Who do you trust with your network?
Would you give a random person access to the infrastructure that runs your business?
Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider.
But what methods does your organization have in place for vetting an individual or company that you are potentially allowing unfettered access to your entire network?
Ian Glover, President of CREST, is on the podcast to talk about how CREST provides internationally recognised accreditations for organisations, and professional level certifications for individuals providing penetration testing, incident response, threat intelligence and Security Operations Centre (SOC) services.
What we talked about:
- CREST and a CISO’s decision making process
- The rigorous process of CREST accreditation and certification
- Why having a certifying body evens the playing field
Check out these resources we mentioned during the podcast:
- Sir Ranulph Fiennes
- Bloodhound SSC 1k
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the tool is roughly 99% accurate, you may find some small discrepancies between the written content and the native audio file.
Speaker 1 (00:06):
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no-BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Hey there. And welcome to another episode of the Virtual CISO Podcast. I’m your host, John Verry, and with me as always, the Hobbes to my Calvin, Jeremy Sporn. Hey Jeremy, you’re not old enough to remember Calvin and Hobbes.
Jeremy Sporn (00:40):
I think I can remember something I read when I was a kid, I’m allowed to do that. Don’t tell me what I can and can’t do.
John Verry (00:45):
What did you think about my conversation with Ian?
Jeremy Sporn (00:49):
So he is a brilliant guy who has been in the security industry a long time. And what I really appreciate most about Ian is the way he keeps a very nontechnical listener like myself engaged in content that, to be frank, is over my head. And he said he had a lot of experience speaking with children. So what I would say about Ian is he’s sort of an example of that fictional idea of an “overnight success”. Crest has really started to achieve some renown, but you’ve got to remember his vision for that started in the early 2000s. It was, and is, a very important idea.
John Verry (01:27):
Yeah. And to anyone listening, if you don’t know who Crest is or what they’re about, I’ve actually thought about this a lot, and my very nontechnical explanation is think about that USDA organic logo, or that non-GMO project verified icon on food packaging. Without getting too political and diving into the complex world of food and nutrition, when you see those labels, you are expecting the makers of that food to have held to a certain standard.
Jeremy Sporn (01:55):
Buyers of that product have the assurance that the quality is to a certain standard and to their liking and sellers can easily demonstrate that quality of their product. This is what Crest does for buyers and sellers of security services. They give those buyers assurance that any service with that Crest seal of approval is conducting the service according to an acceptable standard and sellers, a simple way to verify the quality of their service and demonstrate their value, really, really cool stuff what Crest is doing for the security industry.
John Verry (02:27):
Well, so maybe an even simpler way to say it is, it’s a Good Housekeeping seal of approval for security companies, right?
Jeremy Sporn (02:34):
And it’s almost like you’re the marketer.
John Verry (02:36):
There you go.
Jeremy Sporn (02:39):
So this one is simple. If you’re a seller or consumer of security services, Crest is doing some great things for you already, stick around to learn more about Crest and really what they’re doing to help you and the security industry as a whole.
John Verry (02:52):
Sounds good. With no further ado, let’s get to the show.
John Verry (02:59):
Ian, thank you for joining us today. How are you?
Ian Glover (03:02):
I’m really good. How are you?
John Verry (03:04):
Good. And for the folks listening, Ian was kind enough to join us from England. Correct? So I’m catching you late in the evening there. So thanks. Appreciate you staying up late to have a conversation with us.
Ian Glover (03:16):
No, it’s no problem at all.
John Verry (03:18):
Cool. So always like to start easy. So let’s go with tell us a little bit about who you are and what it is that you do.
Ian Glover (03:26):
Okay. So I’m the president of a not-for-profit organization called Crest, and what our role is, is to represent the technical cybersecurity industry and to help build capacity, capability and consistency within that marketplace.
John Verry (03:43):
So before we get down to business, always like to kind of personalize the conversation. I ask a question I like, what’s your drink of choice? And I have a guess being you’re from England.
Ian Glover (03:55):
That’s a good one. I’m into Johnnie Jackson at the moment. So-
Ian Glover (04:01):
Yeah. So it’s either Johnnie whisky with ginger or it’s Jack with ginger. So that’s what I’m into at the moment.
John Verry (04:12):
Yeah. So yeah, we have something similar, Jack and ginger, meaning JD or Jack Daniels, which is a Tennessee whiskey sort of in the bourbon family. Johnnie Jackson, is that a particular brand out of England?
Ian Glover (04:24):
No, no, no. So Jack Daniels or-
John Verry (04:26):
Ah, it is Jack Daniels. Oh.
John Verry (04:30):
I got you. I got you. Yeah. I thought you needed to go… I didn’t expect you to go there. I thought you’d go with the pint, of course, at the local pub. And well, I thought you might’ve gone Earl Grey tea, right? Which seems to be an English phenomenon, so to speak.
Ian Glover (04:44):
I’m a spirit man, spirit and wine.
John Verry (04:47):
Yeah. You and me both. So thank you again. The idea behind having you on was Crest, which I think is something that a lot of the world knows about, especially those folks over in the UK, and a little bit newer here in the United States. So how would you explain, to the people listening, what Crest is?
