Eight Steps to IT Security Success
A practical guide for solution providers 
www.comptia.org/communities 
Quick Start Guide
Solution provider Jacob K. Braun prefers a reasoned approach when selling IT security 
to clients. Rather than trying to scare clients, Braun appeals to their sense of ethics. 
“I ask them: ‘What would your clients say if they knew you didn’t have security in 
place?’” says Braun, the president and chief operating officer of WakaDigital Media 
Corp., a managed services provider (MSP) based in Amherst, MA. 
“You can approach it from the fear factor, but the fear 
factor can backfire pretty quickly,” he says. Scare tactics 
put clients on the defensive, and that makes it much 
harder to sell them the solution they need, he adds. 
No one really questions the need for security, even if too 
many clients still don’t have a good grasp of everything it 
entails, say Braun and others in the IT channel. The onus, 
therefore, is on solution providers to educate clients on 
security risks, assess those risks, and address them in a 
comprehensive way. They also need to ensure their clients 
comply with a growing set of federal and state data-protection 
regulations. 
“Security is much more than perimeter firewalls and 
anti-virus protection. A truly secure approach must be 
multi-faceted and comprehensive,” says Jim Hamilton, 
senior director of member communities at the Computer 
Technology Industry Association (CompTIA). CompTIA is 
based in Downers Grove, IL, and is known as the largest 
nonprofit trade association in IT. 
A truly secure environment provides protection, 
prevention, and remediation. To achieve all that, say 
security experts, a security platform has to perform 
multiple functions in what is called a multi-layer 
approach: firewalls to control network access, tools that 
filter Web content and e-mail, encryption protocols, and 
intrusion prevention and detection. Security also entails 
policies and tools that control the use of passwords, 
mobile and VPN connections, which users access which 
data, and how to react when a data breach or leak occurs. 
The proliferation of cloud-based solutions and 
technologies such as social networking and virtualization, 
say security experts, makes the already-complex endeavor
of securing IT environments even more intricate. New 
challenges such as protocols for using social media and 
how to apply security policies to virtualized networks 
have to be addressed, says Tim Larocque, director 
of sales at Ottawa-based Interwork Technologies, a 
distributor of IT security solutions. 
“Those are significant challenges that I don’t think 
most solution providers are taking the time to address,” 
Larocque says. 
Step 1: Leverage compliance regulations for security growth
Solution providers that take the time to understand 
security requirements stand to gain from a healthy, 
growing market. The need for security never goes away. 
It keeps increasing as hackers find new ways to break 
into networks. 
Market research firm Gartner predicts 4 percent growth 
in 2010 in security-related software sales and 3 percent 
in security services. Those are healthy enough numbers,
especially on the heels of a major recession, but MSPs and 
providers of cloud-based services say they are seeing growth 
rates of 25 percent or more. 
“We’re seeing very, very healthy growth in the security 
market,” says Larocque. “It’s a very predictable and recession-proof 
market.” Interwork partners, he says, are enjoying growth 
rates of as much as 40 to 50 percent. 
One major driver, according to IT security experts, is the 
need for organizations large and small to comply with data 
protection laws. Businesses that handle sensitive data, be it 
financial information, medical records or legal documents, 
have to comply with a growing set of regulations, both at the 
state and federal levels, imposing strict requirements on how 
to handle the data. 
Federal laws enacted since 1996, such as the Sarbanes-Oxley
Act, which applies to accounting practices, and HIPAA
(Health Insurance Portability and Accountability Act), which 
addresses medical records, have created a cottage industry of 
compliance-focused solutions and services. 
Forty-five states and the District of Columbia also have passed 
regulations designed to prevent breaches and protect privacy. 
More laws are on the way, including a data breach-prevention 
bill now under consideration in Washington, D.C. 
Step 2: Don’t ignore the cloud, celebrate it 
Next to compliance, the increasing popularity of cloud 
computing is the biggest driver of the IT security business, say 
security experts. Gartner predicts cloud-related business will 
grow to $150 billion in 2013, more than triple what it was two 
years ago at $46 billion. 
Interestingly enough, security and the cloud have a paradoxical 
relationship, says Earle Humphreys, chief executive officer 
of ITEEX, a channel development company with a strong 
focus on security. Many end-user organizations, accustomed 
to having all their hardware and software on premise, where 
they can keep a close eye on them, have reservations about 
tapping the cloud for business-critical applications. They worry 
about whether their applications and data are secure enough 
in the cloud. As a result, says Humphreys, some put off cloud 
computing plans. 
“If you take a look at the top reason not to adopt the cloud, it 
is security,” he says. 
Still, and here is the paradox, while security may hamper the 
adoption of cloud computing, the business of security receives 
a significant boost once end users decide to go ahead with 
cloud-based implementations. For one thing, the cloud makes 
it possible to centralize management of entire IT environments. 
On Patrol With the CompTIA IT Security Community 
To help solution providers stay abreast of developments in IT 
security, both at the regulatory and business level, CompTIA 
recently created a collaborative group to foster discussion among 
peers and share resources. 
The CompTIA IT Security community, which developed the CompTIA 
Security Trustmark business credential, keeps members informed 
of IT security developments through a regularly updated blog. The 
community also encourages members to share best practices, help 
solve collective problems, and build relationships that can lead to 
valuable partnerships. Members include VARs, managed services 
providers, distributors, vendors, and other industry experts. 
Through the community blog, members have been able to keep 
track of significant industry discussions, such as the national data-breach 
legislation proposed in Washington D.C. While different 
states are addressing specific actions when a data breach occurs, 
no Federal law has yet been established. Though Congress has 
discussed the legislation, it’s unlikely that anything will be passed 
until late 2011. CompTIA is lobbying for passage of the bill on behalf 
of the industry and will continue to provide frequent updates to the 
IT Security Community. 
The group is also working to establish a code of conduct, a one-page 
document intended to help members meet their obligations 
to the industry and their constituents. These responsibilities include 
the protection of customers and their IT environments, reliable 
service, and the advancement of community and CompTIA goals. A 
draft of the code has been distributed to the group, and members 
are expected to ratify it in short order. 
Other activities the group is currently engaged in include creating end 
user education for compliance and regulations, identifying security 
issues related to new technologies, developing security education 
tracks for solution providers, and developing an industry awareness 
campaign for the CompTIA Security Trustmark business credential. 
Find out more about the CompTIA IT Security community at 
www.comptia.org/communities
As a result, security is at least as good as, or better than, in
strictly on-premise environments.
In addition, the cloud eliminates most upfront on-premise 
software and hardware investments, which makes it 
irresistible to organizations under constant pressure to 
maximize their IT dollars without adding staff or expensive 
equipment. 
Making the cloud even more attractive from an economic 
standpoint is that as cloud-based solutions proliferate, the 
cost of the solutions decreases, says Scott Barlow, vice 
president of sales and marketing at Reflexion Networks, a 
vendor of hosted e-mail services based in Woburn, MA. 
The cloud is changing the security business, and 
solution providers are cashing in. The technology itself, 
be it e-mail filtering, intrusion detection, or anti-virus, 
often is sold at cost or even at a loss, says Interwork’s 
Larocque. Providers make up for the upfront loss 
by packaging the technology with monitoring and 
management services that they perform remotely and 
charge users for on a subscription basis. 
Step 3: Weave security into every opportunity
For solution providers, security is both a requirement 
and an opportunity. It’s a requirement because of clients’ 
regulation compliance needs and an opportunity because 
of those needs and the expansion of the cloud. 
So while security traditionally has been considered a 
specialty in the IT channel, the market dynamics now require 
at least a basic level of security competency. “Security must 
be an element of every solution implemented and managed 
by solution providers,” says Hamilton. 
Especially if you’re delivering managed services or hosted 
solutions, there is simply no way of skirting client security 
needs. “Security should be sold as part of every MSP 
sale because security touches everything in a customer’s 
enterprise,” says Todd Jones, general manager of 
Watchman Computer Services, a security-focused MSP in 
Denver, CO. 
When taking over part or all of a client’s IT environment 
remotely through a managed services arrangement or 
delivering applications over the cloud, solution providers 
Master the CompTIA Security Trustmark 
Since its launch in 2008, the CompTIA Security Trustmark business 
credential has become the industry standard for solution providers 
wanting to assure customers they have the experience and know-how 
to secure their IT environments. 
The vendor-neutral, business-level credential identifies solution 
providers that follow best practices, established protocols, and 
