The cybersecurity industry is not functioning the way it should, says Rowland Johnson, President of cybersecurity accreditation non-profit CREST International. He is referring to the often confusing language surrounding cybersecurity products and services, which results in an asymmetry of information between buyers and service providers.

For instance, one provider’s “security assurance activity” could be another organisation’s “penetration test” or “vulnerability assessment”. “To your average buyer, that’s just confusing,” says Johnson.

The job of buyers becomes even more challenging when considering the often confidential nature of cybersecurity transactions. When organisations are looking to engage a service provider, they often use past references as an indicator of an organisation’s reliability. But within the cyber domain, such transactions or partnerships are usually protected under a non-disclosure agreement, as nobody wants to be identified as having multiple vulnerabilities detected within their systems, Johnson explains.

Even sample reports may be difficult for buyers to understand, as there may be ambiguity and inconsistencies in the reporting. There continues to be a gap as organisations understand that they need cybersecurity services but are unsure of what services to procure and how to do so, he continues.

Accreditation to verify credible solutions

In light of these challenges, Rowland believes that accreditation may signpost credible solutions for these organisations.

CREST helps to do so by assessing the key considerations that governments, regulators and industry have and deciding what the most important attributes are when measuring a service capability. These could include an organisation's financials, how long it has been around, its insurance policies, and how it stores and communicates data, among others.

Beyond the cybersecurity provider’s general performance, CREST also offers discipline-specific assessments. In the field of penetration testing, for example, accreditation may assess a provider’s methodology for testing, how they identify and report vulnerabilities, their procedures to weed out false positives, and so on.

The last thing CREST looks at is the “skills and competencies that exist within the organisation itself”, Rowland says. They do so through assessments of cybersecurity professionals, which are designed to “identify whether an individual is appropriately skilled and competent for the services that they deliver,” he explains.

This ensures that cybersecurity professionals are still able to carry out their work when hiccups occur. For example, when a cybersecurity tool fails to work, the practitioner will need to be able to dig deeper and be able to troubleshoot the problem.

“There’s lots of different pathways to demonstrate skills and competencies,” he says. “Our suggestion is to look at qualification as indicators, but not exclusive indicators.”

For example, Johnson suggests that organisations also take into account whether the cybersecurity provider is actively conducting research or demonstrating thought leadership within the industry, as further indicators of a service provider's reliability and service quality.

The accreditation process for both the services themselves and the professionals delivering them can be delivered in the form of programmes. CREST recently launched a programme called the OWASP (Open Web Application Security Project) Verification Standard (OVS). The verification standard will provide an organisation with a scalable and consistent approach to web and mobile application security standards, according to CREST’s website.

It is only when an organisation has both strong security testing services and high standards for individual employees’ skills and competencies that they will become a CREST OVS Accredited Provider, Johnson explains.

Defining better international standards

Cybersecurity professionals, government agencies, and regulatory bodies are constantly looking at defining good cybersecurity standards, Johnson says. In the past, the cyber industry has been averse to the idea of defining standards, as it tended to think that doing so implies a race to the bottom or that every product or service needs to look a certain way. But without such definitions, the cyber industry may lack standards altogether, he notes.

Another obstacle in setting standards is that many cyber organisations get “stuck in the weeds of what is best” and fail to take any action as a result, Johnson observes. Instead of exclusively focusing on what is best, Johnson proposes that organisations first aspire to create good standards.

“Once we’ve got good, let’s try and get better, as opposed to always trying to focus on what is the best thing,” he explains.

The standards set also need to be international, as cybersecurity does not have borders, he adds. In cyber, it is common for organisations to procure a service in one country but have it delivered in another.

Johnson says: “Unless we tackle this internationally, what you end up with is a patchwork quilt of different regulations and legislations that are trying to align organisations to the needs of a local market, despite the fact that cybersecurity services are both bought and delivered in an international format.”

For instance, the United Nations has an Open-ended Working Group on cybersecurity matters. The Working Group held its third meeting in July this year, at which it published a set of recommendations including voluntary, non-binding norms of responsible State behaviour. These include a call to share knowledge and good practices on cybersecurity, and to refrain from actions that may damage the critical infrastructure of other nations.

Join Rowland Johnson at GovWare 2022, where he will be speaking at ‘Tech Talk: A New Dawn of the Global Cybersecurity Market: Buying Cybersecurity Services with Confidence’, happening on 20th October, at 12.50pm, at the Exhibition Hall in Sands Expo and Convention Centre.

This article is published in partnership with GovWare 2022.