Ian Glover (05:04):
So I think if I start with the problem that we’re trying to solve, then for the CISO audience I think it’s really hard to try and buy a cyber-related service. That all could divide because it’s really difficult to assess the knowledge, capability and consistency of the delivery of service by the individuals. And it’s really complicated to buy because a lot of the elements are technical. So if you’re trying to buy penetration testing, first of all, how can you trust the individual to know that they’re doing the right thing? How can you understand their level of competency in terms of what they’re doing? So they’re not going to adversely affect your environment or your systems.
Ian Glover (05:43):
And then how can you make sure that they’re going to protect your information? So in other words, the vulnerabilities that are found in anything they’ve got related to that [inaudible 00:05:51]. If you didn’t drop that to incident response, then at the time you’re suffering the incident, it’s really difficult then to identify who’s actually going to provide you with the type of support you need to actually help you through that process.
Ian Glover (06:05):
And therefore it’s very much a knee-jerk type buying, and it’s a very critical buy too, because you want to make sure that you’re buying the right individuals. And then even with things like security operations centers, you can have as many of the same products in the world, they can all be sitting there, but if they’re not configured correctly, they’re not turned on correctly and we don’t understand what they’re doing and there’s no escalation, then again, it’s a difficult thing to buy.
Ian Glover (06:30):
So I think we provide support to the buying community in that space. So what we’re doing is we’re trying to identify a trusted organization. So in other words, an organization that’s had its policies, processes and procedures externally audited, and then technically validated. And in addition to that, utilized skilled, knowledgeable and competent individuals. And I think that’s the essence of it. What we are there to do is to provide support to the buying community, to make sure they understand how to buy good.
John Verry (06:59):
Got you. And in terms of what… So I know Crest stands for Certified Registry of Ethical Security Testers. And if I recall correctly, and I’m sure if I don’t, you’ll correct me, you started with what [inaudible 00:07:13] Crest certified is more on the penetration testing area, but you’ve expanded that into some of these other areas that you’ve talked about, right? Incident response, security operations, any other areas that you’re currently through Crest certifying companies?
Ian Glover (07:26):
So we accredit the companies and we certify the individuals. So the accreditation part for the company is where we do that external audit and validation that they’ve got everything in place. And the only other one that we currently look at is threat intelligence. We believe that threat intelligence is going to be a very big thing, if it’s not now, in terms of understanding the types of attacks that organizations are likely to suffer in the future. So it gives them that level of anticipation.
Ian Glover (07:55):
So what we’re trying to do is we provide a stack of services. So in penetration testing, we do assessment in terms of people’s vulnerability analysis, we look at penetration testing, and then we look at their simulated target attack and response, or red teaming. So there’s different tiered approaches, as there is again in their [inaudible 00:08:13] threat intelligence and in incident response.
John Verry (08:16):
Mm-hmm (affirmative). And I actually, that area of threat intelligence actually makes a lot of sense to me because I think that’s one of those areas where perhaps people over promise and under deliver. I know that we’ve kind of subscribed to some threat intelligence services and it was just a churn of commonly publicly available information, open source stuff that had a lot of noise with it. So is that the idea there? Is that if organizations, you don’t want organizations to have a false sense of security with the threat intelligence that they’re receiving?
Ian Glover (08:48):
I think threat intelligence is… I’m surprised you didn’t throw a term like artificial intelligence in there, or some other thing [crosstalk 00:08:54] is that if you walk around the trade shows right now, you’re going to find a lot more artificial intelligence related stuff. A couple of years ago, there was an awful lot of emphasis on threat intelligence. When you actually dug beneath the surface, what you were actually finding was that the organizations providing those services maybe had a quick look on the dark web, they might have access to some SOC outputs.
Ian Glover (09:20):
They might have access to some of the SOC related information so they can look historically, but really they weren’t doing that rounded intelligence in terms of gathering information. So again, smoke and mirrors I think is a bad term, but really, it’s another one of those services that is really difficult to buy. I [crosstalk 00:09:39] too with the second generation of threat intelligence service providers who can do bespoke threat intelligence, or they can do continual threat intelligence.
John Verry (09:49):
The reason why you’re suddenly laughing. The reason I didn’t use the next generation is I remember talking with a guy on the phone and he told me that he had a threat intelligence feed that was… and he referred to it as a second generation, next generation artificial intelligence threat intelligence feed. And I just… the conversation didn’t last long after that.
Ian Glover (10:08):
No, absolutely, yeah. [crosstalk 00:10:10] as well.
John Verry (10:12):
Yeah. So you mentioned that you are certifying the company, right?
Ian Glover (10:19):
No, we’re accrediting companies.
John Verry (10:20):
Accrediting companies, sorry. I say that [crosstalk 00:10:22]. So you accredit the company-
Ian Glover (10:24):
[inaudible 00:10:24] the individuals.
Ian Glover (10:26):
So the companies, we do a lot of analysis. So really it’s the hardest invitation to tender that organization will ever see. So we do it from an evidential basis. So we go through their policies, processes, and procedures, something to abide by. We would have a lot of problems actually getting access to, we then validate that by onsite audits and we appropriately do technical assessments. And then we renew that every year, and then we completely go through the process again every three years. It’s a really rigorous process that we go through. And then for the individuals, we run the examinations for them, and our examinations come at sort of three levels. So we have practitioner, registered and certified. Practitioner level is probably two and a half thousand hours after entering the industry, so it’s a professional level qualification.
