WIN

Chris Johnson helps IT companies WIN with a new cybersecurity trustmark!

March 22, 2023 Richardson & Richardson Consulting Season 2 Episode 6

Chris Johnson is a cybersecurity compliance strategist at heart. 

As a former MSP, Johnson focused on helping small to mid-size businesses make the strategic IT decisions and technology implementations that improved their cybersecurity posture. 

He is currently CompTIA’s senior director of cybersecurity programs and ex-officio chairperson of the CompTIA Security Community. In this role, he champions the abilities of MSPs looking to focus more on cybersecurity.

Chris joins Carrie Richardson on WIN to talk about the new CompTIA Trustmark certification program, and how this new certification will help security-focused MSPs WIN!


Carrie Richardson and Ian Richardson host the WIN Podcast - What's Important Now?

Carrie helps businesses improve their sales and marketing teams.

Ian is certified in Eagle Center For Leadership Making A Difference, Paterson StratOp, and LifePlan.

Learn more at www.foxcrowgroup.com

Book time with them here: https://randr.consulting/connect

Be a guest on WIN! We host successful entrepreneurs who share advice with other entrepreneurs on how to build, grow or sell a business using examples from their own experience.

Hi, good afternoon and thank you for joining me today. My name is Carrie Richardson, and I'm one of the partners at Richardson and Richardson. And today I am your host of WIN: What's Important Now. Joining me today is Chris Johnson, who works with CompTIA.

Chris, can you tell us a little bit about your role with CompTIA? 

Yeah, sure. It's great to be here. So I run compliance programs under the cybersecurity programs and initiatives for CompTIA, which is part of the membership side. And it's one of those, we say programs.

And I came on board with, what programs, plural, are we referring to? I only know of the one, and that would be the Trustmark.

So I got the big eyes from Wayne, who said, I think you can figure out where this goes, that we might have more than one program down the road. So today it is a program of one. But in the near future, or not too distant future, I'm sure that it will be morphed into multiple programs.

All right, so the Trustmark was something that I wanted to talk about today. When we talk about opportunities and how people are winning, how is this going to impact the managed services space? How will it impact the managed services firms themselves, and what impact will it have on their clients? So I think one of the things that, you know, a why: why the Trustmark, and what's the relevancy today with all of the different regulatory frameworks that are out there, the different choices that solution providers could go after?

And I think part of the challenge has always been, if I'm not regulated or required to do this, why am I going to do this? And I think that's a fair assessment. And we talked about this a little bit before: depending on where you're at as an MSP from a maturity standpoint, your growth changes, right?

It's maybe less about how many new clients can I add, but how much more efficiency can I get out of the current client base? And then reevaluate: do we want to continue growing? And I think the same is true as cybersecurity's been thrust upon us. It's not something that we went looking for.

We didn't. Back when I had my MSP, our goal wasn't like, number one, we're gonna be cybersecurity focused. That's the number one thing on our plate. No, that was not why. We always said we can do it better than the company that we worked for. We can make sure that there's less downtime. That was the driver.

Today it's like, how do I keep you from having to pay a PR firm to explain away what just happened and why all the data is somewhere on the dark web and you should still do business with me? And the Trustmark isn't necessarily the end-all, be-all to solve that problem, but it was a way for us to go:

MSPs need a starting point. They need a: provide me a set of controls and safeguards that I can align my organization to, that will give confidence, both with my internal staff that we're doing the right things and going in the right direction, and then also, to your point of why the clients would wanna see this, hey, I'm being measured against a set of standards to show my posture as it pertains to cybersecurity.

And the reason we weren't successful on a larger scale before is because we maybe didn't do it in the right timing. So I think the need for the Trustmark wasn't quite there yet. And the way that it is today, the other component that's been added is it is audited annually. An annual audit is required.

So this isn't just like, I attest to doing it, you should trust me cause I say so. So there's definitely some trust but verify going with this.

So it's not a self-audited Trustmark. Who will be doing the auditing?

So I don't have the definitive on the who, other than they will be certified auditors.

So if they have the ISO, I forget the number that goes after that, for the certification to be a certified ISO auditor. But along those lines, that's what we're looking for. So we are working with a couple different organizations today to spell out what the actual audit looks like.

And then we're also working on, what does an accreditation board look like? So we don't want an MSP who, say, the three-person company versus the 50-person company. While the idea would be the auditor is objective with both of those entities, we know that's still very difficult as an auditor to go, I'm looking at this through the same objectivity, knowing full well that they can't be really the same as far as their maturity or capability at that capacity.

