Olivier Le Moal - Fotolia

The Security Interviews: How Crest is remaking the future of consultancy

Crest president Ian Glover taught himself cyber security while working on government computing systems in the 1970s and 1980s. Now he is on a decade-spanning mission to change security consultancy models

In 1976, when Crest president Ian Glover went to speak to his school careers adviser, cyber security as we know it didn’t exist, the concept of STEM (science, technology, engineering and maths) as a discipline was not yet formed, and computers were not something teachers that understood you could have a career in. But he persevered.

“The idea that a computer could land somebody on the Moon was a primary driving force for me,” Glover tells Computer Weekly. “But I had terrible careers advice at school. I was very good at welding and I was very good with a lathe, so they tried to get me to go into those areas. I said I wanted to be a systems design engineer and they had no idea what that was. So I went and got a job.”

As someone who came into IT in its formative years – Computer Weekly was a mere 10 years old in 1976 – Glover is one of a cohort of people who enjoyed the relative luxury of being able to orchestrate his own career path, seeking new opportunities and changing things up just as the world of computing developed.

His work speaks to this, taking him over the years to the Ministry of Defence (MoD), where he worked on early military artificial intelligence (AI) projects, and the government’s Central Computer and Telecommunications Agency (CCTA), which developed the UK’s first national information security strategy and a number of other methodologies, before heading into the private sector in the late 1990s, founding his own consultancy, Insight, which was subsequently sold into what was then Siemens Enterprise Communications (SEC – now Atos Unify), where he remained until 2008.

Crest – or the Council of Registered Ethical Security Testers, to give it its full name – was formed in late 2008 on the premise that the security services industry was, in Glover’s words, “a bit like the Wild West”, and something needed to be done about it.

“It was really difficult to buy good-quality services, you had no idea who you were buying from, you didn’t really understand what it was you were buying, and there was no ability to take action should things go wrong,” he says.

“That, to me, was a big problem – the possibility of an unconstrained penetration tester doing inappropriate things or accidentally bringing the system down was quite high. So, we looked to try to professionalise the industry. The industry had been really good to me, the government had been really good to me in terms of giving me an education and an opportunity, and so I had three main criteria.

“Anything that would professionalise the industry, Crest absolutely fits into that bracket; anything that would support young people in careers, particularly giving people opportunities where they didn’t see there was an opportunity, then I would do that; and anything that protects vulnerable young people. The only work I’ve done for the last 12 years or so has been orientated toward those three primary goals and Crest fits very comfortably within each one of those criteria.”

A decade of growth

Since it was founded, Crest has grown from a small UK-centric non-profit to a globe-spanning organisation with just under 200 member companies at worldwide, regional or country level.

“The way it operates is that we accredit those organisations looking at their policies, processes and procedures,” says Glover. “We do on-site audits, we do technical assessments where appropriate, and we can run those in any parts of the world. And we accredit companies in penetration testing, cyber security, incident response, vulnerability analysis, threat intelligence, and we also accredit SOCs [Security Operations Centres].

“This is through a combination of paper-based audit, on-site audit and technical assessment, so it’s quite a high bar and we still have more applications in process than we have members. It’s quite a difficult thing for organisations to reach.”

Crest claims its accreditations are becoming increasingly sought after in the buying community – particularly in the US, where it says a growing number of security services specialists are regularly asked whether they are a Crest member when tendering for a job.

Glover puts this down to the growing size and complexity of the security market. “Security services are difficult things to buy,” he says. “How exactly do you go out and buy a pen test if you’ve not done if before? How do you know the SOC service you’re contracting into is good, bad or indifferent? That’s not an easy thing for a traditional procurement programme to actually identify – we’re doing the heavy lifting on behalf of the buying community, and we’re also setting good practice.”

From advice to opinion

Now that the security marketplace has grown significantly and security services providers have gone from boutique outfits to big-name brands, this need is becoming greater than ever, says Glover. He adds that buyers are now realising that if they contract their security services to structured organisations that back up their technology claims with certified skills and best practice, they get better outcomes.

He also reckons that security consultancy will soon begin to move from an advisory-based practice to an opinion-based practice. “We haven’t really done that as an industry yet, but I absolutely believe that is the direction of play,” he says.