Ian Glover (11:16):
And then registered is around about 6,000 hours. We don’t measure it, but typically that’s what we see that somebody would have to have to be able to pass that type of exam. And then our certified is probably 10,000 hours. And then we reexamine everybody every three years. So someone would hope that they’re moving through their career pathway from practitioner to registered to certified. Even at the top level, we make sure that they’ve kept all of their skill, knowledge and competence up to date by reexamining them.
John Verry (11:45):
Right. So we’re a member of Crest, we’re a Crest certified pen testing company. And we think the program is excellent, and I do agree that you do a deep dive into what we’re doing to make sure that we say what we do and do what we say, and we do it appropriately and well. Question for you: if there are some reasonably good certifications for individuals for pen testing, I’m a huge fan of the CEH, but the OSCP is a pretty good assessment. How come you guys chose to develop your own sort of individual certification program?
Ian Glover (12:20):
So Crest has been around for 12 years, and at the time there wasn’t really very much else apart from some of the courses from [inaudible 00:12:29] and then some of the things from EC-Council, particularly CEH. But I think over that period of time, if you take, for example, EC-Council, then they’ve got their ECSA, a qualification significantly above a CEH. Even I could pass CEH and you really would [inaudible 00:12:46]
Ian Glover (12:48):
The ECSA was based on the syllabus that we developed for our practitioner level examination, and we have an international mutual agreement between ourselves and them in terms of that. And then if you look at the next step up, they’ve got their Licensed Penetration Tester. So what they’re doing is they’re combining training with the certification, which we think is a good plan. Crest doesn’t run training because we are a certification body in the individual space, but we are trying to build those relationships. So it’s clear to organizations and individuals what those qualifications mean. So CEH is an indication that you have some interest in the subject, that you can run some vulnerability analysis tools, but it really doesn’t demonstrate your capability as being a penetration tester. If you look at Offensive Security, then the primary two Offensive Security qualifications we really like. And again, we have a relationship with them where we do a recognition.
Ian Glover (13:45):
So if you look at the Offensive Security OSCP, then what you’ve got is you’ve got a really good practical examination. It’s reasonably well proctored, but what it doesn’t do is it doesn’t look at some of the elements associated with actually doing the work. And so to get our registered level, what you’d have to do is do the Offensive Security, then you’d have to sit our multiple choice and long form elements rather than just doing the technical assessment. So what we’re trying to do is to work with the major industry providers to provide both clarity in the marketplace, career pathways for individuals, and to make sure again the buying community is tying those things together, by understanding what they’re buying. I think the other really important thing is where we operate those equivalencies.
Ian Glover (14:29):
We still underpin that by our effective and implementable codes of conduct and codes of ethics. So the company signs up to a code of ethics and so does the individual. So if there’s ever a problem, then what we can do is Crest will do the investigation on behalf of the buying community. And I think something that’s critical is that type of penetration testing, but incident response is the same, threat intelligence I think is the same, then to have the ability to have somebody who would do an investigation and support you if you have a problem. I think it’s really important. And if we want to be a profession, that’s what we need.
John Verry (15:02):
Got you. Yeah. You’ve heard of the… probably heard of the concept of a credence product. There are certain products that you can do research before you buy them. You can look on the internet and you can look at stars on Amazon and say, well, this is probably going to be a pretty good product for me. And then there’s certain products that are experiential products. You really can’t tell how good the product is until after you experience it. But once you have, like dinner at a fine restaurant or a play, then you’ll know whether or not that was a value to you, whether it was well done. And then you’ve got this concept of credence, which is even after you’ve experienced it, you don’t know if it was any good. You know what I mean?
John Verry (15:35):
If you went to the proctologist and you had a colon scan, you go in, he puts you to sleep, you wake up, he says, things are good, things are bad, but you really have no idea whether or not they did what they were supposed to do. And to me, pen testing is sort of the same way. I think, and I’ve had a lot of clients actually say to us afterwards, like, “Hey, this is great news. You didn’t find anything wrong or you just didn’t know where to look. How do I know which?”
John Verry (16:05):
So to an extent, Crest is the answer to that, right?
Ian Glover (16:10):
I’m not sure that we’re the answer to your particular problem [crosstalk 00:16:14].
John Verry (16:17):
I meant the pen testing. Pen testing, not the [inaudible 00:16:17].
Ian Glover (16:18):
But yes, what we’re trying to do is to validate that the individual is competent to do that work. And really importantly, the combination of that with the trusted organization is a very important thing. Otherwise, you can have a really technically competent individual, but if they’re not supported by the organization that they work for in terms of the protection of client-based information, the processes they go through to ensure that they’re not breaching any governance rules or any data protection rules is really important. And I think an individual in this particular marketplace needs that underpinning of working for a professional organization. And that’s the combination of those two is I think, where our strength lies.
John Verry (16:58):
Right. And the other thing too, is when you get those really brilliant people, they tend to follow a level of instinct, and a good penetration test of course, is going to have a methodology that’s followed, that ensures that what needed to be looked at is looked at. So I think that’s the other advantage to having that, like you said, that validated methodology and knowing that the individuals are following it, because that way you know the completeness, not only the intelligence of the individual or the technical competency, but that they followed that methodology to ensure that they’ve addressed everything, which needs to be addressed to provide that level of assurance too, correct?
Ian Glover (17:32):
And it comes right down to such things as, if they put a program on your network, whether they’ve taken it away. So those sorts of things just sound like normal, ordinary procedural things. But I think you’d be very surprised sometimes in terms of some of the indications we get from the buying community about their experiences. So we are absolutely trying to improve the buying community’s experience. In addition to that, the work we do with the regulators, I think, is also providing a greater level of assurance as well, which is again another really important concept.