We think that there's the checks and balances there. And to your self-attestation: so there is a piece of this that we're calling self-attestation, and what that really means is I am self-attesting to having done the work, and then there would be a partial audit, or like cherry-picking of some of the safeguards and controls, to say, hey, yeah, you are doing what you say you are.

We think you're at a point where you should continue to move forward and go after the fully audited version of the Trustmark.

So if you've got a three-person business and a 50-person business, will the burden of proof be identical for the three-person business and the 50-person business? Is it putting an unfair burden on the smaller business to have to prove that they can do the same thing as the 50-person business? Or is that kind of the goal, to eliminate the people who aren't able?

Wow. So that's a loaded question. So yes. So the idea, no. That's a fair question.

Sorry. Not sorry. Yeah.

Funny. Haha. No, haha. Yeah. I think that the way I would respond is to say that the safeguards and the controls themselves, they don't distinguish the size of the organization that needs to satisfy the control. That being said, if you, I'll just give an example: active and passive scanning, two of the safeguards that are in there.

I think that a larger organization is more likely to be able to produce evidence that supports that both of those are happening relatively easily. Whereas a smaller entity may go, hey, it's just two of us. We have our laptops and we regularly are not even on the same network. That would be, under an objective viewpoint, one would say, there's not going to be an active and passive scanner that sits somewhere else, but that doesn't mean we don't have evidence that's supportive on that laptop of saying, I am aware of my surroundings and I can satisfy through a sort of compensating control or an explanation of why I don't have those things.

And I think that's where the maturity comes in. So if I can defend why I don't need to satisfy that safeguard, then I think that's still doing it at the same level as the 50-person company or whatever the size might be. We're all snowflakes, right? No matter how we wanna build a snowman, until we get to building the snowman, we're all very unique snowflakes, right?

I gotta tell you, after working with thousands of MSPs, that is not true. No, they're not snowflakes. They're not snowflakes. Oh. But they believe they are. There are identical challenges at every stage of development through the managed services space. And I think that this is gonna be an interesting move towards more regulation, not less, which I would say is needed in our industry.

And I think many people would come fight me on that. 

So I agree with you. So, one of the things, to my snowflake comment: I am in the mindset of we believe we are snowflakes, not that we are in fact snowflakes. We would like to think we're the only ones that have the problems, right? I think in the regulation space, we're seeing it, especially when you go outside of the US: regulation is happening in the solution provider space, and one of the challenges we have, whether it's being defined or not, is what defines a solution provider in the first place.

You could be borderline more consulting on SaaS cloud applications, and then the list goes on and on of MSSP or MSP, and we don't want to go down this rabbit hole of splitting hairs on that. And I think that's one of the challenges. So one of the suggestions that's come up is, what if the Trustmark was what defines being a solution provider?

If you can pass Trustmark, then there's confidence in the way you approach security and that maturity that goes with it, to say I don't really care exactly what you do as a business. We're saying that you're meeting the criteria to build confidence, qualify for insurance, things like that.

I think more regulation, it all depends on where the regulation comes from. So I think because we've been so loosey-goosey in the industry on what defines the solution provider, the last thing we wanna see happening is this like wide brush stroke that puts everybody into a category that maybe doesn't work.

And if we beat, say, the federal government to the table with a self-regulated model. And when I say self-regulated, I don't mean if I have an MSP, I'm regulating myself, but more that the private sector has come to an agreement of saying, we're recognizing this third party who does objective audits with accreditation, and we're gonna accept that.

And I think that is maybe, to your point, like it is more regulation, but without having government strings attached to it, which I think, as busy as we've seen CISA and other departments of government, like the number of resources that they have to allocate to some of this stuff just isn't on the scale that they really need.

So anything we can do to offset the demands that are placed on them and deliver something that meets or exceeds their expectations is, I think, a win for...

So if I think about this like a Illa certification right now, when you hire a tech who has achieved a certain level of certification, unequivocally they are able to do X, Y, and Z.

Sure. Same with ITIL. Using a specific set of language, a specific set of tools to measure. Sure. If someone says that they are ITIL level whatever, you should be able to assume that if they can pass that test, they can do all of the things listed as qualifiers to pass that test. Yeah. Is it a similar approach as far as, hey, we know that if they have the Trustmark, these 10 things have to be true?

