Cybersecurity accreditation for web dev/infrastructure team
Discussion
Not sure if this should be here or in Jobs & Employment matters, but whatever 
I've been in the web development game for 25+ years and currently run the infrastructure and ops side of things for a specialist web dev company. Over the past few years, we've been upping our game in terms of getting ISO 27001 accredited, improving our processes and generally being much more grown up in how we do things.
We've always been hot on the cybersecurity side of things, but it's all stuff we've learned and developed on the job. Some of the tenders we've recently had, and some of our larger clients, are asking for formal accreditation. I've looked into this but quite frankly the array of courses and accreditations are now at the 'confusopoly' stage where there's so much on offer and so much overlap that I'm lost. None of the people we're looking to get accredited are inexperienced starters - we've all got several years under our belts so don't want to waste time and money on entry-level stuff.
Any pointers before I just take a blindfold and pin approach?
I've been in the web development game for 25+ years and currently run the infrastructure and ops side of things for a specialist web dev company. Over the past few years, we've been upping our game in terms of getting ISO 27001 accredited, improving our processes and generally being much more grown up in how we do things.
We've always been hot on the cybersecurity side of things, but it's all stuff we've learned and developed on the job. Some of the tenders we've recently had, and some of our larger clients, are asking for formal accreditation. I've looked into this but quite frankly the array of courses and accreditations are now at the 'confusopoly' stage where there's so much on offer and so much overlap that I'm lost. None of the people we're looking to get accredited are inexperienced starters - we've all got several years under our belts so don't want to waste time and money on entry-level stuff.
Any pointers before I just take a blindfold and pin approach?
We are the same, we provide bespoke development and the hosting environment.
One direction that might be of interest is https://www.tenable.com/education
Tenable have some great tools to scan your servers and applications.
Happy to talk it through with you what we do, if its any help?
One direction that might be of interest is https://www.tenable.com/education
Tenable have some great tools to scan your servers and applications.
Happy to talk it through with you what we do, if its any help?
What are you looking for.. accreditation for your business? If so.. and UK gov/local authority are in your customer base, look at ISO 27001 and cyber essentials/cyber essentials plus (though the world is shifting towards alignment with NIST 800-53 Etc)
If it is for your staff.. then that is a very different thing... (and very, very confusing hodge podge competition certifications.. ).
Tools like tenable, nessus etc definitely things you should consider interns regular vulnerability scanning (and subsequent vuln management), both scanning internally and externally.. but aren't accreditation per se, just one of the many things you will most likely need to do to maintain your accreditation.
For US markets, SOC2 type 1 or 2 attestation can help.
I would start by, who is your customer base/target customer base, and what do they care about/ask for?
UK or Europe,US or wider overseas? If UK, government? Regulated commercial sector (eg financial services, energy, transport, health etc.. aka critical national infrastructure) or unregulated commercial?
Note that many professional services firms/ suppliers to heavily regulated sectors find the requirements from their regulated customers being flowed down to them.. so they may inturn care about these in their own supply chain
If it is for your staff.. then that is a very different thing... (and very, very confusing hodge podge competition certifications.. ).
Tools like tenable, nessus etc definitely things you should consider interns regular vulnerability scanning (and subsequent vuln management), both scanning internally and externally.. but aren't accreditation per se, just one of the many things you will most likely need to do to maintain your accreditation.
For US markets, SOC2 type 1 or 2 attestation can help.
I would start by, who is your customer base/target customer base, and what do they care about/ask for?
UK or Europe,US or wider overseas? If UK, government? Regulated commercial sector (eg financial services, energy, transport, health etc.. aka critical national infrastructure) or unregulated commercial?
Note that many professional services firms/ suppliers to heavily regulated sectors find the requirements from their regulated customers being flowed down to them.. so they may inturn care about these in their own supply chain
Edited by HiAsAKite on Friday 5th January 23:43
judas said:
Some of the tenders we've recently had, and some of our larger clients, are asking for formal accreditation. I've looked into this but quite frankly the array of courses and accreditations are now at the 'confusopoly' stage where there's so much on offer and so much overlap that I'm lost. None of the people we're looking to get accredited are inexperienced starters - we've all got several years under our belts so don't want to waste time and money on entry-level stuff.
Any pointers before I just take a blindfold and pin approach?
If clients aren't asking for anything specific and you just want something to tick a box, have a look at "Cyber Essentials": https://www.ncsc.gov.uk/cyberessentials/overviewAny pointers before I just take a blindfold and pin approach?
I did an ISO27k implementer course with IT Governance a few years back, something like that would be a good starting point if you want to get it for your own company, or get your staff trained up to start putting customers through it.
ISO27k is more about the processes and governance than the technology. Obviously Technology underpins it, but for example getting accredited wouldn’t check if you’ve patched your stuff, they’ll check if you have a published patching policy, how you manage compliance, how you inform your staff of it etc. Cyber essentials and CE+ is a lot lower level and more directly technology centric, it does ask/check if you’ve applied patches and doesn’t cover if you have a policy on it.
ISO27k is more about the processes and governance than the technology. Obviously Technology underpins it, but for example getting accredited wouldn’t check if you’ve patched your stuff, they’ll check if you have a published patching policy, how you manage compliance, how you inform your staff of it etc. Cyber essentials and CE+ is a lot lower level and more directly technology centric, it does ask/check if you’ve applied patches and doesn’t cover if you have a policy on it.