John Verry (18:05):
Got you. All right. So let’s talk about that concept of value proposition, right? So you provide value to the service provider, that being a company like ours, that comes to your organization and gets validated, and you provide value to the recipient of our testing services. So let’s start with someone like Pivot Point or any of your other Crest certified penetration testers, or incident response or wherever they might be. What’s the value proposition that you provide to folks like us?
Ian Glover (18:32):
Well, obviously what we’re trying to do is to develop a sort of preferred supplier list. So if you did an internet search on somebody doing penetration testing or incident response, I can assure you the list would be very long. So at the very least, what we’re trying to do is to bring that list down to an acceptable position. And therefore there’s a differentiator in the market for the Crest member companies. In addition to that, we do an awful lot of research. We do research in terms of such things as disruptive delivery methods. We’re doing something at the moment, again, on stress and burnout, which is quite important at the moment. We’re looking at all forms of diversity. So there’s that social responsibility element. And in addition to that, we’re working with governments and regulators all over the world, really trying to identify and open marketplaces for those types of organizations.
Ian Glover (19:23):
So for a new adopter, it’s a definite differentiator in the marketplace [inaudible 00:19:28] as you mentioned, Crest is very strong and therefore it’s almost a mandatory within the industry that you need to have that to work in certain regulated environments. And we’re seeing that now happen in places like Southeast Asia, we’re seeing that happen in Australasia. And then we’re starting to see that happening more and more in the US.
John Verry (19:48):
Mm-hmm (affirmative). Yeah, and the one other benefit from my perspective is that I am no longer somebody who could do any pen testing myself. I could probably pass the CEH as well, but again, you wouldn’t want me to do the testing. And to me as a managing partner here, one of the things that I liked about it was knowing that we had passed that accreditation and certification process, gone through your audit. It allowed me to know that what we were doing was correct, was the right thing, that we were doing things in a way which would be consistent with providing a high value service to our clients. So I think that helped us from that perspective, as well as helped me from that perspective, to know that we were doing things the way I thought we were doing them.
Ian Glover (20:25):
Well, I think it also allows some of the more boutique related organizations to put some structure behind their business and allow them to grow. I think, again, if you look at the experience in the UK and places like Singapore, when we first went to Singapore, you couldn’t find indemnity insurance for penetration testing, it just wasn’t available on the marketplace. And the argument was that therefore we shouldn’t be looking for that, but our argument was that we absolutely should be looking for that and we should be putting pressure on the insurance market within the Singapore marketplace to actually provide those sorts of products.
Ian Glover (20:58):
So now we have more than 40 organizations that are accredited in Singapore. We’ve gone from a much more boutique, very small contracting type model to quite significant growth in terms of what I’d class as proper developmental companies. So really good quality organizations that are growing. And I think to put that ecosystem in place to allow that, so that starts to happen and comes to fruition in terms of making the marketplace grow and mature, I think adds a huge amount of value. I don’t think it really adds more competition, I think the competition therefore is you’re competing with equal related organizations.
Ian Glover (21:37):
You’re not trying to compete with a contractor who’s bought Nessus.
John Verry (21:41):
Yeah. Yeah. So it’s funny you should say that, because one of the things which is amazing to me is we might go into an organization, we might quote, let’s say, $10,000 for a pen test. And it’s equally likely that someone is going to ask me why I’m so much more expensive than somebody as it is that they’ll ask why I’m so much less. Because there is no definition of what this is. Now, this idea that somebody is offering “the same service for one tenth of the price”, you and I both know that that’s not the case. So I agree with you.
John Verry (22:10):
One of the things that I do like about this is that if they are looking at other Crest entities, then yeah, you’re looking at apples and apples. And so I do think it evens the playing field a little bit, and I think that makes it a little bit easier for… I mean, one of the challenges I think any buyer has is how do I compare two proposals for pen testing services. If they’re both Crest accredited companies or Crest certified, sorry, I keep screwing up the terms. I think that you’re actually providing a very valuable service at that point because it allows them to do that. And I never really thought about that.
Ian Glover (22:42):
And if you look at our buyers’ platform, so on our website there’s a buyers’ platform. You can actually go down to the level you need in terms of the skill, knowledge, and competence of the individuals working. So if you’re doing a noncritical type function, you might be able to get away with having a practitioner do the work and a registered individual sign it off. But if you’re doing some of the more critical aspects, then absolutely you should get the work done by a certified individual and signed off at that level.
Ian Glover (23:09):
Where you’re doing work within the critical national infrastructure, then there are some additional certifications in terms of simulating targeted attacks. So these are very much sort of red teaming, but proper red teaming, and we think that those require some additional skillsets. It’s fine to be able to go in and do a penetration test. But if you’re looking at areas of critical national infrastructure, it’s critical that you’re not going to knock them over, or you’re not going to do false positives and make things worse.
John Verry (23:37):
Mm-hmm (affirmative). Yeah. And red teaming is almost a totally different discipline than conventional pen testing. So the idea of having a way to differentiate those makes total sense to me. Well, the other thing which I just thought of, which is really interesting as well, and I never really thought about this. And one benefit to us is, there’s some level of protection from an errors and omissions perspective. I don’t know if you use the same term in England, but in the US, as a company like us doing what we do, we need to carry a lot of what we call E&O insurance, errors and omissions.
