Accreditation and website update from CREST

Dear Members,

Since taking on the CREST Presidency role in September, I have been keen to engage with both our members and our exam takers to get feedback on things we can do to serve you better.

We conducted an in-depth members’ survey just before Covid hit, and we have been focusing on the areas that you highlighted as being important to you. You asked us to explore changes in the accreditation process, and as part of that to look at tiered accreditation. In addition, you asked us to look at continuous improvement, to help ensure that CREST continues to be seen as the gold standard for accreditation.

One of the frequent comments we have received is that we need to do a better job of representing you, our members, to buyers of cyber security services.  When CREST was established 15 years ago, the cyber security market had a smaller number of service providers operating within it.  The market has grown significantly and consequently, the pool of capable service providers operating both domestically and internationally has grown beyond all our expectations.

To support CREST member companies to engage with the buying community more effectively, we will be launching a series of initiatives in the first quarter of 2022. I wanted to share some information about these changes so that you are in tune with our ongoing strategy for maximising the value we deliver to our membership and so that you get the opportunity to provide us with your feedback. I have also recorded a video that describes them here: https://youtu.be/z8CViFvBfYc

On behalf of the CREST team, I would like to thank all members for their ongoing support, and we look forward to driving these initiatives forward in 2022.  For members that have questions on any of the elements covered in this update, please contact the CREST accreditation team.

Rowland Johnson

CREST President

Website

Work is underway on a new CREST website that is designed to connect CREST accredited companies with buyers of cyber security services. We are creating a new framework on the website, based on the existing Service Selection Platform. This will allow members to better showcase their services and capabilities to buyers of cyber security services and support lead generation between buyers and members.

We will engage with all members in January and invite you to provide details of the content and collateral that you would like to showcase on the platform.

As members you will be able to tailor your company profile so that you have more control over how best to present your organisation and the services you offer to the buying community. So, for example, you might want to publish details about new research, events or ongoing innovation through these pages.

The aim is to actively encourage buyers of cyber security services onto a more dynamic platform that empowers them to select the services they require and to shortlist potential providers from the large database of CREST accredited companies.

The platform is also designed to deliver meaningful sales leads to member companies by improving and encouraging inquiries from prospective clients. It is our intention to provide our members with analytics and insight into the prospective clients that use our site.

Throughout, the website redesign will offer significantly improved navigation for member companies and cyber security professionals, allowing them to access the information they require quickly and easily.

Accreditation

We are planning to make some significant updates to CREST company accreditation so that the assessment process for members is linked with the individual skills and competencies that exist within members’ teams. The updates are designed to offer increased value to our members and support professionalism and capacity-building across our industry.

As part of the current accreditation process, we undertake a rigorous review of an organisation’s policies, processes and procedures surrounding quality metrics, data handling, contracting, background checks and more. We then undertake assessment around the individual discipline that the member organisation is applying for.

At the end of the assessment, once it has achieved the required expectations, the accredited organisation is obliged to sign a company code of conduct that explicitly defines the expectations and principles associated with being a CREST-accredited organisation.

CREST also has a code of conduct that is issued to exam candidates at the point where they sit a CREST exam.  In regions around the world where CREST exam uptake has been strong, it has resulted in large numbers of skilled and competent individuals signing up to these codes of conduct.  In regions where exam uptake has been less prolific, fewer people have signed up to the code of conduct.

In the first half of 2022, we plan to update the CREST accreditation process requiring all employees and contractors delivering CREST-accredited services to sign up to the code of conduct.  Any individual responsible for the delivery of an accredited service, for example, scoping, delivery or sign-off of a Penetration Test, will be asked to register via CREST’s accreditation portal.  The intention is for this to be a decentralised activity that will be undertaken by the individuals that deliver accredited services. We envisage that the whole activity should take no more than 5-10 minutes.

Through signing this code of conduct, individuals will be attesting to the fact that they will abide by the rules, expectations and principles that are required across the whole of the accredited discipline.  This change is something that CREST has been proactively encouraged to pursue by a series of governments, regulators and buyers around the world.  By having both companies and individuals sign up to a code of conduct, it provides buyers with a meaningful complaints process to address scenarios where service providers or their teams consciously choose to deviate from the expected rules and principles.

As part of this process, we are planning to ask a series of questions about individuals’ skills and competencies. The process will initially enable CREST to gain a deeper understanding of the skills, knowledge and competencies that exist across members and across regions. We plan to use this to gather feedback on people’s experience, training, development, examinations, research & development and wider cyber security contributions. This insight will enable us to understand domestic and regional cyber security norms, and it will also help us to shape a tiered accreditation process that is planned for the second half of 2022. Early adopters able to demonstrate their skills and competencies through CREST certifications will be highlighted on the CREST website in advance of the tiered accreditation changes.

Organisations that have invested in training and development through non-CREST pathways will still be able to demonstrate their skills and competencies back to the market in 2022; however, these changes will only be presented back to the buying community once the tiered accreditation approaches are launched in the second half of 2022.

We believe this evolution to the accreditation process will be a major benefit to organisations. This process will allow CREST to highlight organisations that invest in developing their workforces’ capabilities. CREST intends to proactively promote organisations that demonstrate skills and competencies, and that have signed both company and individual codes of conduct. It is CREST’s vision that this approach will foster investment in building cyber security skills, whilst being inclusive across other career pathways that have been delivered by other training and certification providers. The planned changes are designed to encourage upskilling in the workforce, whilst supporting capacity building at every level.

The buying community expects to be serviced by organisations that are highly capable, with robust policy and process. However, they also expect the individuals undertaking core cyber security tasks to be suitably skilled and qualified. This change to the accreditation process will support the creation of a tiered approach that is designed to focus the industry on capability building across all regions around the world.

Conclusion

The changes that we plan to introduce during the first half of 2022 will generate increased value for our members. The changes to the website will provide you with increased ability to showcase your services and competencies, whilst also allowing you to engage more seamlessly with buyers. The evolution in the accreditation process, which allows for recognition of skills and competencies gained through other training and certification bodies, provides a more inclusive strategy and offers greater capacity recognition within the market. The changes to the code of conduct will bind accredited service providers together with their service delivery teams to ensure a common set of approaches, expectations and principles. We believe that this activity will provide greater levels of confidence to the buying community that CREST accredited services deliver the gold standard for technical cyber security services.

We are keen to hear your views on the accreditation plans and would welcome any feedback from you by 14 January 2022. Please send your comments around tiering and your ideas on the skills and competencies we should be measuring and additional suggestions to CREST by emailing [email protected] within the first couple of weeks of the new year.