Ian Glover, president of infosec accreditation body CREST, is stepping down from his post, he told the organisation's annual general meeting yesterday.
Sources whispered of Glover's departure to The Register ahead of a mass mailout today to members of the organisation, which oversees some industry-recognised penetration testing exams and certifications in the UK.
"My retirement is something I have been planning for some time and, while I leave with a heavy heart, I am confident CREST will continue to move forward in the hands of an excellent team," said the man himself in a canned statement emailed round CREST member organisations, following his 13 years at the helm.
CREST had not responded to The Register's request to interview Glover by the time of writing. He will remain in post for another three months.
Glover was president of CREST when the exam-cheating scandal broke last year. A major CREST backer, pentesting firm NCC Group, had been creating cheat-sheets and walkthroughs for CREST certification exams.
Numerous ex-NCC sources told The Register of an internal culture where exam candidates were shown marked copies of past papers, in apparent breach of CREST’s non-disclosure agreement. Unlike school exams where past papers are freely circulated, CREST was supposed to rigidly control all of its exam materials to prevent their public disclosure at any stage. One source told us at the time: "The content of the exams and syllabus is intentionally extremely vague and under heavy NDA."
People who worked hard to pass their CREST exams expressed disgust to El Reg that a significant backer of the industry body appeared to be spoon-feeding its staff the answers, raising questions about the exams' integrity and the competence of people who ultimately sign off clients' crown jewels as secure. Those clients include the British government and critical national infrastructure operators.
Rob Dartnall, chairman of CREST, said in a congratulatory statement today: "On behalf of the CREST (GB) Executive I would like to thank Ian for everything he has done for CREST members and the cyber security industry.
"As president, he has transformed CREST and he can be very proud of the work he has done to develop and professionalise our industry. Truly a legacy to be proud of."
Last month the infosec body announced that its investigation into the cheat-sheet scandal would not be published. The investigation was carried out by a retired senior police detective who, the public was assured, had no connections to CREST or NCC.
A couple of weeks ago Glover was handed an "outstanding contribution" award by SC Media, which publishes cybersecurity magazines.
Glover's LinkedIn profile also lists him as president of the Bloodhound supersonic car project.
While the creation of CREST and the setting-up of its certification schemes were a big move towards professionalisation and standardisation for the UK infosec industry, Glover's stewardship of CREST through the fallout of the exam scandal has prompted grassroots infosec folk to express anger at what some of them see as the body's lack of public candour as well as perceived conflicts of interest with NCC Group.
At least one of the NCC senior managers on CREST's board also stepped down yesterday. Mark Turner, a former chairman of the body, retired from the CREST executive "because he had served six consecutive years."
We are told the organisation's bylaws make this an automatic process. It is not yet known whether Turner will seek reappointment. ®