John Verry (24:05):
In the event something did happen and we can say, hey, we were following a certified methodology that’s been validated by the best entity in the world to validate our approach, I would think that that would be something which would help protect us in that particular circumstance. So that’s also an interesting perspective on it.
Ian Glover (24:22):
But it’s also good for the buying community as well, because if there is-
John Verry (24:25):
Let’s talk about that.
Ian Glover (24:27):
… and there is a complaint, then the first thing we do is call on your policies and processes that we’ve accredited, and then we validate to make sure that you’ve actually been adopting them and you’ve been doing it in practice. So from our perspective, it’s a double-edged sword, because what we’re doing is you’re submitting stuff to us and saying, this is what we do, this is how we operate our business. And then if there’s a problem, I’m coming back to you and saying, demonstrate to me that you’ve actually taken… actually complied with the processes that you submitted to us. So it’s very important, and I think that provides clarity in the marketplace, and I think helps both the buyers of services, as well as the suppliers of service, and also [crosstalk 00:25:08] pen testers as well.
John Verry (25:10):
Yeah. I think that transparency is important. So I think you’ve touched on a lot of them, but I’ll let you summarize them with a little bow here. So we talked about the benefits to folks like us, the service provider, the tester, what would be the benefits to the end organizations that would consume one of your Crest certified partners products?
Ian Glover (25:30):
So again, from the buying, from the buyer’s perspective, what we’re trying to do there is to make them an educated buyer. And that’s really our aim in those areas. So to provide them initially with an indication that the organizations that are accredited by Crest and the people that are used are certified, I think provides an awful lot of confidence in terms of the ability for that work to be conducted. I also think if things go wrong again, the codes of conduct, and the fact they were enforceable is really important to us.
Ian Glover (26:03):
We do strike people off, we have struck people off. We do do investigations where we ensure that the organization improves its position. All of those things I think are really important to the buying community because these are professional services and therefore should be operating as a profession. I think the other part that we haven’t mentioned in that is the benefit for the individuals who hold their certifications, that there is a proper career pathway, that you enter a practitioner and you come out certified and then there’s certain specializations out the back end of that. Within our community you really understand the difference between being a certified person or somebody that carries a practitioner level qualification. And I think that career pathway is really important.
Ian Glover (26:48):
It helps organizations like you to understand somebody’s CV, but it also helps the buying community to understand what they’re buying and at what level, but it helps the individuals to orchestrate their career pathway to make sure it’s moving in the right direction.
John Verry (27:02):
Got you. And then you did mention I think at one point, that there are either certain organizations or certain governmental entities that have embraced, if you will, and prefer Crest certified entities. Can you touch on that briefly?
Ian Glover (27:18):
Absolutely. So I think the regulated community is a really interesting one, and I think we’re going to learn a lot about what our industry should look like for the future in terms of looking at what they’re doing. We worked very closely with the Bank of England, for example, to develop something that was called CBEST, this world’s red teaming based on threat intelligence. So we call it simulated targeted attack and response. And basically what we’re trying to do there is to provide a regulatory tool.
Ian Glover (27:47):
So what they’re doing is they’re utilizing the industry to help them to do that level of assessment on their critical infrastructure. So in the UK the top 38 systemic risk areas in financial services have been assessed by CBEST organizations, and those reports have gone to the regulator for action. And I think that’s absolutely something that we’ve never seen before in this particular space. I think there is still some maturity that will come through in the marketplace because at the moment it’s not necessarily being completely used as a regulatory tool as other regulatory tools are. But I think we’re just about to launch something called STAR-FS. So this is similar to Simulated Targeted Attack and Response in the specialist area of financial services and that’s been adopted by a much wider community. And what we’re seeing there, again, the regulators are using that as a benchmark against which to measure their performance.
Ian Glover (28:43):
We’re also seeing similar things with aviation. For example, IOTA in Europe and we’ve seen similar things within the Civil Aviation Authority within the UK. And again, critical infrastructure is being assessed. We’re looking at things like the NIS directive and actually putting some technical measurements in place to ensure that somebody actually complies with that directive. So to base that as a regulatory tool is really very important. I think it’s been [crosstalk 00:29:10] by others because what we’ve now seen is people like the Hong Kong investment banking community, we’ve seen MAS in Singapore, the Monetary Authority of Singapore. We’ve also seen directives coming out from the European Central Bank in terms of doing this type of work in a regulated environment, and that’s beginning to promulgate in different parts of Europe in various forms.
Ian Glover (29:32):
And the more consistently we can apply it, the better it is for the buying community and also the better it is for the suppliers because they understand what they have to do to get into those positions. And we’re actively looking at other areas of critical national infrastructure right now.
John Verry (29:48):
You mentioned this, which framework would that be? The same MC, the security framework. Which framework were they looking at?
Ian Glover (29:54):
It’s the NIS directive.
Ian Glover (29:57):
[crosstalk 00:29:57] for critical national infrastructure, this is a [inaudible 00:30:01] requirement, and previously the work that’s been done in there is very much sort of questionnaire based. I think the Civil Aviation Authority, not because it’s UK based, but I think they’ve done a fantastic job of taking that. So they’ve combined the NIS directive with their Cyber Assessment Framework for the aviation industry. They send out a questionnaire to their regulated environments, the questionnaire comes back to the regulator, but then they use Crest organizations to go and validate that those responses were fit for purpose. And again, that’s a huge tool at that point because they’re getting the skill and knowledge and competence of the industry to support that type of regulated activity. I think that would be quite a dramatic change in the way that we provide services in the future.
