What is CREST?
The name CREST gets thrown around a lot in the cybersecurity industry and it’s important to know what it is before you consider it as a certification.
CREST is one of the many ways to be certain that the cybersecurity team you’ve hired for your organisation are qualified, knowledgeable and skilled. CREST is governed by a collection of security specialists, experienced in their field. They also advocate for high standards, widespread awareness and ethics in the cybersecurity market.
Why Is It Still Relevant?
So I approached two of our own penetration testers, Luke Hill and Kieran Twidale-Smith, to find out why CREST is still relevant. Luke told me, “CREST is relevant for pen testing businesses as many government departments require CREST-approved people to do the work”. I asked why CREST wouldn’t be considered relevant; after all, it must be up to date for it to be used by top-tier government officials. “When we talk about why CREST isn’t relevant, that’s more to do with the qualification’s syllabus which is stuck on technology from 2005 and doesn’t include cloud stuff and other new technologies”. That being said, CREST doesn’t have to be your certification of choice. Tigerscheme and Cyber Scheme can also be used, but “CREST are by far the biggest”.
Tigerscheme and Cyber Scheme are very similar to CREST but have different exams. Luke informed me that CREST, Tigerscheme and Cyber Scheme are “all considered equivalent by CHECK”, the NCSC’s way to approve companies that can perform cybersecurity services. When I asked about Tigerscheme, Kieran told me that their assessments “show you’re at a standard to complete security tests on infrastructure and web applications”.
In conclusion, CREST is still relevant as it’s still seen as a worthwhile certification in the eyes of CHECK. Episode 12 of the 404 podcast talks about this exact subject in depth if you want to have a listen.