documentation methods in delivering security solutions to clients. 
For solution providers, there is no better way to stand out from the 
crowd when delivering security services and technology to clients, 
says Todd Jones, general manager at Watchman Computer Services, 
a Denver-based managed services provider. 
“Security touches just about everything,” he says. “It’s really 
important in the marketplace to have a standard of security best 
practices.” 
Earle Humphreys, chief executive officer of Information Technology 
Executive Exchange (ITEEX), a security-focused channel 
development organization, says the Security Trustmark program 
solved a problem in the IT channel. End users often were reluctant 
to engage solution providers because they had doubts about the 
providers’ level of expertise in security. 
“There was a credibility issue that was hurting vendor sales,” says 
Humphreys, who worked on contract with CompTIA to help develop 
the Security Trustmark credential. Now, he says, end-user clients 
have a reliable way to vet IT security services providers, while the 
providers stand to get more business by achieving a business
credential. 
To earn the Security Trustmark credential, solution providers have 
to complete a comprehensive review process that includes an online 
assessment and the submission of various documents detailing 
company processes and practices. Security Trustmark applicants 
also are subject to unannounced audits, and once they receive the 
credential, they have to undergo an annual review process. 
The Security Trustmark business credential differs from the various 
CompTIA certifications, such as CompTIA A+, CompTIA Network+ 
and CompTIA Security+, in that it covers an entire organization, 
versus validating individual competency. 
Find out more about the CompTIA Security Trustmark at 
www.comptia.org/securitytrustmark
accept a level of liability that didn’t exist in the old break/ 
fix, project-based client engagements. “If you don’t do some 
basic security for your client, you’re putting your business at 
risk,” says Humphreys. 
“Security is a discipline. It is part of the fabric, the expertise 
that you are selling your customer,” says Jones. “Any provider 
that approaches this as anything else is on the verge of 
doing a disservice to their customers and short-changing 
themselves. It is not a ‘bolt-on, set-it and forget it’ product 
that can be sold, installed, and then you’re on to the next sale.” 
To help solution providers meet their security requirements, 
CompTIA in 2008 launched a business credential, the 
CompTIA Security Trustmark. The vendor-neutral, business-level 
credential identifies solution providers that have proven 
they follow security best practices in accordance with 
CompTIA standards (see sidebar on page 6). The Security 
Trustmark gives solution providers credibility, says Humphreys, 
who worked under contract for CompTIA to develop the 
Security Trustmark credential. 
Step 4: Embrace best practices 
Much like their clients’ networks, solution providers are 
handling a heavy load when it comes to security. To ensure 
they do right by their clients, security experts recommend that 
solution providers adopt certain practices. 
Achieving a Security Trustmark credential, say experts, goes 
a long way to show clients you have the proper expertise and 
employ the best practices to protect their IT environments. In 
addition, solution providers should do the following: 
• Educate customers 
• Perform vulnerability assessments 
• Make sure tools from different vendors work together 
• Set policies for clients on safe computing practices 
• Know security regulations 
• Partner with other solution providers for expertise 
• Maintain communication with clients 
Subscription-based IT Security Services Gain Traction 
More and more solution providers are giving up on trying to 
squeeze profits out of IT security technology. But they don’t mind, 
so long as they get to charge the customer monthly or quarterly 
fees to deliver security as a service. 
Tim Larocque, director of sales at Interwork Technologies, an 
Ottawa-based distributor of IT security solutions, says deals in 
which solution providers sacrifice profits upfront in the expectation 
of future recurring revenue are increasingly common. Over time, 
the recurring revenue more than makes up for the upfront profit 
loss, he asserts. 
Whether they lump security with an overall managed services 
package or sell security as separate hosted services as part of a 
SaaS contract, the primary goal is to establish a recurring revenue 
stream from the customer. Clients in recent years have warmed up 
to the idea of paying subscription fees for cloud-based services 
that would cost a lot more if they had to deploy and maintain the 
technology on premise. 
In addition, handing over to a solution provider that can remotely
handle the burdens of updating anti-virus and spam-filtering
subscriptions, maintaining firewalls, and managing patches
keeps in-house IT staffing budgets down and allows companies
to better focus on their core business. To be sure, the cloud-based
security model is gaining traction, say security providers, but 
education is still necessary for clients who fear that cloud-based 
solutions are less secure. 
Larocque says Interwork’s most successful partners have concluded 
that their security focus needs to be on service, not technology. 
As a result, they are enjoying security business growth rates of as 
much as 40 to 50 percent, he says. 
Scott Barlow, vice president of sales and marketing at Reflexion 
Networks, a Woburn, MA-based vendor of hosted e-mail security,
is seeing similar trends. Reflexion partners, he says, are enjoying 
growth rates of 25 percent or more. “We’ve seen significant growth 
in the past 12 to 18 months,” Barlow says. 
Like Larocque, Barlow says he is seeing solution providers bundle 
their security services into managed services packages that also 
include remote monitoring and management of PCs, servers, 
network devices, and applications. Embedding security into managed
services contracts, says Barlow, makes it easier to address the 
client’s security needs.
Step 5: Re-educate customers 
Especially among small and medium-sized businesses
(SMBs), network and data security requirements often
are only partly addressed, and in the worst cases, almost 
completely ignored. Business owners, for the most part, 
understand threats such as viruses and spam, but they 
lack a comprehensive approach to protect their data, 
prevent intrusion, and implement policies on how to react 
to breaches. 
“Small businesses are too trusting,” says Jones. “They’re 
not as concerned as they need to be. They don’t
understand the risk unless you continuously hammer it 
away at them.” 
“Customers need to understand that security is not 
a technical solution you purchase,” says CompTIA’s 
Hamilton. “Security is a complex problem that requires a 
holistic approach to be effective.” 
In their role as educators, solution providers also need to 
point out the economics of security—that breaches can 
incur high remediation costs and in the worst cases put a 
company’s future at risk. 
“You’re essentially selling insurance,” says Barlow. 
Awareness is key, says Larocque. Business owners may 
lull themselves into thinking their data is safe if a breach 
hasn’t already happened to them, and as a result, not 
make the necessary investment. But they don’t realize, for 
instance, that malware is released every five seconds and 
an attack on their network could be only a matter of time. 
Solution providers must impress on clients that security 
threats are real, relentless, and constantly evolving, 
Larocque says. 
In fact, breaches take place practically daily, as attested 
by the Web site DatalossDB.org, which lists and 
documents all reported incidents and the number of 
records, from zero to the millions, exposed in each case. 
“Breaches are a regular occurrence,” says Hamilton. 
“Customers cannot afford to be blasé about the 
potential risks.” 
Step 6: Promote regular assessments 
Security has to be part of the conversation whenever a 
solution provider is pitching its offerings to a prospective 
customer, says Hamilton. “It can’t be sidestepped anymore.” 
As such, it’s a good practice to conduct an assessment of 
the customer’s security environment, including desktops 
and mobile devices, before deploying any technology. 
Assessments typically include checking the subscription 
status of anti-virus and anti-spyware tools and testing 
existing firewalls for effectiveness. 
“It probably wouldn’t take your average VAR more than 
a day or two to do a basic security assessment for their 
clients,” says Humphreys. 
Depending on the size of the client’s IT environment, 
an assessment may include vulnerability scanning to 
identify holes in the network and potential risks related 
to applications and Web services. Penetration testing to 
see how easy it is to break into the network may also be 
advisable. 
Assessments should look beyond technology to also 
cover policies, say security experts. Solution providers 
may find that a client has no policies in place covering 
how to react to data breaches or that an organization 
has never instructed its users not to share their individual 
network-access information. 
Assessment findings should be compiled in a report 
to share with the client to demonstrate current 
vulnerabilities and formulate a strategy to eliminate the 
vulnerabilities and build a solid security environment. 
Harmony in security 
Humphreys counsels due diligence in deciding which 
security products solution providers should use for their 
clients. Solution providers may prefer a firewall from one 
vendor and anti-virus software from another, but they 
need to make sure the different pieces work together. 
Otherwise, the result is unwanted complexity or, even 
worse, an environment that adds to the vulnerabilities 
it is supposed to be addressing. The history of IT is 
littered with cases of applications that were supposed
to be compatible but failed to communicate, as well as 
environments with different sets of hardware and user 
interfaces that turn into real nightmares for administrators. 
Hamilton says solution providers must think about the 
overall security landscape and how their solution fits into the 
bigger picture. 
For solution providers delivering security as part of their 