John Verry (30:48):
Any thoughts on IoT? We’re seeing just a tremendous amount of focus in that area now. I think it’s driven by California Senate Bill 327. So we’re seeing more of an emphasis on that kind of testing. And that’s definitely a different type of testing and a much more complex form of testing. Have you guys looked at that at all, and anything coming down the pike?
Ian Glover (31:10):
So I normally class the Internet of Things in various categories. So you’ve got the internet of stupid things, you’ve got [inaudible 00:31:18] things and you’ve got the internet of weak stuff. And I think what we’re looking at with critical national infrastructure, what we’re doing is looking at that assurance in terms of the IT/OT relationship in [crosstalk 00:31:34] things like switching plants, in things like all the elements associated with critical national infrastructure.
Ian Glover (31:40):
So from my perspective, what we need is a process for looking at the assurance in those areas and I also think we need a process for putting pressure on some of the major providers in their area of that type of switching environments to actually improve the way that they do cyber related security. If you then look at the internet of useful things, then it’s a really difficult environment because what we’re seeing is replication of the same software over and over again.
Ian Glover (32:11):
So it’s the same tricks and the same software, and therefore the vulnerabilities you find in one product are just expanded everywhere. And therefore some of the vulnerabilities that are associated is completely inappropriate. And I think what we need to do is to find a better way of designing out those sorts of problems. And also I think, if you look at semi autonomous and autonomous vehicles, again, our members have probably looked to all of the major manufacturers of autonomous and semi autonomous vehicles. I think we’re making significant improvements in the way that cyber security is operated in that space. I also think what we’re seeing is a segmentation between critical functions and noncritical functions. If you wanted to attack a vehicle, you go for the easiest option. Therefore, if you can get from [inaudible 00:33:00] systems, the control systems, that’s really bad.
Ian Glover (33:03):
So therefore what you need to do is to separate those critical functions from non-critical functions. And that could be everything from indicators to brakes, but if we can separate those things off and have a higher level of assurance on those critical functions, I think that’s a very important thing. So I think there’s a lot again we can learn from the aviation industry in terms of segmentation of critical and noncritical systems.
John Verry (33:26):
Yeah, no, I agree completely. And I do think that the focus is there, but it’s interesting because you mentioned the fact that these same vulnerabilities get deployed on lots of devices, even if they’re less critical devices. I mean, so we go back to the Mirai botnet, right? Which was terabit denial of service, could take down governments and pretty much anybody they wanted to with a distributed denial of service attack that was caused by a bunch of video cameras being deployed with the same vulnerability and someone being able to take control of those devices and use their bandwidth.
John Verry (33:57):
So it is a really interesting world with that, and anything you guys can contribute there would be great because I do think it’s something, especially as 5G comes into play and as you talked about artificial intelligence, that machine learning component of it, we’re embarking on a brave new world that… And I think we’re a little ahead of ourselves in terms of what we can do versus what we can do securely. So anything that folks like you can help us get to a point where we’ve got a good framework, a good structure, a good set of standards that work well for that world is something that I would love to see.
Ian Glover (34:35):
So it’s only, I mean the idea of good standards in this particular area of the business I think is very important. The difficulty is trying to get a standard that’s going to evolve and move fast enough to actually mirror the sorts of things that you are describing. If we go along the [inaudible 00:34:52] route, it will take three, four years minimum to get past a Publicly Available Specification before you even start moving into a proper standard. And therefore by the time it gets there, it becomes a management standard rather than a technical standard.
Ian Glover (35:09):
And I think what we’ve got to do is to look at a different way of doing some of those technical standards and persuading organizations to actually spend maybe a tiny bit more money, but in the big scheme of things, not a great deal to actually look at good products. And I think what we need to do is move away from speed to the beach to having a more longevity in terms of the products that are actually developed and put into the marketplace.
John Verry (35:34):
From your lips to God’s ears. All right. So I think we did a pretty good job of covering everything out on my list. Anything else you want to add about Crest?
Ian Glover (35:43):
I think we’ve talked quite a lot about the sort of consulting business and I think what we’re currently doing is working in the advisory space. So if you look at big traditional consultancy firms, then the advisory space is where you look at something and give some advice and guidance to somebody about what they should be doing. My view is that we are now starting to see really heavy fines coming through different forms of data protection, quite rightly so, and the protection of personal information or good governance. And I think where organizations are suffering breaches now, I think your audience is therefore right in the front line. So you’ve got the chief information security officer there, the person that’s going to be standing in front of a governmental committee, in front of an audit committee, in front of the shareholders, in front of the board itself.
Ian Glover (36:38):
And they’re answerable for the actions that they’ve taken. And all of a sudden they look around behind them and realize that the people that have been providing them with advisory services aren’t necessarily there. The penetration testing organizations, they’re not invited in the room, but the report, which has probably got quite a lot of [inaudible 00:36:57] in one form or another, is being used as evidence against the individual. In other words, to demonstrate they haven’t taken appropriate measures. And I think if you look at the way the fines are being levied at the moment with some of the data protection legislation, it’s based on turnover, not in terms of any tangible impact that any individual or the company itself has suffered. And that’s a really unusual way to levy a fine. So you’ve got these [crosstalk 00:37:24]-
John Verry (37:25):
Ian, real quick. When you say turnover, I think that’s an English term. You mean revenue, not employee turnover. Okay, good.
