Nick Benson, CEO of CREST International

Nick Benson: “We make decisions for the long-term good of the cybersecurity community”

CREST is an international not-for-profit with the goal to help create a secure digital world for all by setting standards, supporting national governments, quality assuring private sector companies, and certifying individuals in the cybersecurity industry. It is a participant in Common Good Cyber, our global initiative aiming to guarantee sustainable funding so that nonprofits involved in critical cybersecurity functions can stay devoted to bringing value to the ecosystem. We interviewed Nick Benson, the CEO of CREST, to discuss the organization’s work, the importance of collaboration to build trust, and how our efforts make it easier for organisations to do the right thing security-wise.

First, can you please share a little bit about CREST and its mission?

CREST is an international not-for-profit representing the global cybersecurity industry. Since 2006, we’ve led the cybersecurity community in collectively raising the standards of cyber service providers and professionals – essentially quality-assuring the sector and providing confidence to the buying community, governments, and regulators. Our mission is to build capability, capacity, consistency, and collaboration across the industry through services that nurture, measure, and enhance the performance of individuals and organisations. In plain terms, we work to raise the bar for cybersecurity practices worldwide, which in turn helps build trust in our digital world.

CREST accredits cybersecurity companies and certifies professionals to rigorous, internationally recognised standards. We have a truly global footprint – over 420 member companies across 50 countries, and thousands of certified practitioners around the world. We collaborate with governments, regulators, academia, and industry partners to grow cyber ecosystems in every region. By focusing on professionalisation and quality assurance, we help ensure that when an organisation engages a CREST-accredited provider or professional, they know they’re getting proven expertise and adhering to high standards of security.

As an international nonprofit representing the global cybersecurity industry, what are the biggest risks ahead?

We see a number of significant risks on the horizon. First is the sheer pace and sophistication of cyber threats. Cyber attackers – from organised criminals to nation-state actors – are continually upping their game. Ransomware, for example, continues to be a global scourge, and emerging technologies like AI could be a double-edged sword, potentially enabling attackers to launch more automated and targeted attacks. At the same time, the attack surface is exploding: as businesses embrace cloud services, IoT devices, and digital transformation, there are more entry points than ever, which can be exploited if not properly secured. Keeping up with this fast-moving threat landscape is a constant challenge, and it requires us to stay proactive and innovative in our defence strategies.

Another major risk is the worldwide shortage of skilled cybersecurity professionals. The demand for talent far outstrips supply in many regions, which means many organisations may struggle to find experts to protect them. Building cyber capacity – essentially growing the pipeline of skilled practitioners – is critical to address this gap. This is a core part of CREST’s mission, and something we’re tackling through certification programs, partnerships with academia, and mentoring initiatives to bring new talent into the field. If we don’t collectively solve the skills gap, all the best technology in the world won’t fully protect us.

We’re also very mindful of the risk of fragmentation in security standards and approaches globally. Threat actors do not respect national borders, so if one country or sector has weaker defences, it can become the weakest link that attackers target. We must work together internationally to harmonise cybersecurity practices and consistency of standards, leaving no gaps for adversaries to exploit. This is why collaboration and knowledge-sharing are so important. 

Finally, I’d add that many of the organisations that keep the Internet secure (including nonprofits) operate with limited funding and resources – if those critical efforts aren’t sustained, that’s a risk for all of us. Addressing all these challenges is exactly what drives CREST and our members every day.

How does your work in cybersecurity help to address opportunities and risks associated with new technologies?

New technologies invariably bring new opportunities and new risks. Part of our job at CREST is to make sure the services provided by the cybersecurity industry keep pace with innovation. One way we do that is by continuously updating our standards to cover emerging tech domains. It turns the opportunity of new tech into something that can be embraced safely, rather than simply a new risk.

Another way we address new tech is through thought leadership and community building. CREST Focus Groups drive standards and thought leadership in various technical disciplines including penetration testing, incident response, red teaming, security operations centres and threat intelligence. We bring together practitioners and subject-matter experts to discuss emerging issues (for instance, security implications of AI or the latest tactics in cloud security) and to develop guidance.

Collaboration is key here: we often partner with specialised organisations to stay at the forefront. Through our Community Supporter initiative we have strong links to other cyber nonprofits such as the Center for Internet Security, with whom we deliver the CIS Controls Accreditation, and OWASP, using their Application Security Verification Standard as the basis of our OVS accreditation.

By partnering in this way, we combine our expertise with others in the field and ensure the cybersecurity community is tackling new technology challenges collectively. Ultimately, our work helps the industry seize the benefits of innovations like cloud and AI while mitigating their risks – whether that’s through updated training and certifications, publishing research and guidelines, or sharing knowledge across our global community. We want to ensure that as technology evolves, cybersecurity evolves right along with it (or even a step ahead).

You build collaboration in the global industry and have publicly supported Common Good Cyber. What key elements would further strengthen collaboration in this field, and how do you see Common Good Cyber contributing to its success?

Collaboration is absolutely vital in cybersecurity – no single entity or even country can tackle the big challenges alone. There are a few key elements that I believe would strengthen collaboration across our industry. One is more open information sharing: when threats or incidents emerge, sharing insights and threat intelligence quickly and widely can prevent other organisations from falling victim. We need to keep breaking down silos between companies, sectors, and countries when it comes to communicating about threats.