managed services offerings, the easiest way to go about this
is to pick a managed services vendor that bundles security 
tools such as anti-virus, e-mail filtering, and firewalls, into its 
remote monitoring and management (RMM) tool. “That way 
you know they picked the friendly products and you know 
they work,” Humphreys says. 
Step 7: Stick with clear policies 
Security transcends technology in that breaches and leaks 
often result from human error. A company may have the 
best technology available to secure its networks, but if 
users are sharing passwords, accessing Web sites that may 
contain viruses, or e-mailing unencrypted documents with
sensitive information, the technology won’t help them. 
Aside from day-to-day safe computing practices, policies 
also must address how to react when a threat is detected, 
a virus gets through or an application malfunctions and 
creates a point of exposure. Watchman Computer Services’ 
Todd Jones says the discipline of security entails three main 
elements: protection, detection, and response. 
“Without response you do not have security,” he says. “Every 
door can be kicked in, every safe can be cracked, every 
fortress can be breached, and every treasure can be stolen 
if there is no response. It’s no different with computer and 
network security. You can bolt in all the latest and greatest 
products, but installed without response, you do not have 
security.” 
Protocols need to be in place so that users and 
administrators know what to do when they receive an 
alert, says Jones, who believes that is where security as a 
managed service really makes a difference. 
For solution providers monitoring their clients’ environments 
remotely, that means having a policy in place prescribing 
action when an alert comes through. Be it a remediation 
Names and Organizations to Know 
Solution providers looking for tips about how to deliver 
security solutions to their clients face no shortage of sources 
of information. Following are some suggestions on where to 
get information tailored specifically to solution provider needs. 
Find information about the CompTIA Security Trustmark here: 
www.comptia.org/securitytrustmark 
For updates on the CompTIA public advocacy efforts, 
including lobbying for security regulations, check out the 
public advocacy section of the association’s web site: 
www.comptia.org/publicpolicy.aspx 
The CompTIA IT security blog keeps readers updated on the
association’s IT security community, whose work includes 
development of the Security Trustmark business credential 
and collaboration with the CompTIA Public Advocacy Office: 
blog.comptia.org/category/subtopics/it-security 
CompTIA IT Security Community 
www.comptia.org/communities 
Noel Eberline, director of the CompTIA IT security community, 
publishes a blog in which he addresses myriad security-related 
topics. Access the blog here: 
blog.networkwatchman.com 
The Open Security Foundation keeps tabs on security 
breaches across the world and publishes a database of all 
known incidents causing data losses. The database is updated 
just about daily and accessible here: 
datalossdb.org 
ITEEX, founded in 2002 as a peer-to-peer organization, is a 
security-focused channel development company. ITEEX chief 
executive officer, Earle Humphreys, worked with CompTIA 
on developing the Security Trustmark credential. Access the 
company website here: 
www.iteex-channel.com 
And the ITEEX blog here: 
www.iteex-channel.com/blog
cleanup, file quarantine, or a patch application, specific 
rules should be in place for response and escalation. 
Step 8: Study up on regulations 
Knowing the regulations that affect IT security business is 
easier said than done, considering that federal standards 
are still evolving and there isn’t yet a national regulation 
that covers breach notifications. However, a number 
of states have enacted regulations addressing data 
breaches, with Massachusetts boasting the most stringent 
laws on the books. 
But, as the saying goes, ignorance of the law is no excuse. 
“It’s important for the solution provider to know what 
the regulations are all about, what they apply to,” says 
Reflexion’s Barlow. 
Even though solution providers need to become de 
facto experts on the law, achieving that status isn’t easy. 
Solution providers operating in multiple states have to 
contend with regulations that differ from state to state. 
Massachusetts mandates that organizations handling 
sensitive data, such as finance and medical records, 
implement data leak prevention. New Jersey has a 
regulation that many in the industry consider bizarre: 
When a leak occurs, the affected company is required to 
notify the state police before even its clients or partners. 
What’s needed is a national standard covering data leaks, 
say security experts. CompTIA has been lobbying Congress
to pass data-leak legislation now under consideration, and 
while there is a chance a bill could be approved this year, 
most likely passage will occur next year. 
Barlow suggests that solution providers uncertain about 
which regulations affect their clients should leverage their 
vendor partners. Security vendors have people on their
staffs (with knowledge about regulations and compliance 
requirements) who can help solution providers make the 
right decisions for their clients, he says. 
Partner for expertise 
In delivering security solutions and services, solution 
providers in some cases should seek partners that have 
the expertise they lack, says WakaDigital’s Braun. A 
partner that specializes in security, such as WakaDigital, 
can train, assess, and set policies for the client, he says. 
In cases where it makes sense, the security partner can 
stay in the picture in a consultative role, either as a silent 
partner in the background or in a more visible way in 
front of the partner, Braun says. 
Humphreys believes there are several advantages 
to working with a partner. Those include avoiding 
infrastructure costs and making up for lack of expertise 
in building solutions. A security partner bringing in a 
solution already has tested the technology so you don’t 
have to and already has experience with issues that you 
may never have encountered, Humphreys says. 
Of course partnering carries some risks, so it’s important 
to ensure a prospective partner “doesn’t have a history 
of working to come between you and your clients,” he 
says. Humphreys recommends doing your homework by 
checking with other companies that have worked with the 
prospective partner. 
In addition, says Humphreys, though a solution provider 
would partner with another to add expertise, the provider 
still needs to know enough about the technology. You 
want to make sure the solution the partner is bringing 
works, or that it isn’t a new, unproven release with bugs 
that haven’t been worked out.
Keep Talking 
Barlow advises that solution providers meet with customers monthly
or quarterly to review the work the provider does to protect 
clients’ IT environment. Especially for solution providers 
delivering security as a managed or hosted service, periodic 
meetings can be key. 
MSPs say clients tend to forget the work that goes on behind 
the scenes to keep their IT environments in shape and, at 
invoice time, question what they are getting for what they are 
paying. During the meetings, for instance, solution providers 
should go over how they prevented a network attack by 
responding to system alerts or how they stopped unsafe Web 
surfing by detecting it and alerting the client about it. 
Communication with the client should keep business value at 
the forefront. Barlow suggests using security arguments to 
implement business process improvements, such as replacing 
tax and financial forms with electronic files. 
Braun agrees with the need for communication. Remind the 
client, he says, of how security helps protect their business
investments by talking to them about how much it costs to
remediate breaches that could have been prevented with the right
technology and security policies in place. 
“At the end of the day,” he says, “you’re not providing IT, you’re 
providing business-process management.” 
About CompTIA 
CompTIA is the voice of the world’s information technology 
(IT) industry. 
As a non-profit trade association advancing the global interests 
of IT professionals and companies, we focus our programs 
on four main areas: education, certification, advocacy and 
philanthropy. We: 
• Educate the IT channel: Our educational resources, 
comprising instructor-led courses, online guides, webinars, 
market research, business mentoring, open forums and 
networking events, help our members advance their level of 
professionalism and grow their businesses. 
• Certify the IT workforce: We are the leading provider of 
technology-neutral and vendor-neutral IT certifications, with 
more than 1.4 million certification holders worldwide. 
• Advocate on behalf of the IT industry: In Washington, D.C., 
we bring the power of small- and medium-sized IT businesses 
to bear as a united voice and help our members navigate 
regulations that may affect their businesses. 
• Give back through philanthropy: Our foundation enables 
disadvantaged populations to gain the skills they need for 
employment in the IT industry. 
Our vision of the IT landscape is informed by more than 25 
years of global perspective and more than 2,800 members 
and 1,000 business partners that span the entire IT channel. 
We are driven by our members and led by an elected board 
of industry professionals. 
All proceeds are directly reinvested in programs that 
benefit our valued members and the industry as a whole. 
Headquartered outside of Chicago, we have offices across 
the United States and in Australia, Canada, China, Germany, 
India, Japan, South Africa and the United Kingdom. For more 
information, visit comptia.org.
www.comptia.org 
© 2011 CompTIA Properties, LLC, used under license by CompTIA Member Services, LLC. All rights reserved. All membership activities and offerings to members of CompTIA, Inc. are 
operated exclusively by CompTIA Member Services, LLC. CompTIA, A+, Authorized Service Center, Breakaway, Network+, Security+, and Security Trustmark are registered trademarks 
of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their 
respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. Feb 2011 1721-US 
Quick Start Guide to IT Security for Businesses

