What’s changing?
We are now asking that all individuals involved in the delivery of a CREST accredited service register with CREST. There are two parts to this process.
The first is a new requirement of the member accreditation process. The second is optional and we have designed it to add value to both our members and the industry as a whole.
1. The individual provides some basic information that allows CREST to identify them as a unique entity. As part of this process the individual will be sent the CREST Code of Conduct to read and electronically sign. The application will then be reviewed and the individual will be issued a CREST ID
2. The individual provides additional information about skills, training, examinations and experience. CREST is asking for this information to gain a better understanding of individual competencies, as they relate to each accredited CREST member organisation. This information will be used to present organisations with skilled and competent teams more effectively to the buying community, governments and regulators.
The redesigned CREST website has a significant focus on connecting buyers of cyber security services with CREST member companies and is important that members are able to demonstrate their skills and experience. It is only through people completing step 2 that CREST will be able to do this effectively for its members.
All information shared with CREST through these two accreditation changes will be treated with the strictest of confidence and it will not be shared outside of CREST without the permission of the individual. No data shared through this process that is personally identifiable to any individual will be shared with CREST Councils, focus groups, or any other stakeholder that engages with CREST.
How does it work?
We have designed the process to be as quick and simple as possible.
Why Is CREST doing this?
Step 1 – The signed Code of Conduct
From our most recent member survey and meetings, workshops and webinars that followed, CREST received stakeholder feedback that we need to further our efforts to support the industry to professionalise. Part of this is ensuring that both organisations and individuals are more accountable for the services and the guidance that they provide.
We are all aware of instances where individuals delivering cyber security services have behaved inappropriately. Sometimes because of training issues. In other instances, individuals have consciously chosen unethical behaviours.
CREST relies on member organisations to guide and train teams in line with accredited policies, procedures and methodologies. However, we have little ability to enforce any sanction or remediation activity. By asking all individuals to sign up to a code of conduct, they are being asked to attest to following a set of rules, guidance and principles befitting of a CREST accredited company. This enables CREST to have direct engagement with individuals, and both encourage and enforce ongoing professional standards and norms.
Step 2 – Skills, knowledge and competency questions
A lot has changed since CREST was set up 15 years ago. For example, CREST now has member companies around the globe. We have democratically elected councils in Southeast Asia, the Americas, Australasia, The European Union and the United Kingdom.
To support mobility of labour and contracting markets, CREST has not historically tied the skills and experience of employed individuals directly to the accreditation process. However, this approach means there are increasing numbers of organisations accredited by CREST but there is reduced insight into the skills and competencies of their workforce.
Although CREST has no plans to tie the measurements of skills and competencies directly to the base accreditation process, we recognise the importance of providing greater signposting to buyers of competency.
Following discussions with members and other stakeholders, we are confident that this approach will better support member organisations at all levels. We also expect to introduce additional accreditation tiering alongside the current discipline focused accreditation standards.
A data driven approach to CREST’s future
It is hoped that this approach will improve member engagement and allow CREST stakeholders including buyers and regulators, to make informed data-driven decisions instead of ones that are based on gut feeling or intuition.
By gathering insight from multiple data points including, training, examinations, years of experience, industry experience and other specific skills and competency measurements, CREST will gather a rich dataset that captures regional and sectoral analytics.
CREST will clean and anonymise the datasets stripping details about individuals and member organisations. It will be aggregated and normalised to provide insight into the regional and sectoral based skills and knowledge that exists across the globe.
Once this data has been collected, anonymised and normalised, CREST will issue a Competency-Measurement consultation document to all CREST accredited companies. This will present CREST member companies with an opportunity to shape and influence CREST’s future accreditation tiers. CREST plans for the consultation period to take place in H2 2022, with the new accreditation tiering being formally launched in 2023.
CREST recognises that this signals change and for some stakeholders this may cause uncertainty, but we hope to be able to alleviate this with the ease of transition and the benefits that it will bring. The cyber security industry is growing and maturing at a rapid rate and buyers needs in 2022 are different to the needs that first existed when CREST was formed in 2006. CREST needs to evolve to ensure we remain valuable to our member companies and the other stakeholders that we engage with.
For any queries or further guidance please contact [email protected]