Has anyone had any experience with the CREST certifications? They seem to be very popular in Europe with some countries saying that they are going to require anyone performing Penetration Tests or other Cyber Security testing to be "Registered and Certified", basically a license to hack. It looks like CREST is the chosen certification for this.
From discussions I have had with members of my cyber security team in Europe and Asia, licensing of cyber security personnel is in the discussion phase currently, with Malaysia taking the major lead on this. In Europe, CREST (http://www.crest-approved.org/about-crest/crest-mission/index.html) seems to be the certification of choice, replacing the CISSP or CEH certifications.
ISC2 needs to pay more attention to this; there have been calls as early as 2014 for the US Government to consider the licensing of Cyber Security Professionals, much like Doctors are licensed.
I think that the call for licensure depends on what function of “Cyber Security” a practitioner is performing.
I believe there have been calls for folks performing external Audit and Forensic services to the public to be licensed. And traditionally, these types of positions are required to be licensed in most U.S. states. The public accounting firms corner the market on these types of services for just this reason, because they are the major employers of Certified Public Accountants (“CPAs”) with their corresponding state license.
In design-build functions, such as those manufacturing and producing security appliances, this may also hold true. This falls under ABET and the Professional Engineer qualification, with its corresponding state licenses.
On the other hand, you have folks that are configuring individual pre-manufactured products, and integrating them into business computer enterprises. These folks have traditionally not been licensed, but certifications have distinguished them as professionals. This is similar to other industries such as accounting where you have Certified Management Accountants (“CMA”) that perform business services without a state license, but then have their work certified by the CPA with a state license.
In my observation, it has become unfortunately common in the U.S. for self-proclaimed Computer Security Consultants to come into a public engagement and perform very high cost “Services” without actually doing anything value-added. For example, they will come in and run an automated (and often free) security tool, print a branded report card, and produce that as their finished product without any interpretation or analysis. Businesses rely on these external “Audits” to be authentic and thorough especially when they are required to meet statutory information protection requirements – thus the call for licensure.