  • 1. Eight Steps to IT Security Success: A practical guide for solution providers. Quick Start Guide. www.comptia.org/communities
  • 2. Eight Steps to IT Security Success Solution provider Jacob K. Braun prefers a reasoned approach when selling IT security to clients. Rather than trying to scare clients, Braun appeals to their sense of ethics. “I ask them: ‘What would your clients say if they knew you didn’t have security in place?’” says Braun, the president and chief operating officer of WakaDigital Media Corp., a managed services provider (MSP) based in Amherst, MA. “You can approach it from the fear factor, but the fear factor can backfire pretty quickly,” he says. Scare tactics put clients on the defensive, and that makes it much harder to sell them the solution they need, he adds. No one really questions the need for security, even if too many clients still don’t have a good grasp of everything it entails, say Braun and others in the IT channel. The onus, therefore, is on solution providers to educate clients on security risks, assess those risks, and address them in a comprehensive way. They also need to ensure their clients comply with a growing set of federal and state data-protection regulations. “Security is much more than perimeter firewalls and anti-virus protection. A truly secure approach must be multi-faceted and comprehensive,” says Jim Hamilton, senior director of member communities at the Computer Technology Industry Association (CompTIA). CompTIA is based in Downers Grove, IL, and is known as the largest nonprofit trade association in IT. A truly secure environment provides protection, prevention, and remediation. To achieve all that, say security experts, a security platform has to perform multiple functions in what is called a multi-layer approach: firewalls to control network access, tools that filter Web content and e-mail, encryption protocols, and intrusion prevention and detection. 
Security also entails policies and tools that control the use of passwords, mobile and VPN connections, which users access which data, and how to react when a data breach or leak occurs. The proliferation of cloud-based solutions and technologies such as social networking and virtualization, say security experts, makes the already-complex endeavor of securing IT environments even more intricate. New challenges such as protocols for using social media and how to apply security policies to virtualized networks have to be addressed, says Tim Larocque, director of sales at Ottawa-based Interwork Technologies, a distributor of IT security solutions. “Those are significant challenges that I don’t think most solution providers are taking the time to address,” Larocque says.

