KUALA LUMPUR (July 17): An internationally recognised certification and accreditation framework for Malaysia's cyber security industry is in the pipeline, with the signing of a memorandum of understanding (MoU) today between the UK-based Council of Registered Ethical Security Testers (CREST) and the Association of Cyber Security Testers for Kuala Lumpur, Selangor and Putrajaya (PPKS).
The MoU was facilitated by the Asian Institute of Chartered Bankers, which is the professional body for the banking services industry in Malaysia.
CREST is an international not-for-profit accreditation body representing the technical information security industry, while PPKS is a professional society established for the purpose of driving the level of professionalism within the cyber security industry in Malaysia. PPKS also plays a role as the local chapter for CREST.
PPKS chairman Mohammed Fadzil Haron said there is a strong need for service providers to strengthen the standard and rigorousness of penetration testing with the escalating intensity of cyberattacks, such as the recent WannaCry ransomware attack.
Penetration testing is an exercise whereby authorised parties simulate an attack on information technology systems or infrastructure with the objective of uncovering potential vulnerabilities or exploitable gaps in the current security controls.
"With attacks such as WannaCry, understanding the threat and usage of threat intelligence information is critical to perform penetration testing on institutions," he told a news conference.
The partnership between the two organisations will pave the way forward for the industry to provide greater assurance to clients on the quality of services rendered by CREST certified penetration testers, benchmarked against international standards.
At present, there are about 43 service providers in Malaysia who are CREST certified.
"We are targeting to get [up to] 10 more service providers to be CREST certified in the next year or so, at the same time we would like to open the opportunity not just for service providers but for staff of financial institutions to get their individual certifications," said Mohammed Fadzil.
CREST president Ian Glover said the MoU will provide a platform for collaboration between regulators, government and cyber security service providers.
"The next stage is to work with our partners here to establish the process to accredit organisations and certify individuals.
"This collaboration will provide capability, capacity and consistency within the domestic cyber security market," he said.
Glover added that a CREST qualification is one of the toughest to obtain in the market.
"What we have seen in other regions is the quality organisations putting clear water between them and those organisations that can't meet our standards, gradually what happens is the buying community understands how to buy good [services] and they will look at those sort of requirements.
"On an international basis we have about 2,000 people qualified within the CREST community... we go through a full accreditation in the organisation which is extremely difficult, we don't just accept anybody into the organisation and our qualifications are by far the hardest in the market in terms of their complexity," he said.