Accreditations play a vital role in enabling cybersecurity providers to demonstrate their organisational capabilities and expertise. One prominent example is the CBEST accreditation. Achieving CBEST-approved status and using testers with CREST certifications signifies that an organisation and its security practitioners have evidenced the highest level of skills and capabilities required to deliver specialised testing services in the financial sector.

CREST has recently gained significant attention due to its alignment with the Digital Operational Resilience Act (DORA). This legislation aims to enhance the operational resilience of financial entities operating within the European Union (EU). Set to take effect on 17 January 2025, DORA mandates rigorous testing protocols carried out by highly qualified and experienced professionals, including those certified by CREST. 

To dive deeper into the importance of CREST, we spoke with Jonathan Armstrong, Head of Accreditation at CREST. He shares insights into why companies seek accreditation, the skills required to achieve this, and what the future holds for accreditation in the security industry.

The responses below are direct quotes from Jonathan Armstrong.

The Value of Earning CREST Accreditation

1. As cyberattacks are on the increase, we’re seeing a corresponding increase in vendors wanting and needing the necessary accreditations to fulfil this demand from end customers. What does having CBEST accreditation mean?

CBEST accreditation provides the highest level of assurance for vendors offering cyber resilience services to the financial sector. It demonstrates that the organisation has not only a solid operational foundation, but also a proven history of delivering high-quality services. To achieve this accreditation, vendors must also employ professionals with the highest CREST certifications, ensuring that skilled experts operate within well-structured, well-governed environments. This combination of technical expertise and strong governance gives financial institutions confidence that these providers can handle the most sophisticated and critical security challenges.

2. What are some of the specific values that CREST brings? 

Since its inception in 2006, CREST has grown into a global leader in the cybersecurity community. By collaborating with our members and their technical experts, we have earned a reputation for setting and maintaining industry-recognised standards across a wide range of cybersecurity disciplines.

Our mission is at the heart of everything we do: we develop and measure the capabilities of the cybersecurity industry, work to expand the pipeline of skilled professionals, and set global standards to ensure consistently high-quality services. Through active engagement with the global cybersecurity community, we leverage shared knowledge and expertise for the benefit of the entire industry.

3. How difficult is it to attain CBEST accreditation? Walk us through the typical stages of the process.

Attaining CBEST accreditation is a challenging process that requires organisations to undergo multiple assessments, including several levels of validation and verification. Organisations must also demonstrate a proven track record of delivering services to the financial sector, ensuring they are well acquainted with the unique challenges in this space. Nor should we forget that employees must maintain their individual certifications, proving that they not only possess the necessary skills, but are continually keeping them up to date.

4. How does CREST prioritise the importance of organisational accreditation compared to the qualifications of individual professionals within the organisation?

CREST recognises the crucial role that both organisational accreditation and individual certifications play in delivering high-quality cybersecurity services. For optimum assurance, both elements must be carefully considered and integrated.

While skilled professionals provide a strong level of technical assurance, they must operate within mature organisational structures that have well-defined processes and practices, ensuring transparency, consistency, and reliability. Organisational accreditation serves as the foundation upon which these individual skills can be fully leveraged and utilised. 

Additionally, while buyers are naturally concerned with the expertise of individual testers, it is equally important to ensure that the organisation has the commercial capability to support its services. This includes financial stability, robust technical controls, and appropriate commercial insurances to safeguard against any potential issues. 

All about Digital Operational Resilience Act (DORA)

5. Everyone seems to be talking about DORA. What are the top benefits this will bring to financial entities, and the wider security landscape, in 2025?

At the heart of the CREST mission is consistency, and that’s why I see the top benefit of DORA in 2025 as the introduction of a unified and consistent framework across the EU. This will allow financial institutions to demonstrate compliance across multiple member states, eliminating the need to navigate varying regulatory standards. 

The inclusion of third-party providers under this framework is equally important. It aligns with the broader understanding that, in order to be secure, we must defend as one. By bringing service providers into the fold, DORA strengthens the entire ecosystem, ensuring that resilience is built collaboratively across both financial institutions and their partners.

6. How can companies prepare for operational resilience testing, especially if they don’t have a regulatory body overseeing them currently?

A core part of CREST’s mission is collaboration, and this applies directly to preparing for operational resilience testing. Even if a company does not have a regulatory body overseeing it, it can proactively prepare by working with experienced external providers who hold industry-recognised certifications, such as those under the CBEST framework. These providers bring invaluable insights from real-world testing scenarios, ensuring that companies benefit from best practices that have already been tried and tested in highly regulated environments.

Companies could start by conducting a thorough internal assessment of their current resilience capabilities, focusing on key areas like incident response, system recovery, and business continuity. Engaging with external experts early in this process could be valuable in helping companies to identify gaps and strengthen their operational resilience before regulatory scrutiny.

7. How do you think accreditations, security frameworks, and regulatory bodies will shape cybersecurity over the next 12 months?

At CREST, we are uniquely positioned within the global cybersecurity landscape, engaging with national regulators, authorities, and key stakeholders worldwide. While each country faces distinct challenges based on their local market needs, the core cybersecurity threats remain similar across borders. From our perspective, there is an increasing focus on using accreditation as a driver for both capacity and capability growth within the industry. This reflects a broader trend towards formalising cybersecurity practices and ensuring quality assurance through standardised frameworks.

In response to these needs, we recently launched the CREST Cyber Accelerated Maturity Programme (CREST CAMP), a pivotal initiative initially funded by the UK Foreign, Commonwealth and Development Office (FCDO). CREST CAMP is designed to accelerate the maturity of cybersecurity service providers in regions that have identified a need to improve their local cybersecurity ecosystems. Through targeted mentoring, training, and guidance, CREST CAMP supports companies on their journey towards professionalisation and full accreditation.

This initiative marks a significant shift in how development funds are being directed, with a growing recognition of the private sector’s critical role in national security. Governments increasingly rely on private sector expertise to address resource shortfalls, while the broader economy depends on high-quality private sector cybersecurity providers to function securely. We expect accreditation to continue being a key mechanism in building resilience and trust within global cyber ecosystems, helping both public and private sectors bolster their security posture.

Conclusion

CBEST and CREST are crucial accreditations for cybersecurity providers, particularly in the financial sector, as they ensure the highest level of capability and operational assurance. With the upcoming DORA regulation taking effect in January, CREST’s role is becoming increasingly significant as a mechanism to identify high-quality and capable providers. Accreditations will play a crucial role in advancing cybersecurity practices, fostering resilience and trust throughout the global cyber ecosystem.