Landing the Big One: Implementing a Cybersecurity Framework Is the Ultimate Trophy Fish

By Miles Jobgen

Mar 18, 2025


Before me was probably the largest trophy marlin I had ever seen. Though hanging on the wall, I could feel the power it once controlled. Subtle coloring reflected light, its raw nature on display, everything working in tandem. It occurred to me what an effort it must have been to reel in such a magnificent specimen. And yet I had no understanding of the detailed preparation and daily persistence of the angler behind the catch.

Likewise, it’s hard to understand the effort it takes an MSP to successfully implement a cybersecurity framework. After all, frameworks do a good job describing the “final state,” where everything works great and runs like a well-oiled machine. They tend to come up a little short, however, when it comes to helping you get there. Even at GTIA (well, at least when we were CompTIA) our approach to the Cybersecurity Trustmark was to scour the world of cyber and risk frameworks for elements that best fit the modern managed service provider. The 177 safeguards identified provide a comprehensive view of a fully implemented risk and cybersecurity management program, integrated by documented policies, properly configured logical controls and informed staff.

Sounds like a pretty nice trophy fish, if I do say so myself.

But in the 18 or so months since the launch of the Cybersecurity Trustmark, we have started to notice three distinct patterns in how and where progress through the program slows down:

  • Leadership support evaporated
  • Budgeted resources were not enough
  • Bogged down in minutiae

To counter those challenges, our focus for 2025 is to provide more help. Let’s start from the bottom up.


Bogged Down in Minutiae: Break Through with Improved Prompts

The Cybersecurity Trustmark is a lot. 177 safeguards covering everything from how systems are configured and protected, through policies supporting proper risk management, to the humans living the culture. This document shows what it can look like if your culture, leadership, policies and technology are working together to make each part better. Other frameworks show what it can look like once all of their controls have been implemented. But how?

At this point, many frameworks would suggest getting a consultant to help you implement a management system. Conveniently enough, they may even have a list of people who can help. You, in turn, are expected to pay this other person to tell you how you are running your business in alignment with that framework and give you a binder that you put on your shelf to pull out whenever someone asks you if you are compliant.

We don’t want you to spend more money than you need. You’ve got something like nine streaming apps trying to do that to you already.

Instead, the 2025 version (call it 2.0) of the GTIA Cybersecurity Trustmark includes several prompts for each safeguard. These prompts may call out a specific area of guidance from the safeguard you should pay attention to. They may encourage you to do research or education on topics to help you grasp the scope of a concept. They may explain how one safeguard informs another to help limit your scope of response. But many of the prompts are simply questions about how you have implemented your solutions to the presented safeguard. These prompts are designed to give you something specific to respond to that the assessor will find useful in their evaluation of the level of implementation you have in place. The idea being: Follow the prompts, learn to fish.

Budgeted Resources Not Enough? Explore Delegation and Scope Limitation

Another cause of slow progress is realizing there is more documentation and auditing to be done than initially estimated. This can lead to some paralysis by analysis, or even a plain ol’ lack of hours in the day. Breaking through this challenge requires maintaining the perspective that the Cybersecurity Trustmark is not a checklist, a badge or a thing you get and move on from. It is an ongoing process for getting better at taking a risk-based approach to the implementation of cybersecurity and business operations.

In other words, it’s OK if you’re not perfect. You’re learning to fish. It takes repetition, learning from failure, learning from success, integrating ideas and trying out something new. And it takes time.

We have also seen MSPs that have been able to delegate roles temporarily as the business focuses on working through the program. Bringing in more people to help with evidence collection and documentation as well as unloading current tasks to other people can allow more time for the Trustmark.

Leadership Support Evaporated? Commit to New Priorities

A critical component to the success of the Trustmark program is the support of executive leadership. Without it, resource allocation becomes a major challenge, continually having to answer “why are we doing this” becomes a distraction, and frustrations mount. It is important to be honest with leadership and for leadership to be honest with itself as to the impetus behind earning the GTIA Cybersecurity Trustmark. Is it a marketing play? Is it a desire to land a specific contract? Is it a recognition that internal processes are working against one another? Is it a desire to be “more secure”?

Without answers to these types of questions, it gets harder to implement safeguards and controls. Luckily, GTIA is also interviewing MSPs that have completed the process, and our marketing and promotional efforts will continue, bringing attention to all the excellent anglers out there in the MSP industry.

Enjoy Fishing Season

Helping you understand how each safeguard fits into your overall cybersecurity system, how to know if you’re doing it already or not, what to consider when implementing a control…these are the challenges the new prompts are trying to help you work through.

You’ll find as you work through the prompts that you will get better at knowing what to expect and how to provide evidence of an action being taken. The prompts are designed to work those muscles in a consistent manner, training your mind to view the safeguard as intended and giving you the tools and skills to land the biggest fish of your life.

Learn more about the GTIA Cybersecurity Trustmark.

Miles Jobgen is the senior director, cybersecurity relevancy programs, GTIA.