Step 1: Leverage compliance regulations for security growth

Solution providers that take the time to understand security requirements stand to gain from a healthy, growing market. The need for security never goes away. It keeps increasing as hackers find new ways to break into networks. Market research firm Gartner predicts 4 percent growth in 2010 in security-related software sales and 3 percent in security services. Those are healthy enough numbers,
  • 3. especially on the heels of a major recession, but MSPs and providers of cloud-based services say they are seeing growth rates of 25 percent or more. “We’re seeing very, very healthy growth in the security market,” says Larocque. “It’s a very predictable and recession-proof market.” Interwork partners, he says, are enjoying growth rates of as much as 40 to 50 percent. One major driver, according to IT security experts, is the need for organizations large and small to comply with data protection laws. Businesses that handle sensitive data, be it financial information, medical records or legal documents, have to comply with a growing set of regulations, both at the state and federal levels, imposing strict requirements on how to handle the data. Federal laws enacted since 1996, such as the Sarbanes-Oxley Act, which applies to accounting practices, and HIPAA (Health Insurance Portability and Accountability Act), which addresses medical records, have created a cottage industry of compliance-focused solutions and services. Forty-five states and the District of Columbia also have passed regulations designed to prevent breaches and protect privacy. More laws are on the way, including a data breach-prevention bill now under consideration in Washington, D.C.

Step 2: Don’t ignore the cloud, celebrate it

Next to compliance, the increasing popularity of cloud computing is the biggest driver of the IT security business, say security experts. Gartner predicts cloud-related business will grow to $150 billion in 2013, more than triple what it was two years ago at $46 billion. Interestingly enough, security and the cloud have a paradoxical relationship, says Earle Humphreys, chief executive officer of ITEEX, a channel development company with a strong focus on security.
Many end-user organizations, accustomed to having all their hardware and software on premise, where they can keep a close eye on them, have reservations about tapping the cloud for business-critical applications. They worry about whether their applications and data are secure enough in the cloud. As a result, says Humphreys, some put off cloud computing plans. “If you take a look at the top reason not to adopt the cloud, it is security,” he says. Still, and here is the paradox, while security may hamper the adoption of cloud computing, the business of security receives a significant boost once end users decide to go ahead with cloud-based implementations. For one thing, the cloud makes it possible to centralize management of entire IT environments.

