June 9, 2020

Last Updated on January 15, 2024

Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider. 
What methods does your organization have in place for vetting an individual or company that you are potentially allowing unfettered access to your entire network?
Ian Glover is President of CREST, which provides internationally recognised accreditations for organisations, and professional level certifications for individuals providing penetration testing, incident response, threat intelligence and Security Operations Center (SOC) services. 
He is also the President of  Bloodhound SSC 1k, which in addition to providing some fantastic SSC education for kids, is also the UK project team building the next land speed record car! 
Ian joins the show to talk about how turning to CREST approved organizations and individuals allows you to procure services from a trusted company with access to demonstrably professional technical security staff. When it comes to Network Penetration testing, nothing less will suffice. 
Ian appreciates a good whiskey, as well as the occasional need to cut off one’s own frostbitten finger whilst trekking around the South Pole. I mean, how can you NOT tune in, right? 

CREST and a CISO’s decision making process

What we are there to do is to provide support to the buying community to make sure they understand how to buy. -Ian Glover

As a CISO, deciding which cyber security related services to engage for Network Penetration Testing is an integral part of your role. It’s really difficult to assess the knowledge, capability and consistency of a service by individuals and companies who claim they can get the job done.
That’s the problem CREST (Certified Registry of Ethical Security Testers) is trying to solve for people in these decision making roles. It’s a really complicated purchase for a few reasons:

  • A lot of the elements are extremely technical. 
  • How can you trust the individual or company? 
  • You have to make sure they are going to protect your information.
  • Incident response is not the time for wondering about competent support.

To provide support, CREST established a rigid accreditation process for companies, and a respected certification program for individuals that is recognized internationally. Engaging members of the CREST network offers a level of confidence in avoiding making a misstep with a decision that if made poorly, could have disastrous consequences.  
You can throw money at your security operation centers and have all of the best products in the world, but that doesn’t mean they are working for you.

“They can all be sitting there, but if they’re not configured correctly, and we don’t understand what they’re doing and there’s no escalation then it’s a difficult thing to buy.” -Ian Glover 

CREST is an organization that’s had its policies, processes, and procedures, externally audited, and then technically validated, so the buying community has a verified place to turn for support. A CREST approved company or individual gives you the confidence that you are giving your organisation the best possible solution in the following spaces:

  • Incident response
  • Security operations
  • Threat intelligence
  • Network Penetration Testing


The rigorous process of CREST accreditation and certification

Ian considers the processes that CREST has in place as the “hardest invitation to tender that that organization will ever see.”
That’s a bold statement. As someone looking to vet an organization or individual to handle security needs, it may be just the type of scrutiny needed. Ian breaks down what it takes to become CREST Approved:


CREST accredits organisations through extensive, evidence based analysis. 
Their policies, processes and procedures are all closely monitored. Onsite audits are done as well as any appropriate technical assessments.
Accreditation is renewed annually, and the entire process is done every three years. 


The process for individuals is examination based, with 3 levels of certification:
Registered practitioner
Registered practitioner is classified as someone with approximately 2500 hours in the industry. Someone who has some time in the space, and has increased their knowledge base beyond what they entered the industry with.
Certified practitioner
Someone who is moving along in the industry, gaining expertise can take the Certified Practitioner exam, which is generally taken at around the 6,000 hours stage.
Certified practitioner
An individual having the ability to conquer the exam to become a certified practitioner, typically occurs at around the 10,000 hours in the industry mark. 
All practitioners, despite the level achieved, are required to take exams every 3 years to assure they have kept all of their skill, knowledge and competence up to date.

Having a certifying body evens the playing field

“I think an individual in this particular marketplace needs that underpinning of working for a professional organization. The combination of those two is I think where our strength lies.”  -Ian Glover

CREST has a buyer’s platform on their website that enables you to choose the level of competency you need in an individual or company, based on what your needs are.
So, for example, if you’re testing a noncritical network, you may only need a practitioner to do the work and a registered individual to sign off on it, saving you from paying a higher cost resource.
Once the level of expertise required is determined, comparison shopping is less scattered and more precise than outside of CREST, giving you, the buyer, a market determined price point to work with, as opposed to calling around and receiving very differently priced proposals.
Any CISO who has shopped around for network penetration testing lately knows the frustration that comes when you look at 5 proposals you can’t compare. They all have different methodologies, talent and terminology… que the apples to oranges reference.
CREST’s ability to help the buyer of security services make an informed purchase is one of the greatest victories they have logged in their long successful history.

This post is based on The Virtual CISO podcast hosted by John Verry and featuring special guest, Ian Glover

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.