Interview with Rowland Johnson, President, CREST International.
Rowland focuses on driving initiatives to increase engagement across the 300+ CREST members and all CREST-qualified individuals globally. He is responsible for working internationally with governments, regulators, and other key industry stakeholders to build stronger technical cybersecurity ecosystems. He was instrumental in CREST’s international growth and integral in creating CREST chapters in Singapore, the USA and Hong Kong.
Rowland was a founding director of cybersecurity company Nettitude and oversaw its acquisition by Lloyd’s Register in 2018. Following the acquisition, he worked with the leadership team as a strategic advisor focusing on global growth.
Rowland works closely with international governments and regulators to increase capability, capacity, collaboration, and consistency in cybersecurity ecosystems.
In this podcast, Rowland Johnson shares the history of the CREST organisation since its launch in 2006 and how, over the years, the initial focus on the penetration testing space has grown to include incident response, threat intelligence, red teaming, vulnerability assessments and security operation centres (SOCs).
Rowland also shares that, since the launch of the CREST Singapore Chapter in 2016, it has grown “from no organisations that were really identifying as being cybersecurity providers within the region” to currently 91 members in Asia.
Rowland also offers his view that the penetration testing sector has evolved over the years, and “it was a little bit like oil and water” between the offensive security experts and SOCs or red-teamers. Now, he said, “there is understanding that if you are going to make your SOC effective, you need to be targeting it using exploitation techniques that are being seen in the wild. No better way to do that than the pen testing team and red team working together.”
Rowland also touches on recent initiatives such as the CREST OWASP Verification Standard (CREST OVS) and CREST’s guideline on “Defensible Penetration Testing.”
One reason for these initiatives is today’s “patchwork quilt of different standards and regulation.”
While the needs of stakeholders may differ, Rowland believes that harmonisation of standards (or standardisation), from competencies to reporting, is key to building a baseline and minimum set of expectations, whether it is to deliver a vulnerability assessment or other types of cybersecurity assurance assessments.
For example, standardisation of reporting requirements would allow the organisation to perform comparisons between assessment periods or between different vendors conducting the assessments to understand better what “good” looks like.
At the same time, he also emphasises the need for a Code of Conduct and that individuals should be held accountable when, for example, they deliver a scoping engagement. Rowland says that the industry “need to be professionalising,” which means moving “goalposts away from where it was historically.”
Wrapping up, Rowland urges organisations to clearly set out their scope and drivers for the engagement.
“I think that’s the biggest challenge, and CREST’s feedback from the buying community suggests that when things have gone wrong, typically it’s because there was a disconnect in what the buyer thought they were looking for.”
“If the buyer goes into the engagement with a clearly understood set of goals and objectives, it is going to lead to a much better outcome.”
Recorded on 18th October 2022, on-site at the Singapore International Cyber Week 2022, Marina Bay Sands.