GTIA’s Trustmark Aims To Let MSPs Differentiate Themselves In Cybersecurity
‘The goal of Trustmark is to give MSPs a standard to adhere to that the community can come together and discuss and that all of us already have some basis in practices that we’re already performing,’ says Marc Menzies, president and CTO of Overview Technology Solutions and chair of GTIA’s Trustmark working group.
A community of MSPs is working with the Global Technology Industry Association to develop Trustmark, a new framework for MSPs and IT service providers aimed at promoting a designation that lets them show that they meet or exceed cybersecurity standards set by their peers.
Marc Menzies, president and CTO of Holbrook, N.Y.-based MSP Overview Technology Solutions and chair of GTIA’s Trustmark working group, told an audience of MSPs at this week’s XChange March 2026 conference that Trustmark brings the best cybersecurity certifications into a single security framework they can use to differentiate themselves.
“So basically, it’s a conglomeration of CIS, CMMC, NIST 800-171, New York State DFS 23 NYCRR Part 500, and HIPAA,” Menzies said. “So it’s 177 total controls, or safeguards they’re calling them now, that align roughly with what you guys are already doing. The goal of Trustmark is to give MSPs a standard to adhere to that the community can come together and discuss and that all of us already have some basis in practices that we’re already performing.”
XChange March 2026 is being hosted by CRN parent The Channel Company this week in Orlando, Fla.
With Trustmark, GTIA is not looking to introduce a new cybersecurity standard, Menzies said.
“This is us trying to get our community together to have a single standard that all of us can work towards, but also still aligned to the other things we need to for our clients or for other regulatory, etc., requirements,” he said.
Anybody can fix a computer or perform cybersecurity services, or help people align to a standard, to a framework, Menzies said. And while there are rules starting to be put in place for cybersecurity, for the most part it’s still the “Wild West” in terms of MSP standards, he said.
“What we’re hoping to accomplish is create those rules for ourselves and at least get to the point that we can work with state, local, and national governments, not just in the United States, and also with entities like insurance companies, to recognize this so that we can all come together and say, ‘This is what our standard is,’” he said. “We want to dictate the rules so that we can be self-governing, much like the Bar associations and such.”
Countries around the world are introducing their own cybersecurity standards, but none of them provide comprehensive protection, Menzies said.
“CMMC, as we all know, doesn’t really do everything that you’d want an actual framework to do,” he said. “It doesn’t require you to back up your data, just encrypt it. SOC 2 isn’t even a framework. You can have terrible policies. What we’re talking about here is, based on a reasonable effort, if you did things like implement SOC 2 Type 2 properly, you’ll likely have elements of an alignment cyber essentials.”
With Trustmark, GTIA is looking to align to international standards as well as standards that insurance companies are holding clients to so that all MSPs can fall under the same umbrella, Menzies said.
“The point of the cybersecurity Trustmark is to have our MSPs and MSSPs align with best practices in the community,” he said. “It’s also to meet the MSPs and MSSPs where they are now. If you are a larger MSP or a smaller MSP, or this or that, or you’re getting started on your journey, or you’re five or 10 or 15 or 30 years into your journey, you can still be assessed and pass the Cybersecurity Trustmark.”
Trustmark is a maturing framework, and improves year over year, Menzies said.
“If you were here last year, you have to be here next year,” he said. “If you’re not here next year, then you don’t pass. The specifics around that are based on third-party assessors and their analysis, and the reading of notes and analyses from the year before. Is it a perfect science right now? Absolutely not. Still something we’re working on internally.”
One of the biggest concerns the Trustmark working group at GTIA has is that each of the 50 states in the U.S.A. is starting to come out with its own cybersecurity regulations, Menzies said.
“It’s hard to get a silver bullet,” he said. “We’re trying to get as close as possible, and we’re thinking that this has the flexibility to try to align things together. … My personal goals in this are to align locally, federally, with all the state, local governments that apply, to try to create a standard that we could all adhere to that gets our MSPs at least like 80 [percent] to 90 percent of the way there. And if you need to go a little further in order to get CMMC or [other standards], so be it. Again, the goal of this is to give us all a common platform to discuss this on.”
There are a lot of different standards out there, and what the GTIA is looking to do is coordinate everything so that it’s all-encompassing, said John Vissichelli, president of ECCO Consulting Group, a Westbury, N.Y.-based MSP.
“Regardless of whether you’re in New York State or you’re following CMMC or NIST or some of the other standards, this aims to help you capture all the requirements with your cybersecurity compliance stack of products and services and help your end clients adhere to that and that you’re able to effectively manage your clients’ requirements from a cybersecurity perspective and your own perspective,” Vissichelli said.
Vissichelli said his company uses many of the available cybersecurity frameworks but has not received certifications, and that getting certified with Cybersecurity Trustmark makes sense.
“One of the things I’m investigating, as I go from working for another company to working in my own company, is making sure that everything I develop moving forward is at a compliance level that lets me speak with strength that my standards and the settings of my company are at a minimum level that’s above what’s out there right,” he said.