Yeah, so it's funny you used the analogy that stays under the CompTIA umbrella. So when we refreshed the Trustmark, which used to be called Trustmark+, we took the plus sign away for the very reason you just described. If I go get A+, Network+, Security+, all those that end in pluses, we know that those are definitively, or by definition, those are for an individual.

We removed the plus sign because we want to establish the recognition that the Trustmark is organization-wide; it is your organization. Move with the asset, correct? Correct. Called a person an asset. Right, the organization as a whole can be certified versus each individual person.

Correct. Within the organization being certified. Correct. Yes. And so along those lines, one of the things that we were discussing last week, we were at the CCF. One of the conversations that came up was, as I look at the Trustmark, there's an opportunity to go, okay, for like security awareness and skills training, what does that mean inside my organization?

It's, oh, that's funny. Funny you should ask. We have all of these different certifications that CompTIA already has available that one could use to help crosswalk and say, I know that if I have technicians or engineers that work for my organization capable of satisfying these certifications, then they're also gonna be good candidates for helping me as an organization solve for, in addressing, these controls and safeguards that our organization needs to achieve.

I always like to think about something in terms of, how is this going to help me generate revenue or protect revenue? And when I think about a Trustmark, I think that, all things being equal, as consumers are the people that are buying managed services or managed security services,

eventually, with all things being equal, they're going to choose a partner that has proven that they are going to take my security as seriously as they take theirs. And I believe something like a Trustmark is needed to demonstrate that. It becomes a competitive differentiator, not just something that you have to do to check boxes and have an enormous amount of bureaucracy come across your plate.

But what differentiates you from the guy down the street? This Trustmark can do that. How do people start sharing that message with their clients and their prospects in a way that clearly demonstrates the value of having the Trustmark?

It's interesting. So there are current active Trustmark holders from before we sunset, or retired, the previous one, and it's obviously still in use as far as value until this one completely replaces that. Now you can't go get the old Trustmark today, but if you have it and you're showing that you're moving towards the new one, obviously we want to honor that. The interesting thing is, especially when you look at state and local government today. I haven't seen a lot of it in the federal space.

We're seeing a lot of that get defined by the CMMC path today. But on the state and local government side, we've seen where municipalities or areas of critical infrastructure are asking in RFPs, what sort of certification or auditing or evidence can you deliver to us that supports a maturity, that gives confidence that if you were awarded this bid, we're not gonna be splashing the front page of tomorrow's newspaper.

And we've even heard it said, in those meetings where all of the bidders get put into the same room when they're planning or prepping an RFP, getting input, having other solution providers say, this is an unfair advantage. This isn't fair. That MSP who, fill in the blank, has the Trustmark, and you're using that, you're basically discriminating against the rest of us.

And it's, no one's telling you not to go get the Trustmark, not to mature your business in a cybersecurity model. So I think that's a really interesting differentiator in itself. And I get asked that question a lot from an opportunity standpoint, and I always say, if the opportunity is what's driving you to do this, odds are it will be a very far-reaching goal, because you're trying to get there before you've finished all of the steps.

But if you recognize the opportunity, because you have the Trustmark, then the focus on getting that done will be paramount, knowing full well that it'll pay its dividends back once you...

And will CompTIA be the person that becomes the recognizing or auditing body? Or will there be third-party bodies that are certified in attesting to certification?

Yes. Auditing will not be internal to CompTIA. It has never been internal; it has always been through a third party. What we are looking at doing, that is internal through our volunteers, through membership, is standing up what will be where our accreditation board comes from. So we get that view of a different type of objectivity, like we were talking about before, where it's like the three-person company versus the 50-person company.

Being able to put that in front of a group that has those mixed experiences, based on those different sizes of organizations, and being able to go, hey, if we apply the right amount of scrutiny to this, we can see that both companies meet the criteria to satisfy the Trustmark. Even though the auditor may have said they failed on these two safeguards, point-wise makes them fail, and we're like, wait a second. If I use a compensating control and I look through the lens appropriately, I can say they are meeting or exceeding. They just don't have the same level of application in their organization that a larger entity might.

How does this impact the sub-million-dollar MSP?

So I think the sub-million MSP space, and that's really getting into where I think there's a lot of MSPs, I think it creates a lot of opportunity, and it's gonna be twofold. One is to be able to not necessarily grow to being a big entity yourself and still be successful. Cuz a two-person company at a half million dollars is, that's a pretty impressive feat.

I take that, actually. Yeah. If I choose, I'm at half a million dollars and one employee, or 3 million and 20, I'm gonna go for the one. And if we go back 10 years, I think that was a really near-impossible feat, to scale or stay at that and not have huge, forget the cybersecurity side of it.

