at worldwide, regional or country level.
“The way it operates is that we accredit those organisations looking at their policies, processes and procedures,” says Glover. “We do on-site audits, we do technical assessments where appropriate, and we can run those in any parts of the world. And we accredit companies in penetration testing, cyber security, incident response, vulnerability analysis, threat intelligence, and we also accredit SOCs [Security Operations Centres].
“This is through a combination of paper-based audit, on-site audit and technical assessment, so it’s quite a high bar and we still have more applications in process than we have members. It’s quite a difficult thing for organisations to reach.”
Crest claims its accreditations are becoming increasingly sought after in the buying community – particularly in the US, where it says a growing number of security services specialists are regularly asked whether they are a Crest member when tendering for a job.
Glover puts this down to the growing size and complexity of the security market. “Security services are difficult things to buy,” he says. “How exactly do you go out and buy a pen test if you’ve not done it before? How do you know the SOC service you’re contracting into is good, bad or indifferent? That’s not an easy thing for a traditional procurement programme to actually identify – we’re doing the heavy lifting on behalf of the buying community, and we’re also setting good practice.”
From advice to opinion
Now that the security marketplace has grown significantly and security services providers have gone from boutique outfits to big-name brands, this need is becoming greater than ever, says Glover. He adds that buyers are now realising that if they contract their security services to structured organisations that back up their technology claims with certified skills and best practice, they get better outcomes.
He also reckons that security consultancy will soon begin to move from an advisory-based practice to an opinion-based practice. “We haven’t really done that as an industry yet, but I absolutely believe that is the direction of play,” he says.
But what does that actually mean? Glover explains: “Right now, we provide advice and guidance. We look at your systems and we say ‘that’s not very good – you should correct it’. That’s advice. But what we’re now seeing under GDPR [General Data Protection Regulation] and other regulations is you are asked if you have taken appropriate steps to secure your data, otherwise the regulator is going to take regulatory action or fine you a lot of money.
“So we are now moving into this area where security consultants have to be professional auditors and say, in our professional opinion, this organisation has or has not taken appropriate steps to secure its data. That is going to be a significant change in the security services market. We are well geared up to do it, but it won’t happen without some pain, and certainly a change of mindset among Crest members.”
This change of mindset will be necessary because, under this model, security consultants will face restrictions similar to those that apply to other services where a professional opinion is given, such as financial audit.
There is a lot of risk and personal liability associated with this sort of activity, as Glover recalls from his time on the board of SEC, when he had to read and understand the reports put in front of him thoroughly, because signing them off made him personally liable. As regulation such as GDPR becomes more widespread, this is something CISOs may not yet have grasped.
“Education is needed to try to help security professionals understand the direction of play,” he says. “I don’t think it’s a big change from advisory to accountability, but it is a change and it will be a change for the organisation as much as the individuals, because that organisation will be liable for the advice and guidance it provides in that opinion-based service.”
But the way forward for this new model of security services will not be without its challenges, says Glover. “The model that we put forward in terms of trusted organisations with credentialed individuals tied together with effective codes of conduct sounds, in one sentence, a really easy thing to do, but in actual fact it is quite difficult to achieve. We’ve got to tidy things up.”
Many of these challenges will centre on legality and ethical behaviour – such as what constitutes a GDPR breach, or how to run simulated phishing attacks or penetration tests – where Glover says there are clearly some grey areas.
“Take disruptive methods, like crowdsourced bug bounty programmes,” he says. “We need to understand how those could operate within a regulated environment and we need to understand how we can control access to them.
“If you open your system up to a bug bounty programme, it’s very difficult to turn it off, so you need to do it at a particular point in maturity – you can’t do it too early. But if you don’t act on those observations that come through them, then where does that information go legitimately? That’s quite a difficult question to answer.”
Undoubtedly, adds Glover, getting it wrong in the case of a major data breach could see security professionals being legally sanctioned in the courts, so it is important that the certification process is watertight.
Crest’s process is already comparable, in terms of time needed to achieve it, to becoming a chartered accountant with the ICAEW – a three-year process if you train with a “Big Four” practice (Deloitte, EY, KPMG and PwC).
“Our qualifications come in at around 2,500 hours after a good degree, then it goes up to about 6,000 hours for our registered level and about 10,000 for our certified level,” says Glover.
“Our practitioners can work on these assignments with support, our registered-level can work without support but can’t sign off, and our certified-level people are operationally competent and can sign off. We’ve got about 4,000 people certified, and we’re building international relationships with other professional certification bodies on a global basis.”