Mar 20, 2014

CRESTCon & IISP 2014 - A Retrospective

Yesterday I had the pleasure of visiting the CRESTCon & IISP conference 2014 in London at the Royal College of Surgeons. It was a great and enjoyable conference, although it differed quite a lot from what I was expecting beforehand.

This short article will tell you about:

(1) What CREST and IISP are
(2) My experiences with the CRESTCon & IISP conference in comparison to other industry conferences like Defcon
(3) Why you have to put CRESTCon & IISP into the geo-context of the UK to understand how it works

CREST & IISP

CREST stands for 'Council Of Registered Ethical Security Testers'. Unlike many other countries, the United Kingdom has an institution that looks after quality assurance for Penetration Testing. If you are from the UK, this will be no news for you, but since I understand that the number of countries where no such body exists is bigger than the number of countries where one is in place, I will spend a few words on how CREST works.
CREST offers courses and certifications for Penetration Testers. The most popular certifications are Check Team Member and Check Team Leader. In contrast to other countries with a more fragmented certification landscape, the CREST certifications offer a solid, straightforward career path for Penetration Testers. Penetration Testing companies can become members of CREST and get their Pentesters CREST certified.

The Institute Of Information Security Professionals (IISP) wants to encourage youngsters to pursue a career in technology. IT and IT-Security, as one aspect of technology, are therefore supported by IISP, which acts as a non-profit organization. It is driven by the British government. An example of IISP's projects is attending school events and informing pupils about possible career paths in technology. German readers may be reminded of an initiative of the German Chaos Computer Club called 'Chaos macht Schule' (Chaos goes to school) (CMS). The purpose of CMS is also to encourage young people to dive into technology and to awaken their creativity in connection with technology.
Furthermore, IISP acts as an accreditation authority for the security industry in the UK.

My Experience With CRESTCon 2014

Being on my first visit to CRESTCon, I instantly noticed the relatively small scale of the conference. About 300 professionals attended CRESTCon 2014, and the main event took place in 3 medium-sized halls. This is a big difference compared to massive conferences like Defcon or Blackhat, but not a disadvantage in any way. The opposite is true, because the size of the conference makes it easy to talk to people and to get into interesting discussions.

A selected number of CREST-member companies had stands in the exhibition hall. Everyone readily offered information about their companies. All companies present were engaged in the field of offensive security and the representatives ranged from organizations like OWASP, the British Military Forces up to big corporations like HP.

Talks were held in parallel in two conference halls. One track had a technical orientation, while the other was more focused on business, managerial and more general topics. The quality of the talks I heard was very good, and the speakers were well-known professionals within the industry. The tracks covered a broad range of topics, such as malware analysis and reverse engineering or a discussion about the ethics of penetration testing in the age of Edward Snowden.

However, the main focus of CRESTCon was not on the two main tracks but on the networking and the get-together with other professionals. It reminded me of a Who's Who of the UK's security professionals and companies. Everyone was happy to start a discussion or to talk about the latest developments in the security industry. I got into contact with many different interesting people at various levels of corporate hierarchy and industry 'fame', if such a thing even exists.
Because of its smaller size, CRESTCon had a much more familiar feel than bigger conferences like Blackhat or Defcon.

The Geo-Context Of CRESTCon

I have not seen anything comparable to CRESTCon in Germany or any other country, neither in size nor in the heavy focus on (human) networking and (human) communication. From my point of view, this can be traced back to several factors.

As I mentioned earlier, the UK has a special situation regarding Penetration Testing and offensive security because of the quality-control mechanism of CREST. It is rather easy for the CREST body to organize an event like CRESTCon because of CREST's reach within the UK's IT security market. Because of the professionalization of quality control in Penetration Testing in the UK, companies are somewhat urged to attend events like CRESTCon. Don't get me wrong, nobody was forced to attend CRESTCon, but it seems to be good industry practice for enterprises offering Penetration Testing services to keep healthy relationships with an important control body like CREST.
Coming from Germany, I found this situation especially interesting, since we have no comparable body or even a unified certification like the one that exists in the UK. Whether this is positive or negative for the industry may be discussed elsewhere, but it certainly affects the way business is conducted within the IT security industry of a country.

TL;DR: One has to understand CREST's quality-control function for Pentesting within the UK to see the nature of CRESTCon. Although CRESTCon is a small conference with 300 participants, the networking effect is overwhelming. The talks are great, but since they only accompany the main get-together, don't expect them to be on the level of Defcon or Blackhat.