Like it just, there were so many variables then, because we had tools that weren't mature. We had workforces that hadn't developed automation or real follow-the-process procedures to get to that consistent outcome. And today we see that over and over again, where a new MSP has come out of left field in their region and they're doing the due diligence and they're doing it right.

And I think this is a great opportunity for them to distinguish themselves from those that are trying to just build a lifestyle brand and don't really care outside of getting a paycheck.

So we had a little talk before we went live today about your bookshelf. Yes. And I wanted to know what... On the back there I can see a couple of titles that I'm excited about and that I have read multiple times.

Sure. If you're gonna pull one book off the shelf and tell everyone that's listening today to check it out, what book would that be?

It's funny, you like literally put me on the spot, cuz what's on the bookshelf is probably not what's currently being read, cuz they're sitting here on a stack. Alright, let's see.

Okay, so I have Cyber Fit in 21 Days by Anne Wester Heim. Great book.

Oh, I cannot say enough great things about Anne, and I believe that she will be a guest on the show shortly. Awesome. And if not on this show, you can find her on the two seats community channel. She'll be sharing her career path with us shortly.

So a hundred percent. Awesome. Read that. And then I haven't started it yet, but this was recommended. It's Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Those are the ones on my read today. But in the context of what you asked, looking at the bookshelf, there is one book that always comes to mind from the days of the beginning of my MSP, and I could probably in about 10 seconds find it. It's The E-Myth Revisited, Michael Gerber. Hands down, fantastic book. Anytime someone says I'm struggling with, and it's okay, I'm just gonna tell you to read this book, and I really mean it. Like, read this, sit down, read it. And it changed how I built my business.

It changed my outlook. And anytime I get the complaining, the doom and gloom, of someone who's been an MSP for a long period of time, and I know they've probably at some point in their career looked at or read the book, I always ask, are you doing what Michael Gerber says you need to do? And usually it's a, you just, I'll just say pie shop.

Yeah. Pie shop. Yeah. Yep. But yeah, Traction. That's the other one. They're all the same. Yeah, they are. But we also had a quick conversation about why entrepreneurs don't invest in their own education early on in the process. Like, why are we the smartest people in the room? Sure.

Until we're not the smartest person in the room. Where do you think that click comes from, where all of a sudden you're investing in education, you're rereading books, you're hiring consultants, you're getting Trustmarks? When does that...

So I remember early on, when we were rolling out and we were investing in things like professional services automation and what RMM tools we were gonna use.

And I remember saying this very naively: my PSA, my RMM may change tomorrow, but my PSA is here to stay. And that was a very naive thing to say. Cause what I really should be saying is, as I develop my processes and procedures and as I mature, I should always be on the lookout for what are the tools and services that help best facilitate that.

Either I'm willing to change to the tool, or I'm finding a tool that most closely aligns with me. And I think part of the naivety that I had was, if I would've invested the money in an onboarding with, whether it's ConnectWise or Kaseya or you fill in the blank, if I'd invested the money in paying a consultant to actually onboard us to use the tool the way it was intended, and take a look at how we can most optimize our business, I wouldn't have started with a runway that's 20 miles long.

I literally could have probably taken off vertically into the airspace, right? So I think that's, because we also started without money in many cases, right? So the idea is, I can figure this out, we're engineers, I can solve this, I can figure it out. And as we matured, we quickly realized, like, we'll never have that knowledge level on being an expert on the tool.

We just want to use the tool. So I think that's largely, the money thing is what drives that decision making, is we're so afraid of spending money on those things that will make us more successful, including consultants like Richardson and Richardson, just using that as an example. Like I wish I would've had the guts when we were a sub-500K MSP to go, look, I don't need to go to Cabo this week, or wherever it is, for, it's continuing to support my quality of life.

And hey, wait, we're a 2 million, we're a 2 million company. How did that happen? Oh wait. We invested in being successful as an MSP.

I think that's a great place to end today's episode of WIN. And I really appreciate you joining us to share a little bit about what's going on at CompTIA. I know that Ian will be joining you on your podcast.

Yes. Sometime in the near future. Yes, and I'll look forward to listening to that as well. I appreciate your time. I know that our listeners appreciate your time, and there will be some show notes that outline the CompTIA program, and they'll tell you how to get in touch with CompTIA and they'll tell you how to get in touch with Chris as well.

So thanks for joining us today and sharing how you're winning, Chris. 

Hey, thanks for having me on the show.