Another element is alignment of standards and best practices. If we can agree on high standards (for example, for incident response or penetration testing) and promote mutual recognition of frameworks, then authorities and organisations from different regions can more easily work together and trust each other’s work. This is something CREST actively works on – creating, and recently publishing for free, common standards so that a “quality” service means the same thing everywhere.

And a third element is multi-sector engagement: bringing nonprofits, governments, and the private sector together. Each has a role to play – governments can convene and support, industry brings expertise and innovation, and nonprofits (like Common Good Cyber, the Global Cyber Alliance, and others) often act as the glue or catalysts for joint initiatives. When all these stakeholders collaborate, we can achieve far more, whether it’s training the workforce, improving baseline capability within the cybersecurity community, or responding to global incidents.

As I mentioned before, we’ve tried to embody these elements through the CREST Community Supporter initiative, formalising partnerships with over 30 organisations that share our values and mission. By combining the strengths of the nonprofit community, we believe that the combined capability is stronger than the individual parts. Common Good Cyber exemplifies the kind of collaboration we need. We publicly supported Common Good Cyber because we see its mission as deeply aligned with ours. It’s rallying a coalition to support cybersecurity as a common good, making sure that the nonprofit organisations who work tirelessly to keep the Internet secure get the backing they need. This sort of initiative contributes to success by filling a critical gap: it galvanizes resources and attention for efforts that fall outside pure commercial or government activity, but which are essential to everyone’s security.

I see Common Good Cyber bringing people and organisations together in a new way – bridging policymakers, industry leaders, and philanthropists to support the broader cyber ecosystem. That kind of convening power can lead to more funding for cybersecurity nonprofits, more adoption of best practices, and more integrated efforts globally. From CREST’s perspective, when we have partners like the Global Cyber Alliance and Common Good Cyber focusing on sustaining and scaling the nonprofit side of cybersecurity, it complements the work we do in professionalisation and standards. Collaboration begets more collaboration, and becomes more self-sustaining as a result.

CREST have been working for almost 20 years to provide confidence to your global community. What is the secret ingredient to building that trust, and how can GCA and Common Good Cyber be helpful in this space?

Nearly two decades in, I’ve found that the “secret ingredient” to building trust is consistency with integrity. Trust isn’t built overnight in cybersecurity – you earn it by delivering quality and being reliable year after year. At CREST, we’ve maintained high standards from day one and have been very consistent in applying them. Whether we’re certifying an individual professional or accrediting a member company, we hold them to a rigorous, impartial benchmark. Over time, people see that a CREST accreditation or certification truly means something, because we don’t compromise on those requirements. This consistency, coupled with our not-for-profit ethos, has been crucial. Being a not-for-profit means our only agenda is to develop and strengthen the industry itself, not to serve shareholders or chase short-term profit. We make decisions for the long-term good of the cybersecurity community, keep showing up year after year, and I think people recognise that commitment to the common good. We’ve built trust by always putting quality and the community first, and by being transparent and fair in how we operate.

Another part of building trust is demonstrating competence and value through real-world impact. Over the years, CREST has been entrusted to run programs and support initiatives for governments and industry bodies, which in turn reinforces trust in our organisation. For example, we’ve worked with regulators in places like the UK, Australia, Singapore, Dubai and others to embed CREST standards into national cybersecurity frameworks. We’ve also worked directly with financial services regulators such as the Bank of England and their CBEST program, which is based on CREST’s red teaming accreditations and certifications. Each successful collaboration or program builds confidence not just in CREST, but among all the partners and communities involved.

When it comes to how the Global Cyber Alliance (GCA) and Common Good Cyber (CGC) can be helpful, I’d say they are already playing a hugely important role in the trust equation. Trust in the big-picture sense comes from a community effort – it’s not just one organisation, but many, working in concert. CGC tackles the sustainability challenge. It advocates for cybersecurity to be treated as a public good, which means finding ways to fund and support the nonprofits and volunteers who are often doing behind-the-scenes work to keep us all safe. CGC is essentially saying: let’s not take those unsung security efforts for granted; let’s actively sustain them. By pushing for new funding models and greater awareness, CGC helps ensure those trustworthy services (like open-source security tools, threat-sharing networks, Internet infrastructure maintenance, etc.) continue to exist and improve.

In the end, GCA and Common Good Cyber help amplify the trust-building that CREST and others are doing by broadening the support system. GCA brings in expertise and resources from across sectors to solve specific security problems, and CGC brings everyone to the table to support the broader ecosystem as a common cause. Their work means that more organisations can afford to implement good security, and that vital initiatives don’t fall through the cracks due to lack of funds. From my perspective, when the community sees that kind of unified front – standard-setters like CREST, operational alliances like GCA, and advocacy coalitions like CGC all reinforcing each other – it sends a powerful message. It says that we’re in this together for the long haul, and that we’re committed to a secure digital world for all. That, ultimately, is what builds and maintains trust: a shared, sustained commitment backed by real action on all fronts.

About Nick Benson:

Nick is the CEO of CREST International, a non-profit, overseeing the delivery of the CREST mission globally. Nick works with national governments, the private sector, non-profits and academia to further the capability, capacity and consistency of the cyber service sector.

Nick has a track record of building and leading teams through transformation, having previously been the Chief Operating Officer of ORX, the largest global trade association supporting operational risk management in financial services.

Before ORX, Nick worked in executive roles across finance and risk management divisions at Nationwide Building Society, one of the UK’s largest retail financial services providers.

Nick started his career at KPMG in their IT advisory divisions in London and Sydney, also qualifying as a Chartered Accountant (ICAS) in 2005.

