9 March 2016, updated 9 September 2021 1:30pm

Who can you trust?

Ian Glover, president of CREST, explains why penetration testing is a vital weapon in the battle against cyber crime and why you wouldn’t want just anyone trying to break into your company

By Ian Glover

With more sophisticated cyberattacks expected from hacktivist groups, organised criminal gangs and state-sponsored cyber terrorists, it is more important than ever that companies discover where their security weaknesses are and fix them before someone else finds and exploits them.

The best way to discover where vulnerabilities lie is to simulate a malicious attack, from inside or outside of the organisation, in order to see how easy it is to break into a network or computer system and steal valuable data or deny access to critical assets. This is called penetration testing, and the demand for this skilled, technical and clearly sensitive investigation and analysis has risen rapidly.

While penetration testing has traditionally been associated with government organisations and large financial institutions and corporations, it is now commonplace among medium-sized companies, NGOs and the wider public sector.

But this is sensitive work and companies need to be very clear who they are dealing with and have confidence in professionally qualified and skilled individuals with the appropriate processes and methodologies to protect data and integrity. It is a common misconception that the security industry is simply made up of ex-hackers – who, let’s face it, most organisations would be reluctant to trust.

This is where CREST comes in. CREST was established in 2006 by the technical security industry with the support of the UK government and is the not-for-profit accreditation and certification body representing the technical information security industry. It provides internationally recognised accreditation for organisations and certification of individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo stringent assessment every year and sign up to a strict and enforceable code of conduct; and CREST-qualified individuals have to pass the most challenging and rigorous examinations in the industry worldwide, to demonstrate knowledge, skill and competence.


For example, CREST practitioner entry-level examinations are aimed at individuals with typically 2,500 hours of relevant and frequent experience, while candidates for CREST Registered Tester examinations should have at least 6,000 hours (three years or more) and, at a certified level, 10,000-plus. All these individuals have to resit the examinations every three years, which reflects the fast-moving nature of the industry.

This means that organisations wishing to buy penetration testing services have the confidence that the work will be carried out by trusted companies with the appropriate policies, processes and procedures for the protection of client information, using qualified individuals with up-to-date experience and understanding of the latest vulnerabilities and techniques used by real attackers.

CREST members work very closely with the UK’s critical national infrastructure providers where cyberattacks could do the most damage – from energy and utilities companies to major financial institutions. Working with the Bank of England, government and industry, CREST developed a new framework to deliver controlled, bespoke, intelligence-led cyber security tests for the UK’s most important financial institutions. The CBEST scheme is the first initiative of its type in the world to be led by a central bank.

However, recent reports show that companies of all sizes are under threat from cyberattacks, so CREST also helped to develop the technical assessment and certification framework for the UK government’s cyber security standards, Cyber Essentials and Cyber Essentials Plus. These set down baseline requirements for cyber hygiene and are now mandated for some government contracts dealing with sensitive data.

The penetration testing activities are also supported by similar accreditations and certifications for cyber security incident response. This helps organisations assess how prepared they are to manage a cyberattack, and CREST is working with law-enforcement agencies to provide a register where companies can look for help in recovery following a successful attack.

As we have seen, the results of a successful cyberattack can be devastating for businesses and individuals, so UK companies and the government need a professional cyber security industry they can trust and rely on.

For more information, visit: www.crest-approved.org