The first 16 Australian MSPs have been working to earn the CompTIA Cybersecurity Trustmark Assurance, designed to help smaller MSPs stand out and move beyond cybersecurity control frameworks.
Those Australian businesses are among 200 globally in the Cybersecurity Trustmark program, CompTIA's senior director of cybersecurity compliance programs, Chris Johnson, told CRN Australia earlier this year.
We spoke to Johnson ahead of his appearance in a panel discussion about ‘Evolving Your IT Cybersecurity Business for Tomorrow’s Market’ at the CRN Pipeline conference in August.
Johnson, who spent 15 years providing managed services before moving into a managed security role servicing Fortune 100 clients, commented online earlier this year about “our industry needing a clear path forward that is recognised as a maturity benchmark worth aligning with.”
He spoke to CRN Australia recently about why he sees a need for the CompTIA Cybersecurity Trustmark.
“The Essential Eight – to be candid – it’s not working. And it's not because it's a bad program, it's because the way it was built is a bottom-up approach,” Johnson said.
“If I'm a good technician and I implement multifactor authentication (MFA), great. But if my leadership doesn't buy into doing the MFA, then I'm not getting buy in from the organisation and enforcement will fail.”
He said the CompTIA Cybersecurity Trustmark, which incorporates safeguards from known frameworks, aims to address this by prioritising governance and leadership before work progresses on other aspects of security.
“Governance is hard. It’s not ‘Oh, you just get leadership buy-in, and the culture is going to shift, and it'll be magical,’” he noted. “It’s not like that because leadership tends to say things like, ‘Well, I want this to be a perfect asset inventory, but we only have 80 percent of it documented.’”
“Or about policies they’ll say, ‘Well, we haven't got our letterhead on it yet, and it needs to be reviewed.’ Awesome, so glad you got your logo on a policy that says make sure your password’s eight characters long. If you hadn't had your logo on there, no one would have known that they were supposed to adopt this, and now that's why it's failing.”
The “uniqueness of the MSP industry” was a motivator for CompTIA in piloting the CompTIA Cybersecurity Trustmark in late 2022.
“MSPs have multiple customers in various industries with different compliance and regulatory environments,” said CompTIA VP of cybersecurity programs, Wayne Selk, in late 2022. “These customers are looking for something more than assurances from an MSP that they have comprehensive cybersecurity practices in place.”
“What we’re trying to do is give them the absolute foundational set of controls that can best protect their business today and also at the same time get them sixty to seventy percent of the way there if they need to get SOC 2 Type 2 [certification],” Selk told ChannelPro Network at the time.
Speaking about the cybersecurity concerns of smaller MSPs, Johnson said: “MSPs are worried about going extinct because they don't buy enough security stack services, or they're afraid that they don't have the right coverage and the gaps are too big that if something happens, they're going to go out of business.”
“What I've seen recently is, ‘I'm in a peer group, one of my peer group members is going through the ransomware or their clients are, and now it's no longer arm's length away. It's happening in my own house.’”
Chris Johnson will take part in the sessions “Strategic Shifts – Evolving Your IT Cybersecurity Business for Tomorrow’s Market” and “Peer Power – How Channel Communities are Evolving to Help Leaders Through Change” at CRN Pipeline on August 14 and 15. See the Pipeline agenda and register your interest in attending.