August 6, 2020

Last Updated on January 16, 2024

How is buying penetration testing services like getting a colonoscopy?
In either case, because of the technical specialization involved, you have no clue whether the practitioner actually did what they were supposed to do. You just have to take the results at face value.
So you hear, “Great news—we didn’t find anything wrong.” And you think, “OK… So either nothing’s wrong or you just didn’t know where to look. How do I know which?”
As a technical cybersecurity service provider, that’s not a position you want to be in with your client.

How do you ensure that clients trust your expertise and methodology from the outset?

By being CREST accredited. UK-based CREST (for Certified Registry of Ethical Security Testers) is a global nonprofit serving the technical cybersecurity marketplace. CREST’s rigorous audits attest that organizations and individuals offering services for penetration testing, incident response, SOC support and threat intelligence are ethical, skilled and employ best practices.
To share all the ways that CREST benefits buyers, sellers and practitioners of InfoSec services, we asked Ian Glover, CREST’s President and co-founder, to join The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual. (Full disclosure: Pivot Point Security is CREST accredited for penetration testing services.)
“What we’re trying to do is develop a sort of preferred supplier list,” Ian explains. “If you did an internet search on somebody doing penetration testing or incident response, I can assure you the list would be very long. So, at the very least, what we’re trying to do is bring that list down to an acceptable position. Therefore there’s a differentiator in the market for the CREST member companies.”
“CREST is very strong and therefore it’s almost mandatory within the industry that you need to have [CREST accreditation] to work in certain regulated environments,” adds Ian. “We’re seeing that now happen in places like Southeast Asia; we’re seeing that happen in Australasia. And we’re starting to see that happening more and more in the US.”
John mentions another key benefit: “As the Managing Partner here, one of the things that I like about [CREST accreditation] was … it allowed me to know that what we were doing was correct, was the right thing… which would be consistent with providing a high-value service to our clients.”
Beyond that, Ian notes, “It also allows some of the more boutique related organizations to put some structure behind their business and allow them to grow.”
Ian mentions by way of example how CREST helped grow and mature the penetration testing marketplace in Singapore. “I don’t think it really adds more competition; I think… you’re competing with equal, related organizations,” observes Ian.
By elevating quality standards and simplifying comparison shopping, CREST levels the playing field and supports all legitimate market entrants.
“You’re not trying to compete with a contractor who’s bought Nessus,” as John puts it. “One of the things which is amazing to me is we might … quote, let’s say $10,000 for a pen test. And … someone is going to ask me, “Why are you so much more expensive?” Or “Why are you so much less?” Because there’s no definition of what that is. This idea that somebody is offering ‘the same service for one-tenth the price’—you and I both know that’s not the case.”
John continues: “If they are looking at other CREST entities, then they’re looking at ‘apples and apples.’ One of the challenges I think any buyer has is how do I compare two proposals for pen testing services. If they’re both CREST-accredited companies… it allows them to do that.”

Many CISOs and other security decision-makers out there know the frustration of comparing proposals that reflect different methodologies, skill sets and even terminology. As CREST accreditation becomes more common in the US, that problem will diminish.

If your company delivers technical information security services, you’ll certainly want to hear the entire podcast episode with Ian Glover.
To listen to the complete episode, and get access to all our amazing podcast content, you can subscribe to The Virtual CISO Podcast here.
If you’d rather not to use Apple Podcasts, you can find all our episodes here.