On Patrol With the CompTIA IT Security Community

To help solution providers stay abreast of developments in IT security, both at the regulatory and business level, CompTIA recently created a collaborative group to foster discussion among peers and share resources. The CompTIA IT Security community, which developed the CompTIA Security Trustmark business credential, keeps members informed of IT security developments through a regularly updated blog. The community also encourages members to share best practices, help solve collective problems, and build relationships that can lead to valuable partnerships. Members include VARs, managed services providers, distributors, vendors, and other industry experts. Through the community blog, members have been able to keep track of significant industry discussions, such as the national data-breach legislation proposed in Washington, D.C. While different states are addressing specific actions when a data breach occurs, no federal law has yet been established. Though Congress has discussed the legislation, it’s unlikely that anything will be passed until late 2011.
CompTIA is lobbying for passage of the bill on behalf of the industry and will continue to provide frequent updates to the IT Security Community. The group is also working to establish a code of conduct, a one-page document intended to help members meet their obligations to the industry and their constituents. These responsibilities include the protection of customers and their IT environments, reliable service, and the advancement of community and CompTIA goals. A draft of the code has been distributed to the group, and members are expected to ratify it in short order. Other activities the group is currently engaged in include creating end user education for compliance and regulations, identifying security issues related to new technologies, developing security education tracks for solution providers, and developing an industry awareness campaign for the CompTIA Security Trustmark business credential. Find out more about the CompTIA IT Security community at www.comptia.org/communities
  • 4. As a result, security is at least as good or better than in strictly on-premise environments. In addition, the cloud eliminates most upfront on-premise software and hardware investments, which makes it irresistible to organizations under constant pressure to maximize their IT dollars without adding staff or expensive equipment. Making the cloud even more attractive from an economic standpoint is that as cloud-based solutions proliferate, the cost of the solutions decreases, says Scott Barlow, vice president of sales and marketing at Reflexion Networks, a vendor of hosted e-mail services based in Woburn, MA. The cloud is changing the security business, and solution providers are cashing in. The technology itself, be it e-mail filtering, intrusion detection, or anti-virus, often is sold at cost or even at a loss, says Interwork’s Larocque. Providers make up for the upfront loss by packaging the technology with monitoring and management services that they perform remotely and charge users for on a subscription basis.

Step 3: Weave security into every opportunity

For solution providers, security is both a requirement and an opportunity. It’s a requirement because of clients’ regulation compliance needs and an opportunity because of those needs and the expansion of the cloud. So while security traditionally has been considered a specialty in the IT channel, the market dynamics now require at least a basic level of security competency. “Security must be an element of every solution implemented and managed by solution providers,” says Hamilton. Especially if you’re delivering managed services or hosted solutions, there is simply no way of skirting client security needs. “Security should be sold as part of every MSP sale because security touches everything in a customer’s enterprise,” says Todd Jones, general manager of Watchman Computer Services, a security-focused MSP in Denver, CO.
When taking over part or all of a client’s IT environment remotely through a managed services arrangement or delivering applications over the cloud, solution providers

Master the CompTIA Security Trustmark

Since its launch in 2008, the CompTIA Security Trustmark business credential has become the industry standard for solution providers wanting to assure customers they have the experience and know-how to secure their IT environments. The vendor-neutral, business-level credential identifies solution providers that follow best practices, established protocols, and documentation methods in delivering security solutions to clients. For solution providers, there is no better way to stand out from the crowd when delivering security services and technology to clients, says Todd Jones, general manager at Watchman Computer Services, a Denver-based managed services provider. “Security touches just about everything,” he says. “It’s really important in the marketplace to have a standard of security best practices.” Earle Humphreys, chief executive officer of Information Technology Executive Exchange (ITEEX), a security-focused channel development organization, says the Security Trustmark program solved a problem in the IT channel. End users often were reluctant to engage solution providers because they had doubts about the providers’ level of expertise in security. “There was a credibility issue that was hurting vendor sales,” says Humphreys, who worked on contract with CompTIA to help develop the Security Trustmark credential. Now, he says, end-user clients have a reliable way to vet IT security services providers, while the providers stand to get more business by achieving a business credential. To earn the Security Trustmark credential, solution providers have to complete a comprehensive review process that includes an online assessment and the submission of various documents detailing company processes and practices.
Security Trustmark applicants also are subject to unannounced audits, and once they receive the credential, they have to undergo an annual review process. The Security Trustmark business credential differs from the various CompTIA certifications, such as CompTIA A+, CompTIA Network+ and CompTIA Security+, in that it covers an entire organization, versus validating individual competency. Find out more about the CompTIA Security Trustmark at www.comptia.org/securitytrustmark
  • 5. accept a level of liability that didn’t exist in the old break/fix, project-based client engagements. “If you don’t do some basic security for your client, you’re putting your business at risk,” says Humphreys. “Security is a discipline. It is part of the fabric, the expertise that you are selling your customer,” says Jones. “Any provider that approaches this as anything else is on the verge of doing a disservice to their customers and short-changing themselves. It is not a ‘bolt-on, set-it and forget it’ product that can be sold, installed, and then you’re on to the next sale.” To help solution providers meet their security requirements, CompTIA in 2008 launched a business credential, the CompTIA Security Trustmark. The vendor-neutral, business-level credential identifies solution providers that have proven they follow security best practices in accordance with CompTIA standards (see sidebar on page 6). The Security Trustmark gives solution providers credibility, says Humphreys, who worked under contract for CompTIA to develop the Security Trustmark credential.

Step 4: Embrace best practices

Much like their clients’ networks, solution providers are handling a heavy load when it comes to security. To ensure they do right by their clients, security experts recommend that solution providers adopt certain practices. Achieving a Security Trustmark credential, say experts, goes a long way to show clients you have the proper expertise and employ the best practices to protect their IT environments.
In addition, solution providers should do the following:
    • Educate customers
    • Perform vulnerability assessments
    • Make sure tools from different vendors work together
    • Set policies for clients on safe computing practices
    • Know security regulations
    • Partner with other solution providers for expertise
    • Maintain communication with clients

