Security council clarifies its intentions
The head of Australia's new council for security testers has publicly addressed the industry for the first time, clarifying its role and seeking to put minds at ease.
Taking the stage at the Open Web Application Security Project's 2012 Appsec Asia Pacific Conference, the CEO of the newly established Council of Registered Ethical Security Testers (CREST), Alastair MacGibbon, said that the council is at a very early stage, and that its future would be shaped by the feedback from the information security industry.
"My job is to help grow CREST Australia, but it can only be done in conjunction with the very broad community of information security professionals in Australia," he said.
MacGibbon said that the reason for forming a professional body in Australia was primarily due to the market's unregulated nature, and to provide a means to differentiate testers from someone who may do a professional job, but could otherwise be running as a backyard operator.
"What we're trying to do is to create a point of differentiation, so that you as a company, with overheads, with trained staff that you're paying decent wages to, will be able to differentiate yourself in a market that is crowded and has no real barrier to entry," MacGibbon told the conference audience.
To address the lack of regulation in the industry, MacGibbon sees CREST as a means for the industry to self-moderate itself, perhaps before more drastic measures such as regulation are needed, and that if the industry is mature enough to watch over itself, then mandatory licensing will not be required.
In keeping with that spirit, MacGibbon highlighted that being a member of CREST would be completely voluntary.
"No practitioner will be forced to sit the exam. No company will be forced to join CREST. It won't be like building a house or installing an electrical product where a person has to have an electrical trade certificate or a master builder's licence to lay the foundations for a house. No one is proposing that and I don't see it happening any time in the future," he said.
"I want to make it very clear that CREST, at least the board that currently exists in CREST, and certainly I, don't imply in any way that any company that doesn't join CREST or very professional people who choose not to be served by CREST, we're not suggesting in any way that they're not talented."
MacGibbon also responded to criticism over the exams that are used to attain certification in the UK CREST counterpart, which the Australian version is using as a guide.
"We can all be critical of the exam that exists, or of the tests that will be applied, but, if not them, then what? Because you have to have some type of standard," he said.
"The dentist that you go to sometime in the next year might have done dentistry 20 plus years ago, but still practices as a dentist. Lawyers that you might employ, as much as we probably hate doing it, might have done law school 20 years ago. Now they have continuing legal education, they have a regime that tries to keep them up to date, but we all know that unless they studied that particular case law that just came out, then they won't know about it. It's the same as any form of examination, but you have to have something."
While MacGibbon acknowledged that exams could be considered flawed, he views them as a good starting point, especially since they have been working with relative success in the UK, and it makes sense to use that experience rather than build a new professional body from the ground up and make the same mistakes.
"We can't sit there as a group of 1000 people or two or three thousand people and say, 'Look, what do we really think these companies are going to need as their entry criteria to get into CREST?'"
He said that most of the UK criteria for entry into CREST are sensible measures, such as whether an organisation carries appropriate insurance — measures that a professional penetration-testing business would already carry. He again stressed that in this early stage, he is extremely receptive of feedback.
"If you see CREST do things that you think is actually damaging to the industry, let me know. I sincerely want to know. This is going to be a process of not total democracy, but certainly, hopefully, one of co-creation and participation by a broader group."
The organisation's next steps are to establish a website and agree on the entry criteria for members. While it has not finalised the cost of membership, MacGibbon stated that they should roughly mirror the costs in the UK, and, although no formal decision has been made on recognising exams taken by "sister" CREST chapters, it would be likely that members would be able to carry exam credit between chapters. At the moment, membership costs in the UK are £7000, with additional costs for exams.
MacGibbon acknowledged that the cost is not cheap, but told ZDNet Australia that rather than raising the barrier for smaller businesses entering the market, he sees it as a means for them to increase their profitability and exposure by gaining membership.
The idea of introducing a low-fee option has been bandied about, with CREST UK establishing student membership rates, and could be a possibility for CREST Australia, but MacGibbon said that if this were to be considered, it would have to happen later down the track.