CompTIA signs on GRC specialist FortMesa to strengthen new CompTIA Cybersecurity Trustmark program

CompTIA launched this new program in December, and FortMesa will help MSPs to take advantage of the growing compliance market by leading them through the assessment and certification processes.

Matthew Fisch, FortMesa’s founder and CEO

FortMesa, which makes several tools for MSPs, with their GRC [governance, risk and compliance] platform being the main one, has come on board the new CompTIA Cybersecurity Trustmark program. Their GRC platform will support the Trustmark program through a scalable cyber credibility model for MSPs.

FortMesa is a relatively new company, which first came to market in 2019. They are nominally based in Spencertown, N.Y., a tiny hamlet in the western part of the Hudson River Valley town of Austerlitz, which itself has only 1600 people. That is because it is where Matthew Fisch, FortMesa’s founder and CEO, and a longtime Hudson River Valley resident, works from home.

“I’ve been running a security practice from home for a few years,” Fisch told ChannelBuzz. “When we launched FortMesa, we did direct selling to the enterprise in our proof of concept stage, with the centre of our value proposition being our ability to scale out to the edges. We went channel in early 2021, and closed down our direct sales at that point.”

Today FortMesa has between 40 and 50 partners, who are mostly MSPs, and who are located all over the world.

“We just entered the Canadian market in the last year,” Fisch said. “We are working with CYDEF [an Ottawa-based security company with a Zero Trust solution] and we are distributing them and they are introducing us to other partners.”

Fisch said that FortMesa helps MSPs sell security more effectively.

“We help them take compliance technology to their customers,” he indicated. “Today compliance rules are on every security form, and customers understand it. MSPs have been behind the times there, but are catching up, although you do have some who are effective at it, and some who are not.”

FortMesa’s support for MSPs provides service delivery and evidence through their platform.

“This is something that was originally designed for very large enterprises,” Fisch said. “MSPs and small business, even mid-sized enterprises, don’t work that way. We map the compliance journey for them.”

Fisch said that while FortMesa and CompTIA share a similar ethos, their focus here is somewhat different, allowing FortMesa to add additional value.

“With CompTIA, we had an interesting opportunity,” he indicated. “They had a slightly different market need than us. Theirs is pressure from regulators, because many customers don’t feel safe. MSPs only have a short period of time to figure out how to self regulate themselves effectively – and CompTIA is leading the charge here.”

This version of the CompTIA Cybersecurity Trustmark program dates from last December, although CompTIA has been active in trying to develop this for several years, with the Trustmark+ 2015 initiative being the first.

“They had some uptake before but there was an overall issue that until recently, it was still very early to market,” Fisch said. “As a result, small businesses didn’t understand the need for certification because that informed knowledge of compliance and why it is important was not widely understood. We think that the time is right now for standards, and CompTIA is the first on the block. In December, the Cybersecurity Trustmark program was put together by their advisory board. We are now taking the first group of Trustmark candidates through Certification, and we are hopeful by CompTIA Channelcon at the beginning of August, they will all be through assessment and the certification program to some degree. There is a waiting list now, but it is developing quickly, even though we are still early days.”

Fisch emphasized that both customer and MSP awareness of the need for effective compliance has reached the point where solid demand from both is just about here.

“My read is that over the next two years, we will see widespread adoption,” he said. “MSPs need to provide evidence that their practices are in conformity with compliance requirements. In two years, it will not be possible to run an MSP practice without this. There are alternatives to what we do. MSPs could use spreadsheets to do the same thing, but our automation makes it ten times easier for them.”