John Verry (37:33):
Sorry about that. [crosstalk 00:37:34] Don’t use the term bonnet either, okay? Because we won’t understand that either.
Ian Glover (37:45):
Absolutely. So what I believe is we need to start to move towards an opinion-based service. So there needs to be this concept that a professional in this industry is willing to stand up and say that in our opinion, the organization has taken appropriate action. You’re never going to get 100% security and therefore there’s always going to be a subjective viewpoint here in terms of the level of security that’s provided. And I think what we need is for professionals in this space to start to provide that type of an opinion in the same way as you would for your financial audits. For example, for your accounting, what you do in terms of the more traditional elements associated with health and safety. And those sorts of things have got proper standards in place and they form part of the board reports that go in a consistent way, and it’s signed off by a professional person.
Ian Glover (38:37):
And at the moment, we are criticizing senior management for not understanding the terminology we use, and sometimes criticize them for not understanding risk. But I can assure you that most of the senior management absolutely understand risk. We’re just not using the right type of language and the right type of tools. If there was a major problem within the organization associated with money laundering or somebody who was taking the pension fund and spending it inappropriately or there wasn’t good governance in place and they failed the audit, absolutely, things would happen immediately because that would have a detrimental effect on the share price and it would have a detrimental effect on the way that the organization’s management is viewed.
Ian Glover (39:18):
And what we haven’t done as an industry yet is to move to that position. We’re still providing advisory services and we’re saying we think you should be doing this and I think we should start to think about how we should move towards an opinion based and I think your audience are absolutely the right people to help us to move that process forward.
John Verry (39:37):
You got me thinking as you were talking, and I never really thought about this as well. One other value if you will, to a Crest test versus a non Crest test is there’s this concept in breach or in being in front of a board after something’s gone on, there’s being negligence or having due diligence. And do you want to be the guy that’s sitting there that said, well I thought we had testing done, we did and they didn’t find anything. Who did the testing? Who were they? How did you know that they were qualified to do that? Who else did you look at? Well, we didn’t choose these guys because it cost $1000 more. Yeah. But they were Crest. I mean, there’s some level of validation that you’d know that they were going to do the work right.
John Verry (40:19):
You pick [Mel’s 00:40:20], they didn’t do it the right way and now we’re in trouble. So that’s actually an interesting point as well, is that it does provide… and I agree with you. I carry the CSO title here and I’ve had a lot of people who, we act as the virtual CSO for a lot of organizations because people don’t want the CSO title, they don’t want that responsibility. They don’t want that risk associated with those decisions. So this idea that you’re protecting yourself by aligning yourself with an open trusted standard and a validated entity is actually a very good point that I hadn’t thought of prior.
Ian Glover (40:53):
And I absolutely think that’s the direction of play that we should take as an industry. And we need the buying community and even potentially some of the regulators to help us along that pathway. And at that point, for cyber related security reports that goes to the board have meaning and they have content. And at the moment they haven’t got meaning because you don’t necessarily understand them and they don’t have consequences because if you don’t do anything about it and you come back the next year and do the same penetration test, the results could be exactly the same. It’s really unusual to do a test. There’s lots of talking about penetration tests, and in actual fact we should be looking at what the output is because that’s the important bit. Have we made any improvements? I think that’s really critical.
John Verry (41:38):
Excellent. I agree with you completely. So this conversation was worth my time because now I’ve got some things running around my head I didn’t have before. So thank you. It’s one of the reasons I always like talking with smart people. I always like to finish with a question or two. The first one is always from one that’s just a little bit more fun. What’s a fictional or real person you think would make either an amazing or horrible CSO and why?
Ian Glover (41:59):
So you did pose this to me before, which always worries me because I’m very bad [crosstalk 00:42:03]. There’s somebody called Ranulph Fiennes, who maybe you’ve heard of or you haven’t-
John Verry (42:14):
No idea what that is.
Ian Glover (42:17):
So he was the first person to travel to both the North and South Poles by land. The only person who’s ever done that. He, at 65, continued to climb Mount Everest. He completed the pole to pole crossings. Just quite an incredible person, right? That is just this great adventurer. If you’ve never read any of his books or you’ve never heard of him, then please go and find them. But the reason why I think that’s good is because I don’t think he was ever short of a challenge. So there was always this view that there’s something more exciting that you can do. There’s something again that would light up the world and inspire people. And I think that’s really good. I also think that he was really good at planning, or he’s really good at planning, but more importantly, he let his wife do the planning for him.
Ian Glover (43:04):
So in other words, he realized his limitations and went to a higher person to make sure. And she was very understanding and let him go away for years. I think if I was married to Ranulph Fiennes I think I might let him go away for years as well. But I think the other interesting thing is if you ever read about him, his educational background was very, very unusual. He got thrown out of a lot of schools and had quite a lot of interesting things happening in the army. So again, coming at things from a slightly different direction, I think, is a great attribute. He also selected his teams not on their previous experience or not on the norms, he used to very much look at how he built his teams on their personal attributes.
Ian Glover (43:54):
Can he walk with them across the poles for a long time because I’d imagine that would put quite a pressure on individuals, and therefore this concept of building teams based on some bond between them, I think is very important. I also think-
John Verry (44:10):
I think that the culture is one of those often overlooked components of any team. And I think in security, where we’re under the insane amount of stress that we are on an everyday basis, I couldn’t agree with you more that that team culture concept, selecting people as much on their qualities as their qualifications, sounds pretty brilliant to me.
