CompTIA has announced a new credential designed to help managed service providers position themselves to end users and cyber insurers as leaders in security best practices.
The IT membership organization soft-launched the new certification, called the Cybersecurity Trustmark, during ChannelPro’s Cybersecurity Online Summit event today.
“The goal and objective that I have for this in the next three to five years is for it to actually become the globally adopted industry standard,” says Wayne Selk, vice president of cybersecurity programs at CompTIA and executive director of its security information sharing and analysis organization (ISAO).
Built around a customized, MSP-specific set of controls borrowed from NIST, the Center for Internet Security, the ISO/IEC 27000 family of standards, and other respected sources, the credential aims to provide a roadmap channel pros can use to earn third-party validation that they employ rigorous measures to secure both their own environment and their end users’ environments.
“What we’re trying to do is give them the absolute foundational set of controls that can best protect their business today and also at the same time get them sixty to seventy percent of the way there if they need to get SOC 2 Type 2 [certification],” Selk says.
Tentatively scheduled to launch officially next March, the Cybersecurity Trustmark will replace CompTIA’s existing Security Trustmark+, which debuted in 2008 and was last updated in 2014. CompTIA members and other channel pros can add themselves to the credential’s wait list now.
When fully in place, the infrastructure surrounding the trustmark program will include a set of accredited outside auditors. “They’ll understand the standard, they’ll understand the controls, and they’ll completely understand the guidance that goes with those controls,” Selk explains.
After being audited, MSPs will apply to a forthcoming accreditation board for final, formal designation as Cybersecurity Trustmark holders.
Channel pros will clear three stages on the road to achieving full-blown Cybersecurity Trustmark status, beginning with a “readiness path” in which they assess their current compliance with the new credential’s recommended best practices.
“You buddy up with somebody who’s kind of gone through implementing a lot of these controls already in their business,” Selk says. “The goal there is to help the organization identify gaps.”
At the self-attestation stage, MSPs must document on their own, but under oversight from the accreditation board, that they meet the trustmark requirements. To reach the fully audited stage, they must obtain an audit report from an accredited third-party auditor and final approval from the accreditation board.
Selk foresees two primary motivations for completing that process, beginning with the ability to do more business with customers subject to regulatory mandates. “Those individuals specifically are looking for something other than the word of the MSP saying, ‘hey, we’ve got you covered,’” Selk notes.
More importantly, he continues, holding the Cybersecurity Trustmark will eventually make it easier for MSPs to obtain cyber insurance coverage for their customers and technology errors and omissions (E&O) coverage for themselves. Fully audited trustmark holders in particular could qualify for lower premiums and higher limits on those policies.