The CBEST framework has been described as a major step forward in how to deal with threat and technical assessments.
Speaking at the Enterprise Security and Risk Management conference in London, CREST president Ian Glover said that the existing approach to penetration testing is more than adequate for organisations, is appropriate for current attack vectors and meets the vast majority of requirements. However, he said, there are currently systems that are part of the national infrastructure which, if affected, could have an adverse effect on the economy.
“We would like up-to-date information for real incident information and that is at the maturing phase, and know what is most relevant is up-to-date threat intelligence, and know what the threat is that you are exposed to,” he said.
“There has been a proliferation of companies offering services and, as with open testing, we need a way to differentiate to see who is professional and who is offering what they say that they do.”
He said that when CREST was tasked by the Bank of England to create the CBEST framework, he wanted to make something which “really makes sense”, is something for businesses and is stringent for critical assets.
“We want the ability to build a scheme to build in geographically and with new CREST [accredited] companies coming into this space, it is emerging as it is pulling in companies who do Big Data and small boutiques and do specific examinations in terms of threat examinations,” he said. “This is a fantastic opportunity to do something in this area but does not upset the regulators.”
He said that CBEST is exciting and demonstrates that the UK is driving this area in cyber security, and that, paired with the National Security Agency’s cyber hygiene offering, there is the opportunity to offer a global standard. “A really exciting time for the industry and to make a difference on the international stage,” he said.