But what does that actually mean? Glover explains: “Right now, we provide advice and guidance. We look at your systems and we say ‘that’s not very good – you should correct it’. That’s advice. But what we’re now seeing under GDPR [General Data Protection Regulation] and other regulations is you are asked if you have taken appropriate steps to secure your data, otherwise the regulator is going to take regulatory action or fine you a lot of money.

“So we are now moving into this area where security consultants have to be professional auditors and say, in our professional opinion, this organisation has or has not taken appropriate steps to secure its data. That is going to be a significant change in the security services market. We are well geared up to do it, but it won’t happen without some pain, and certainly a change of mindset among Crest members.”

This change of mindset will be necessary because, under this model, security consultants will find themselves under similar restrictions as they would if they provided other services where they give a professional opinion, such as financial audit.

There is a lot of risk and personal liability associated with this sort of activity, as Glover recalls from his time on the board of SEC, when he had to read and understand the reports put in front of him thoroughly, because signing them off made him personally liable. As regulation such as GDPR becomes more widespread, this is something CISOs may not yet have grasped.

“Education is needed to try to help security professionals understand the direction of play,” he says. “I don’t think it’s a big change from advisory to accountability, but it is a change and it will be a change for the organisation as much as the individuals, because that organisation will be liable for the advice and guidance it provides in that opinion-based service.”

Challenges ahead

But the way forward for this new model of security services will not be without its challenges, says Glover. “The model that we put forward in terms of trusted organisations with credentialed individuals tied together with effective codes of conduct sounds, in one sentence, a really easy thing to do, but in actual fact it is quite difficult to achieve. We’ve got to tidy things up.”

Many of these challenges will centre on legality and ethical behaviour – such as what constitutes a GDPR breach, or how to run simulated phishing attacks or penetration testing – areas where Glover says there are clearly some grey areas.

“Take disruptive methods, like crowdsourced bug bounty programmes,” he says. “We need to understand how those could operate within a regulated environment and we need to understand how we can control access to them.

“If you open your system up to a bug bounty programme, it’s very difficult to turn it off, so you need to do it at a particular point in maturity – you can’t do it too early. But if you don’t act on those observations that come through them, then where does that information go legitimately? That’s quite a difficult question to answer.”

Undoubtedly, adds Glover, getting it wrong in the case of a major data breach could see security professionals being legally sanctioned in the courts, so it is important that the certification process is watertight.

Crest’s process is already comparable, in terms of time needed to achieve it, to becoming a chartered accountant with the ICAEW – a three-year process if you train with a “Big Four” practice (Deloitte, EY, KPMG and PwC).

“Our qualifications come in at around 2,500 hours after a good degree, then it goes up to about 6,000 hours for our registered level and about 10,000 for our certified level,” says Glover.

“Our practitioners can work on these assignments with support, our registered-level can work without support but can’t sign off, and our certified-level people are operationally competent and can sign off. We’ve got about 4,000 people certified, and we’re building international relationships with other professional certification bodies on a global basis.”

Read more from The Security Interviews series

  • Mike Lloyd, CTO at Redseal, holds 21 cyber security patents and a PhD in stochastic epidemic modelling from Heriot-Watt University in Edinburgh, so is probably the man to talk to when it comes to cyber security in the world of Covid-19.
  • David Mudd of the BSI reveals how a pragmatic and realistic approach to security vulnerabilities underpins its internet of things kitemark, helping give users the confidence to buy smart devices safely.
  • On the General Data Protection Regulation’s second birthday, Tim Hickman, a data protection lawyer and partner at White & Case LLP, discusses the regulation’s teething troubles and assesses how best to maintain optimum compliance.
  • Alun Baker, CEO of Clario, is on a mission to rehabilitate the image of consumer security products and take the fear out of selling antivirus. We find out how things are changing.
  • You may not make a million as a bug bounty hunter, but you might help remove some of the stigma that persists around cyber security, says HackerOne’s Shlomie Liberow.
  • Check Point founder Gil Shwed discusses his Infinity Next concept and how he plans to remodel the world of cyber security in the next 10 years.
  • F-Secure’s Mikko Hypponen discusses cyber weapons and nation-state threats, and explains why arms limitations treaties might one day expand to include malware and other threats.
  • Ann Johnson, Microsoft corporate vice-president of cyber security, is on a mission to prove that artificial intelligence holds great promise for the security sector, and she has the analogies to back it up.

Read more on Regulatory compliance and standard requirements

Data Center
Data Management