CREST Offering Pen Testing Certification in SingaporeCollaborative Effort with Government Agency, Others
CREST, is launching a chapter in Singapore - its first chapter in Asia - that will offer information security professionals certification and accreditation in penetration testing. The not-for-profit organisation that serves the needs of the technical information security marketplace plans to eventually offer other certifications as well.
See Also: The Essential Guide To Machine Data
CREST is collaborating with Singapore's Cyber Security Agency and the Association of Information Security Professionals on the project.
"Penetration testing is important to assess our level of cybersecurity and an essential service for both large enterprises and SMEs, given the increasing frequency and sophistication of cyber threats," says David Koh, chief executive at the Cyber Security Agency. "By raising the competency standards of our cybersecurity professionals, like penetration testers, we will make Singapore's cyberspace more secure for everyone."
Bridging the Skill Gap
Security leaders welcome the move, saying there's a growing need for penetration testing and vulnerability assessment skills in the region to complement the current risk management framework and establish a cybersecure ecosystem.
CREST will open its examination facility at the Singapore Institute of Technology. The Monetary Authority of Singapore, the Association of Banks in Singapore and the Infocomm Development Authority of Singapore are supporting the effort.
"The demand from both public and private sectors for more InfoSec professionals to monitor and protect organisations from cyber threats has never been greater," says Loh Han Tong, deputy president and provost at the Singapore Institute of Technology. "From a cybersecurity standpoint, today's big data and the internet connectivity of things translate into higher risks of sensitive information being open to attacks. It's absolutely essential that these key information systems are adequately protected."
According to the Infocomm Development Authority, there are almost 15,000 job openings in Singapore for those with information security skills, says Chuan-Wei Hoo, technical adviser for the Asia-Pacific region at (ISC)², another security training organization. The number of available positions is expected to double by 2017.
"Pen testers only made up part of the cybersecurity workforce as we see there are needs for various types of cybersecurity professionals," Hoo says.
Penetration testing is an important piece in the overall security jigsaw puzzle, adds Clayton Jones, managing director for Asia-Pacific at (ISC)².
The Monetary Authority of Singapore, which regulates banks, insurance companies, payment operators and asset management firms, issued new guidelines in 2014 that stress the need to have penetration testing skills, says Andrew Koh, deputy chief manager of China Construction Bank.
"The new penetration certification could help in the creation of uniform standards for pen testing for all users and vendors and formalize common standards and best practices for players to follow," Koh says.
Paying for Certification
Andrew Koh notes that several security vendors already offer various professional certifications, including those for penetration testing, which cost $3,000 or more each.
For the new CREST accreditation, Singapore-based professionals can apply for government subsidies to cover a portion of the cost. Small service providers can apply for government funding to cover a proportion of the costs to be CREST member companies.
Hoo expects great demand for the new CREST certification in Singapore among cloud security professionals because more enterprises are adopting cloud services. And as the community gets more connected for the Smart Nation initiative, concerns about application security are increasing, which could also spur demand for certification, he adds.
The new CREST certification program is a good starting point, but security professionals must continue to acquire more analytical skills on malware analysis and incident response, Hoo says.