Cyber security certifications like CREST and NCSC have become a staple of the industry. For many businesses evaluating potential providers, these logos offer a reassuring stamp of approval.
But here's the catch: when every proposal in your inbox is adorned with the same prestigious badges, those certifications no longer help you differentiate between options. They signal legitimacy and baseline competence. But not excellence, nor alignment with your specific business needs.
So, what do these certifications actually mean? And once they're accounted for, how do you identify a provider that will deliver real security outcomes, not just paperwork-ready compliance?
What Do CREST & NCSC Certifications Actually Represent?
Before we dive into what really matters in choosing a provider, it's worth understanding what these widely recognised certifications stand for:
CREST (Council of Registered Ethical Security Testers)
CREST accreditation is an internationally recognised mark of quality for cyber security providers, especially in areas like penetration testing, incident response, and threat intelligence. CREST member companies undergo rigorous assessment of their technical capabilities, ethical standards and organisational processes.
In short, a CREST badge means the provider:
- Has passed a formal, independent evaluation
- Employs professionals with validated expertise
- Follows tested methodologies aligned with best practices
NCSC Cyber Essentials / Cyber Essentials Plus
The National Cyber Security Centre (NCSC) backs the Cyber Essentials scheme a government-endorsed baseline that helps organisations protect against common cyber threats.
- Cyber Essentials covers five core controls (firewalls, secure configuration, user access control, malware protection and patch management).
- Cyber Essentials Plus involves hands-on technical verification by a qualified assessor.
These certifications reassure clients that a provider has implemented fundamental cyber hygiene measures and that they know how to apply the same for others.
Certifications Are Baseline, Not Differentiators
If every provider you're evaluating holds CREST and NCSC accreditations, those qualifications cease to be distinguishing factors. Instead, they serve as table stakes minimum entry requirements akin to food hygiene ratings in restaurants. Necessary? Absolutely. Sufficient? Not even close.
Certifications validate technical capabilities and adherence to recognised standards. What they don’t reveal is how a provider will perform under pressure, whether they understand your industry context, or how effectively they can communicate risk to non-technical stakeholders.
What You Should Be Looking For
Choosing a cyber security provider requires deeper scrutiny. Below are the criteria that truly separate signal from noise:
- Industry-Relevant Experience
Look for a provider who has demonstrable success defending businesses like yours. Cyber security challenges vary wildly across sectors: financial services, healthcare, manufacturing and retail each face unique threat profiles. Experience in your space means fewer assumptions and more relevant protection.
- Clear, Human-Centered Communication
Can they explain complex security issues in plain language? Are they transparent about risks, tradeoffs, and limitations? A provider who communicates well ensures your leadership team stays informed and empowered, without needing to decode technobabble.
- Team Depth and Sustainability
Evaluate the breadth of expertise, not just the brilliance of a few individuals. If a provider’s knowledge is siloed within one or two key personnel, your risk exposure increases when those individuals are unavailable.
- Real-World Results
Ask for measurable outcomes. Have they shortened incident response times for other clients? Reduced false positives? Helped companies achieve compliance in complex environments? Numbers speak louder than logos.
From Checkboxes to Confidence
Too many cyber security strategies are compliance-driven: they revolve around ticking boxes to pass audits, often resulting in a false sense of security. The best providers will help shift your posture to confidence-based security, a proactive, continuous and resilient approach.
This means ongoing testing, scenario planning and iterative improvement—not just writing a policy and shelving it for a year.
Try the Monday Morning Test
Here’s a practical way to assess a provider's true capability: ask them to run a 90-minute tabletop exercise simulating a realistic cyber incident with your leadership team.
This isn't a sales pitch. It's a litmus test for how well the provider understands your business, communicates risk and identifies operational gaps. During the exercise, pay attention to:
- Their ability to facilitate real-time decisions
- How they translate tech into business implications
- Their suggestions post-exercise, do they prioritise tools or focus on impact?
Tabletop exercises often reveal critical vulnerabilities that are missed by standard audits. A provider who navigates this with confidence is more likely to stand by you in a real crisis.
Turning Insight Into Action
Post-exercise, the right provider won’t try to overwhelm you with a shopping list of expensive tools. Instead, they’ll help you categorise issues using an Impact vs Readiness framework:
- High impact, low readiness = urgent priority
- High readiness, low impact = monitor or defer
- Everything else = balance accordingly
This strategic triaging ensures your security investments are aligned with actual risk, not hypothetical threats.
Final Question: Beyond the Certification
When it’s time to choose your provider, ask this one powerful question:
“How do you go beyond your certifications to deliver real impact for clients like us?”
Their answer should reveal whether they’ve done more than earn credentials—they’ve gained trust, delivered outcomes and adapted solutions to unique business contexts.
In Summary
Certifications like CREST and Cyber Essentials are vital—they ensure a baseline of credibility, safety and professionalism. But that’s just the beginning.
The real differentiators are:
- Sector-specific expertise
- Strong communication
- Measurable outcomes
- A strategic, confidence-building approach
- And a commitment to partnership over pretense
Because in cyber security, it’s not the badges that protect your business, it’s the people behind them.