This is an abbreviated version of an article that was originally published in CompTIA World, issue 14, 2024-2025.
In a time when MSPs are increasingly a target of both hackers and lawsuits from compromised customers, it’s imperative to find a way to show clients, prospects—maybe even your own team—that you have attained a certain level of cyber knowledge and skills. Trust and faith are powerful ingredients to a successful business relationship.
Aligning your organization to an industry-recognized cybersecurity framework or set of standards can go a long way to build that trust. To aid in that cause, CompTIA Community members worked together to help develop the CompTIA Cybersecurity Trustmark, an updated version of a prior Trustmark that is foundationally based on the Center for Internet Security’s 18 Critical Security Controls, as well as controls from other globally recognized frameworks. The CompTIA Cybersecurity Trustmark is a valuable pathway for MSPs to follow to improve their cyber prowess, according to the first companies to earn the distinction.
“Having an industry-recognized assurance that checks boxes and validates to third-party assessors speaks a lot to an organization and provides more value to MSPs,” said Yong Oh, senior associate director at AEM, a Reston, Va.-based MSP that has earned the trustmark.
For example, showcasing the trustmark helped Alvaka Networks reduce the time it took to win one client from multiple hours to just 10 minutes, according to Kevin McDonald, COO and CISO at the Irvine, Calif.-based MSP. “Our industry is laden with marketing terms, acronyms and promises that too often do not align with the firm making the claims. Differentiation is vital to getting above the immense noise and gaining the trust and patronage of the more sophisticated clients we seek out,” McDonald said. “Having an outsider’s review drives better understanding, lowers internal resistance from the top down and supports consistency of investment from all involved.”
Alvaka had the first (and now retired) version of the CompTIA Security Trustmark+ and jumped at the chance to earn the new trustmark to demonstrate to clients that it was serious about its security posture, McDonald said. “The trustmark shows partner auditors that we do not wait for client opportunity or regulations to push for improved security,” McDonald said.
Proving Cyber Skills, Impressing Clients
Clients and prospects still ask questions but sharing results from an audited process minimizes the inquiries and time it takes to answer them—expediting the sales cycle. “On several occasions the risk manager of a large new client questioned our security practices as part of due diligence. After reviewing the trustmark certificate and descriptions, the client asked to talk with someone at CompTIA. After that dialogue, we were able to fast track the whole vendor cybersecurity review process,” McDonald said. “The trustmark has created a clear differentiator for us in the marketplace and led to closing new business.”
CloudTech24, a UK-based MSP, is pursuing the trustmark to demonstrate its dedication to cybersecurity in a market riddled with those who are not, according to Craig Bird, managing director.
“MSPs face challenges to stand out from competitors and instill client confidence,” Bird said. “This helps by providing clear standards for governance, controls, and processes, and enabling MSPs to differentiate themselves effectively.”
The process will take time, but it offers a reassuring confirmation that the trustmark isn't merely superficial, Bird said. “It has been a valuable learning experience and an opportunity to conduct a comprehensive review of our cybersecurity practices and understanding of our strengths and weaknesses,” Bird said.
“The process is rigorous and thorough, requiring dedicated time, resources and expertise. It's essential to approach it with a realistic understanding of the commitment involved. But also recognize that the process is not just a positive outcome of achieving a badge—it’s an opportunity to implement positive security changes within your business.”
What Does It Take?
The CompTIA Cybersecurity Trustmark is not a one-time or permanent distinction. After all, the cybersecurity climate changes every day. Companies that earn the trustmark will be audited annually to ensure they’re still adhering to industry standard processes and guidelines. That will make it even more valuable to MSPs who maintain their trustmark standing because they can continue to prove to customers that they are not stagnant in their cyber posture.
“With that scrutiny comes an obligation to not just maintain our defensive posture but to improve upon it and show consistency throughout the year,” McDonald said.
How hard is it to earn the CompTIA Cybersecurity Trustmark? What is required? To start, MSPs should get familiar with recognized industry standard frameworks and controls including CMMC, NIST CSF and HITRUST, SOC and ISO and CIS. The CompTIA Community Cybersecurity Programs team provides written and verbal guidance on how the controls are expected to be met. Obtaining the CompTIA Cybersecurity Trustmark isn’t quick or easy—and that’s a good thing, said Oh. It’s important that every “i” is dotted and every “t” is crossed across the entire organization.
Customers’ businesses and MSPs’ reputations are on the line.
MSPs must provide access to a governance, risk and compliance (GRC) platform that requires each control to be addressed—allowing them to determine if they fully or partially meet implementation and enforcement obligations.
“It took planning, outreach to employees and a lot of documentation for about 140 controls,” Oh said. “There were processes that needed improvement and we had to communicate with our employees on a frequent cadence as to what’s happening in the industry and how that applies to our business.”
For example, AEM set up access reviews for multiple groups across the MSP organization—groups consisting of resources that deal with distributors, Microsoft 365 and various cybersecurity products.
“We’ve got close to 2,000 groups and we only have about 300 employees. People have multiple responsibilities. Group owners help facilitate, govern and manage their groups,” said Oh. “That’s important because we don’t know when a guest or contractor is no longer on a project or an employee transfers to another department. We also have employees take more ownership in security in that sense to oversee and manage the groups they’re responsible for.”
Want more? Read the full article in CompTIA World.
Learn more about the CompTIA Cybersecurity Trustmark.