Ian Glover (44:31):
And always leading from the front. So he was the first… I remember he had frostbite in one of his fingers, so he went down the shed and cut it off because he couldn’t be bothered to go to hospital. It’s that mentality I think is growing-
John Verry (44:47):
You’re not suggesting that the CSOs listening to this culture cut off their fingers to prove to their team that they’re leading [crosstalk 00:44:55] because we just lost a lot of business at that particular moment. They were already worried about going to the South pole, now you got them cutting off digits?
Ian Glover (45:03):
Absolutely. Yeah. But that loyalty that he builds within his team and also the sort of great inspirational speaker that he is as well, I think to be able to articulate an argument is really important. And also he used to start from zero. So he had no money in the bank and wanted to go to climb Everest or do the poles and therefore he had to go and get the money from people and therefore had to be really persuasive, had to be persistent and had to articulate in a way that he derived benefit for those organizations. I think that’s a good lesson for us all to learn. And I think that loyalty-
Ian Glover (45:41):
Absolutely, that loyalty and dogged determination, I think, is just inspirational. And I think we should be inspirational leaders. This is a really important subject we’ve got here. And if we don’t try to be inspirational, then we’re not going to encourage the very best people into our industry and we’re certainly not going to get our messages listened to. So again, inspirational leadership I think is something we would look for in an ideal person.
John Verry (46:08):
That was a fantastic answer. And fantastic enough, I want to know who Ranulph Fiennes is, so I’m going to look it up. And I will also say, part of my thinking that it was such a fantastic answer was my concern you were going to say Boris Johnson.
Ian Glover (46:23):
Political leaders are certainly not [inaudible 00:46:26].
John Verry (46:28):
All right. So on that bombshell and that’s a Jeremy Clarkson, which is another English reference.
John Verry (46:34):
But the last question. You chat every day with folks in our industry, based on those conversations, what do you think might be another interesting topic for another episode?
Ian Glover (46:45):
We’ve been really fortunate recently to get some funding from the Gates Foundation, and the idea behind that, I struggled to identify why they came to see us and quite what they wanted to do. But their concept is that if they’re going to raise people out of poverty, then they need access to good banking services that are well-governed and well secured. And in addition to that, we’re taking a community that isn’t used to using technology in any form. And we’ve skipped traditional banking and gone straight into mobile. So there are significant risks associated with that.
Ian Glover (47:19):
And in order for those countries to build what they’re trying to achieve and to actually protect their citizens and get them out of poverty, what we need to do is to build an ecosystem related to cybersecurity. It’s fine for them to buy in services, but we believe that they should also try and develop that domestic capability. So I think to have a conversation about building capacity and capability is really important. And I think putting that into an overall ecosystem will be a really good topic for conversation.
John Verry (47:51):
Interesting. Well, good luck with that. I mean, that’s actually really interesting and a lot of the things that the Bill & Melinda Gates Foundation are doing are pretty remarkable, so congrats. Hope that goes well for you. And so one last thing before we say farewell, how can folks who either would like to become a Crest certified… I almost had accredit again, entity or anybody that’s in this industry that would be interested in learning more about Crest, get in touch with you guys.
Ian Glover (48:20):
I’m more than happy to share my email address, it’s [email protected] [inaudible 00:48:27]. I’m sure you’ll have some covering notes associated with this they can go through.
Ian Glover (48:32):
I would look on our website, it’s very much a push website, so in other words there’s an awful lot of information in there. Nobody’s website is ever perfect, but I think there’s a lot of really good inspirational stuff on there that describes what it is we’re trying to achieve. We also have a Crest advocate YouTube channel where we’ve got about 600 hours’ worth of professional content, IPR free and free, and I’d look at our publications, our research publications, that look at things like areas where we need to improve the industry and what we need to do, but also those elements associated with the social responsibility that I believe we should have as a profession.
Ian Glover (49:09):
So, I’m more than happy for you to email me, I’ll pass it on to somebody sensible to respond. Have a look at our website, there’s lots of detail in there that’s hard to extract, but that will provide some format to ask the questions. And if you’re interested to know more about the sort of subject area, I think we’re really bad at writing white papers, and I think our YouTube channel is starting to be used by academic institutions all over the world as a sort of pre-reading list, so I’d use those sorts of tools as well. But spend a bit of time to find out what we do. It’s a proper not-for-profit organization and we are genuinely here to support the buying community and support the supply community in terms of differentiators and also to help the community understand their career pathways, about how to get in and how to develop within the industry, which has been fantastic to me.
Ian Glover (50:02):
I’ve worked in this industry for more than 40 years and I’ve enjoyed every minute of it. It’s a wonderful place to be and it’s great to be able to make a social responsibility difference. And I think we genuinely do that from a technology perspective.
John Verry (50:16):
Excellent. Well listen, we’re fans of Crest and big believers in it and look forward to everything that you guys are going to be moving forward with and pay attention to all of it. So thank you again and not only for what you’ve done over the last 10 years, but also for participating today. So this was a wonderful conversation. Appreciate it.
Ian Glover (50:35):
It’s been great fun. Hope to see you again.
John Verry (50:36):
You got it.
Speaker 1 (50:39):
You’ve been listening to the virtual CSO podcast, as you’ve probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there (silence).