Subscription-based IT Security Services Gain Traction

More and more solution providers are giving up on trying to squeeze profits out of IT security technology. But they don’t mind, so long as they get to charge the customer monthly or quarterly fees to deliver security as a service. Tim Larocque, director of sales at Interwork Technologies, an Ottawa-based distributor of IT security solutions, says deals in which solution providers sacrifice profits upfront in the expectation of future recurring revenue are increasingly common. Over time, the recurring revenue more than makes up for the upfront profit loss, he asserts. Whether they lump security with an overall managed services package or sell security as separate hosted services as part of a SaaS contract, the primary goal is to establish a recurring revenue stream from the customer. Clients in recent years have warmed up to the idea of paying subscription fees for cloud-based services that would cost a lot more if they had to deploy and maintain the technology on premise. In addition, handing over to a solution provider that can handle remotely the burdens of updating anti-virus and spam-filtering subscriptions, maintaining firewalls and managing patch management keeps in-house IT staffing budgets down and allows companies to better focus on their core business. To be sure, the cloud-based security model is gaining traction, say security providers, but education is still necessary for clients who fear that cloud-based solutions are less secure. Larocque says Interwork’s most successful partners have concluded that their security focus needs to be on service, not technology.
As a result, they are enjoying security business growth rates of as much as 40 to 50 percent, he says. Scott Barlow, vice president of sales and marketing at Reflexion Networks, a Woburn, MA-based vendor of hosted e-mail security, is seeing similar trends. Reflexion partners, he says, are enjoying growth rates of 25 percent or more. “We’ve seen significant growth in the past 12 to 18 months,” Barlow says. Like Larocque, Barlow says he is seeing solution providers bundle their security services into managed services packages that also include remote monitoring and management of PCs, servers, network devices, and applications. Embedding security into managed services contracts, says Barlow, makes it easier to address the client’s security needs.
  • 6. Step 5: Re-educate customers

Especially among small and medium-sized businesses (SMBs), network and data security requirements often are only partly addressed, and in the worst cases, almost completely ignored. Business owners, for the most part, understand threats such as viruses and spam, but they lack a comprehensive approach to protect their data, prevent intrusion, and implement policies on how to react to breaches. “Small businesses are too trusting,” says Jones. “They’re not as concerned as they need to be. They don’t understand the risk unless you continuously hammer it away at them.” “Customers need to understand that security is not a technical solution you purchase,” says CompTIA’s Hamilton. “Security is a complex problem that requires a holistic approach to be effective.” In their role as educators, solution providers also need to point out the economics of security—that breaches can incur high remediation costs and in the worst cases put a company’s future at risk. “You’re essentially selling insurance,” says Barlow. Awareness is key, says Larocque. Business owners may lull themselves into thinking their data is safe if a breach hasn’t already happened to them, and as a result, not make the necessary investment. But they don’t realize, for instance, that malware is released every five seconds and an attack on their network could be only a matter of time. Solution providers must impress on clients that security threats are real, relentless, and constantly evolving, Larocque says. In fact, breaches take place practically daily, as attested by the Web site DatalossDB.org, which lists and documents all reported incidents and the number of records, from zero to the millions, exposed in each case. “Breaches are a regular occurrence,” says Hamilton.
“Customers cannot afford to be blasé about the potential risks.”

Step 6: Promote regular assessments

Security has to be part of the conversation whenever a solution provider is pitching its offerings to a prospective customer, says Hamilton. “It can’t be sidestepped anymore.” As such, it’s a good practice to conduct an assessment of the customer’s security environment, including desktops and mobile devices, before deploying any technology. Assessments typically include checking the subscription status of anti-virus and anti-spyware tools and testing existing firewalls for effectiveness. “It probably wouldn’t take your average VAR more than a day or two to do a basic security assessment for their clients,” says Humphreys. Depending on the size of the client’s IT environment, an assessment may include vulnerability scanning to identify holes in the network and potential risks related to applications and Web services. Penetration testing to see how easy it is to break into the network may also be advisable. Assessments should look beyond technology to also cover policies, say security experts. Solution providers may find that a client has no policies in place covering how to react to data breaches or that an organization has never instructed its users not to share their individual network-access information. Assessment findings should be compiled in a report to share with the client to demonstrate current vulnerabilities and formulate a strategy to eliminate the vulnerabilities and build a solid security environment.

Harmony in security

Humphreys counsels due diligence in deciding which security products solution providers should use for their clients. Solution providers may prefer a firewall from one vendor and anti-virus software from another, but they need to make sure the different pieces work together.
Otherwise, the result is unwanted complexity or, even worse, an environment that adds to the vulnerabilities it is supposed to be addressing. The history of IT is littered with cases of applications that were supposed
  • 7. to be compatible but failed to communicate, as well as environments with different sets of hardware and user interfaces that turn into real nightmares for administrators. Hamilton says solution providers must think about the overall security landscape and how their solution fits into the bigger picture. For solution providers delivering security as part of their managed services offerings, the easiest way to go about this is to pick a managed services vendor that bundles security tools such as anti-virus, e-mail filtering, and firewalls, into its remote monitoring and management (RMM) tool. “That way you know they picked the friendly products and you know they work,” Humphreys says.

Step 7: Stick with clear policies

Security transcends technology in that breaches and leaks often result from human error. A company may have the best technology available to secure its networks, but if users are sharing passwords, accessing Web sites that may contain viruses, or e-mailing unencrypted documents with sensitive information, the technology won’t help them. Aside from day-to-day safe computing practices, policies also must address how to react when a threat is detected, a virus gets through or an application malfunctions and creates a point of exposure. Watchman Computer Services’ Todd Jones says the discipline of security entails three main elements: protection, detection, and response. “Without response you do not have security,” he says. “Every door can be kicked in, every safe can be cracked, every fortress can be breached, and every treasure can be stolen if there is no response. It’s no different with computer and network security.
You can bolt in all the latest and greatest products, but installed without response, you do not have security.” Protocols need to be in place so that users and administrators know what to do when they receive an alert, says Jones, who believes that is where security as a managed service really makes a difference. For solution providers monitoring their clients’ environments remotely, that means having a policy in place prescribing action when an alert comes through. Be it a remediation

Names and Organizations to Know

Solution providers looking for tips about how to deliver security solutions to their clients face no shortage of sources of information. Following are some suggestions on where to get information tailored specifically to solution provider needs.