LooneyTunes said:
If clients aren't asking for anything specific and you just want something to tick a box, have a look at "Cyber Essentials": https://www.ncsc.gov.uk/cyberessentials/overview
We take clients through cyber essentials and CE+. If thats what you need OP feel free to PM me and I can arrange a meeting for you with one of my techs to talk it through to see where you are at and how much work would need to be done to achieve either or.I run a Cyber Essentials certification body - I'm happy to advise if required. It's a baseline certification which is a self-assessment and is then marked by a certification body.
I can't emphasise how basic it is but NCSC have assessed that if you follow it, you will mitigate somewhere in the region of 70% of common attacks. Do bare in mind that it only takes one user to click on a link to cause you a whole world of pain so it absolutely isn't a panacea to dealing with cyber attacks but it will help improve your resilience. It is also a requirement for most, if not all, contracts with the UK public sector (including councils etc).
Cyber Essentials Plus is the next step along but there is a lot more effort required with that.
I've had clients come to me with zero experience in this field and I've had to put huge multinationals (dealing with the UK arm of the business) through it who've already had ISO27001 certification - some of them will struggle with it.
I can't emphasise how basic it is but NCSC have assessed that if you follow it, you will mitigate somewhere in the region of 70% of common attacks. Do bare in mind that it only takes one user to click on a link to cause you a whole world of pain so it absolutely isn't a panacea to dealing with cyber attacks but it will help improve your resilience. It is also a requirement for most, if not all, contracts with the UK public sector (including councils etc).
Cyber Essentials Plus is the next step along but there is a lot more effort required with that.
I've had clients come to me with zero experience in this field and I've had to put huge multinationals (dealing with the UK arm of the business) through it who've already had ISO27001 certification - some of them will struggle with it.
Sorry for the delayed follow-up and thanks for all the useful replies.
To add some more useful information:
Maybe I should just ask him what on earth he needs and expects
To add some more useful information:
- We are already ISO 27001 and Cyber Essentials certified. We were CE Plus accredited too, but this has lapsed for various time/resource-based reasons. It will be back in place in the next couple of months once we have the headspace to complete the application.
- We have all internal/developer machines under central control already, using Sophos Central, Addigy, intruder.io and other tools
- Our client base is a mix of small businesses, larger charities and education institutes, non-profits, and medium to large businesses. The majority are UK-based with some having global operations/locations.
- The majority of our sites are hosted in Pantheon, a specialist hosting service for our platform of choice, Drupal. This deals with a lot of the bread and butter CS concerns out of the box.
Maybe I should just ask him what on earth he needs and expects
judas said:
The vague and woolly brief from my MD was about getting my infrastructure team each accredited with some well-know/recognised CS qualification, rather than the organisation as a whole. He suggested doing the AWS or Google CS certification, but my concern with that is it is very much focused on their way of doing things in their products and services. Over the past five years we've moved a lot of stuff out of AWS and have only ever had a few things in Google Cloud - that approach seems like a dead end even if it does give us a well-known name to plaster over our profiles.
Maybe I should just ask him what on earth he needs and expects
… and perhaps ask him if he’s sure that what he wants is going to be better received than something more holistic. Making sure the organisations cyber security stance is appropriate is arguably more useful and impressive than only having techies certified. Get him fired up about company-wide education and testing? As has already been said, it only takes a clown elsewhere in the organisation to allow a breach…Maybe I should just ask him what on earth he needs and expects
judas said:
Sorry for the delayed follow-up and thanks for all the useful replies.
To add some more useful information:
Maybe I should just ask him what on earth he needs and expects
If he wants to have people certified, then it could be something as straightforward as a vendor agnostic certicate - for cloud, it could be something as straightforward as CCSK (https://cloudsecurityalliance.org/education/ccsk/) which is vendor agnostic whereas (and obviously) AWS / Azure / Google Cloud certs aren't. To add some more useful information:
- We are already ISO 27001 and Cyber Essentials certified. We were CE Plus accredited too, but this has lapsed for various time/resource-based reasons. It will be back in place in the next couple of months once we have the headspace to complete the application.
- We have all internal/developer machines under central control already, using Sophos Central, Addigy, intruder.io and other tools
- Our client base is a mix of small businesses, larger charities and education institutes, non-profits, and medium to large businesses. The majority are UK-based with some having global operations/locations.
- The majority of our sites are hosted in Pantheon, a specialist hosting service for our platform of choice, Drupal. This deals with a lot of the bread and butter CS concerns out of the box.
Maybe I should just ask him what on earth he needs and expects
It sounds like he needs some training needs analysis to be fair...
CSSLP would be worth looking at. Maybe not for all staff but certainly for lead devs / head of development. Could look at CC for all devs.
Both from https://www.isc2.org/
While it's not a certification, I've heard very good things about the Hack Yourself First course:
https://www.troyhunt.com/workshops/
Both from https://www.isc2.org/
While it's not a certification, I've heard very good things about the Hack Yourself First course:
https://www.troyhunt.com/workshops/
Gassing Station | Business | Top of Page | What's New | My Stuff