Discussions on the certifications required for a job in the various functions that make up cybersecurity have been going on for some time. From CISSP to CREST, knowing what to study for can be a challenge for anyone coming into the industry.
The most qualified penetration tester in the UK is Gemma Moore, co-founder of Cyberis, and Infosecurity got the opportunity to talk to her about the need to recognize certifications in the pen testing sector. “It’s just a job I love,” she admits, saying that the market “has room for everyone, and more” as it is growing all the time.
Cyberis was founded in 2011 “to be more client focused on what we were doing” and focuses on technical assurance, training and consultancy, including incident response, while the assurance side of the company provides penetration testing services.
Despite this, Moore said that new demand is coming in and is being met with a shortage of resources, “as pen testers are hard to find and they cost a lot of money.” However, pen testing is at the more desirable end of cybersecurity, as it taps into skills learned at capture the flag events and white hat hacking skills, and while businesses now know what penetration testing is and what a tester does, “it is as much about the person you are as what you know” in terms of how good a pen tester you’re going to be.
She said that there is a certain mindset and approach that is hard to find, and most pen testers tend to be “10° offset to the rest of the population” and tend to be more curious people. She said that some people do apply to Cyberis and ask them to “make them a pen tester,” and they can be trained up. A pen tester is engaged for between five and 20 days and is expected to bring a certain level of skill, whereas someone working internally as an engineer or analyst will be seen as a long-term hire.
Moore praised the work of CREST and Tiger Scheme, as the CESG CHECK scheme was not able to keep up with the demands of the public sector. “There are certain certifications where you can trust that they know something and CREST certifications are certainly those, and if someone is Tiger Scheme certified they certainly know their stuff, while there are some that are more global like OSCP,” she said.
Are pen testing certifications struggling because of a lack of globally-recognized certifications? Moore said that CREST is in the middle of becoming global and believed “the appetite is there to rely on CREST certifications globally and it’s been great for the UK,” as people can go to a company and be sure that they have got a test they can rely on. “The maturity in terms of those certifications worldwide just isn’t there in the same way as it is in the UK, and I hope CREST being more global will help that,” she said.
One concern raised with Infosecurity is the low quality of work delivered by some people claiming to be pen testers, which affects the wider sector. Moore agreed with this, saying she had seen a report which was a Nessus scan “with Nessus crossed out and replaced with the company’s name and it cost them thousands of pounds.” While the Nessus scanner itself is fine, and Moore admitted that there is room for vulnerability scanning in technical assurance, with no context around it “it is more or less useless as it doesn’t tell you what to worry about.”
As the most certified pen tester in the UK though, does she see certifications as a crucial part of hiring future employees? Moore admitted that because Cyberis recruits pen testers and then sells their time on to customers, it needs to be sure of people’s capabilities. However, you will find some people who have the “badge,” which is helpful for explaining to someone else what level they are at, but who lack overall capability.
She said that it is about the person: some employees do not have degrees, and Cyberis has brilliant people without a degree who have become brilliant pen testers. She said that she has worked with people with computing degrees and people with newer ethical hacking qualifications “and they are fine but pretty much don’t have a different level of knowledge from those people with a networking background or IT support who are curious and want to come into it.”
Moore said that pen testing is about doing, and not just writing about it, so while a degree may get you an interview, if someone looks promising from a good covering letter, Cyberis will almost always talk to them. “It is the ones who want to come and work for you, they are the ones you always want.”
She concluded by saying that pen testers “have a very broad set of knowledge to a very limited depth” but it is common that a pen tester will be “a jack of all trades and a master of some.”