Find information about the CompTIA Security Trustmark here: www.comptia.org/securitytrustmark

For updates on the CompTIA public advocacy efforts, including lobbying for security regulations, check out the public advocacy section of the association’s web site: www.comptia.org/publicpolicy.aspx

The CompTIA IT security blog provides updates on the association’s IT security community, whose work includes development of the Security Trustmark business credential and collaboration with the CompTIA Public Advocacy Office: blog.comptia.org/category/subtopics/it-security

CompTIA IT Security Community: www.comptia.org/communities

Noel Eberline, director of the CompTIA IT security community, publishes a blog in which he addresses myriad security-related topics. Access the blog here: blog.networkwatchman.com

The Open Security Foundation keeps tabs on security breaches across the world and publishes a database of all known incidents causing data losses. The database is updated just about daily and accessible here: datalossdb.org

ITEEX, founded in 2002 as a peer-to-peer organization, is a security-focused channel development company.
ITEEX chief executive officer, Earle Humphreys, worked with CompTIA on developing the Security Trustmark credential. Access the company website here: www.iteex-channel.com And the ITEEX blog here: www.iteex-channel.com/blog
  • 8. cleanup, file quarantine, or a patch application, specific rules should be in place for response and escalation.

Step 8: Study up on regulations

Knowing the regulations that affect IT security business is easier said than done, considering that federal standards are still evolving and there isn’t yet a national regulation that covers breach notifications. However, a number of states have enacted regulations addressing data breaches, with Massachusetts boasting the most stringent laws on the books. But, as the saying goes, ignorance of the law is no excuse. “It’s important for the solution provider to know what the regulations are all about, what they apply to,” says Reflexion’s Barlow. Even though solution providers need to become de facto experts on the law, achieving that status isn’t easy. Solution providers operating in multiple states have to contend with regulations that differ from state to state. Massachusetts mandates that organizations handling sensitive data, such as finance and medical records, implement data leak prevention. New Jersey has a regulation that many in the industry consider bizarre: When a leak occurs, the affected company is required to notify the state police before even its clients or partners. What’s needed is a national standard covering data leaks, say security experts. CompTIA has been lobbying Congress to pass data-leak legislation now under consideration, and while there is a chance a bill could be approved this year, most likely passage will occur next year. Barlow suggests that solution providers uncertain about which regulations affect their clients should leverage their vendor partners. Security vendors have people on their staffs (with knowledge about regulations and compliance requirements) who can help solution providers make the right decisions for their clients, he says.
Partner for expertise

In delivering security solutions and services, solution providers in some cases should seek partners that have the expertise they lack, says WakaDigital’s Braun. A partner that specializes in security, such as WakaDigital, can train, assess, and set policies for the client, he says. In cases where it makes sense, the security partner can stay in the picture in a consultative role, either as a silent partner in the background or in a more visible way in front of the partner, Braun says. Humphreys believes there are several advantages to working with a partner. Those include avoiding infrastructure costs and making up for lack of expertise in building solutions. A security partner bringing in a solution already has tested the technology so you don’t have to and already has experience with issues that you may never have encountered, Humphreys says. Of course partnering carries some risks, so it’s important to ensure a prospective partner “doesn’t have a history of working to come between you and your clients,” he says. Humphreys recommends doing your homework by checking with other companies that have worked with the prospective partner. In addition, says Humphreys, though a solution provider would partner with another to add expertise, the provider still needs to know enough about the technology. You want to make sure the solution the partner is bringing works, or that it isn’t a new, unproven release with bugs that haven’t been worked out.
  • 9. Keep Talking

Barlow advises that solution providers meet with customers monthly or quarterly to review the work the provider does to protect clients’ IT environment. Especially for solution providers delivering security as a managed or hosted service, periodic meetings can be key. MSPs say clients tend to forget the work that goes on behind the scenes to keep their IT environments in shape and, at invoice time, question what they are getting for what they are paying. During the meetings, for instance, solution providers should go over how they prevented a network attack by responding to system alerts or how they stopped unsafe Web surfing by detecting it and alerting the client about it. Communication with the client should keep business value at the forefront. Barlow suggests using security arguments to implement business process improvements, such as replacing tax and financial forms with electronic files. Braun agrees with the need for communication. Remind the client, he says, of how security helps protect their business investments by talking to them about how much it costs to remediate breaches that could have been prevented with the right technology and security policies in place. “At the end of the day,” he says, “you’re not providing IT, you’re providing business-process management.”

About CompTIA

CompTIA is the voice of the world’s information technology (IT) industry. As a non-profit trade association advancing the global interests of IT professionals and companies, we focus our programs on four main areas: education, certification, advocacy and philanthropy. We:
    • Educate the IT channel: Our educational resources, comprising instructor-led courses, online guides, webinars, market research, business mentoring, open forums and networking events, help our members advance their level of professionalism and grow their businesses.
    • Certify the IT workforce: We are the leading provider of technology-neutral and vendor-neutral IT certifications, with more than 1.4 million certification holders worldwide.
    • Advocate on behalf of the IT industry: In Washington, D.C., we bring the power of small- and medium-sized IT businesses to bear as a united voice and help our members navigate regulations that may affect their businesses.
    • Give back through philanthropy: Our foundation enables disadvantaged populations to gain the skills they need for employment in the IT industry.

Our vision of the IT landscape is informed by more than 25 years of global perspective and more than 2,800 members and 1,000 business partners that span the entire IT channel. We are driven by our members and led by an elected board of industry professionals. All proceeds are directly reinvested in programs that benefit our valued members and the industry as a whole. Headquartered outside of Chicago, we have offices across the United States and in Australia, Canada, China, Germany, India, Japan, South Africa and the United Kingdom. For more information, visit comptia.org.
  • 12. www.comptia.org © 2011 CompTIA Properties, LLC, used under license by CompTIA Member Services, LLC. All rights reserved. All membership activities and offerings to members of CompTIA, Inc. are operated exclusively by CompTIA Member Services, LLC. CompTIA, A+, Authorized Service Center, Breakaway, Network+, Security+, and Security Trustmark are registered trademarks of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. Feb 2011 1721-US