A new organizational trustmark designed to help managed service providers (MSPs) and solution providers elevate their cybersecurity awareness and readiness was introduced today by CompTIA, the nonprofit association for the information technology (IT) industry and workforce.
The CompTIA Cybersecurity Trustmark details a clear path for MSPs to achieve foundational cybersecurity hygiene, laying the groundwork for a functional security program within the organization. Today’s launch announcement was made during the opening keynote session of the CompTIA Communities & Councils Forum in Chicago.
“The goal of the CompTIA Cybersecurity Trustmark program is to raise awareness and understanding of cybersecurity throughout an MSP organization,” said Wayne Selk, vice president for cybersecurity programs at CompTIA and executive director of the CompTIA ISAO. “We believe the trustmark will help MSPs bring about a positive shift in their overall security culture and have a positive impact on their risk posture.”
More than 400 technology companies from around the world have joined the wait list for the CompTIA Cybersecurity Trustmark, including some who have participated in beta tests and early pilots of the program, according to Selk.
The trustmark maps to several control frameworks recognized as industry-accepted best cybersecurity practices, including the Center for Internet Security® Critical Security Controls, ISO/IEC 27001, the National Institute of Standards and Technology (NIST) SP 800-171, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
Companies that participate in the CompTIA Cybersecurity Trustmark program will work toward reaching three distinct milestones.
- A readiness path to help MSPs baseline their current security and risk posture, including a gap analysis and a mentor, if desired.
- Once the organization is ready, the self-attestation path includes an audit review of a subset of controls and provides a report, which will give the organizational stakeholders a list of actions and additional milestones to complete on the journey toward the full audit to earn the trustmark.
- The last path is to go through a full audit of all the controls and provide the required evidence. Upon that audit review, the organization will receive another report and, if accepted by the auditor, the application will be sent to the Accreditation Board for review, approval and acceptance for the awarding of the trustmark accreditation.
The new trustmark, a successor to the previous CompTIA Security+ Trustmark, launches with the “clear understanding there is more to do for the MSP community,” Selk acknowledged.
“That is by design,” he explained. “We need industry adoption while raising awareness and understanding on why security controls are important.”
The uniqueness of the MSP market is a key motivator in CompTIA’s decision to introduce the new cybersecurity trustmark. Selk noted that most MSPs serve multiple customers in various industries with different compliance and regulatory environments.
To keep the new credential current and relevant to the changing cybersecurity landscape, CompTIA intends to make major revisions to the trustmark program each year and minor adjustments every six months.