Journey of a CASP+

Part 2: Finding Real World Value

Cyber Nullius
5 min read · Mar 21, 2024

Justifying the CASP+

Attaining a certification can be a boon professionally, intellectually, and even emotionally. The pursuit of a certification alone can provide these benefits as well, since it signals a desire to learn and grow, born from an inner drive that any leader should take careful note of. Yet, getting certifications for the sake of getting them is not always the smartest investment of time and money.

You can be great at networking and securing user data without ever having a CCNA or CASP+ tailing your name. The great thing about the Internet is the amount of free, quality information out there that will make someone a better engineer without spending a dime. And while employers tend to favor degrees and badges on a resume, having a healthy list of projects and actionable knowledge could blow away competing resumes that have only dealt with theory and never practice.

Bearing that in mind, be picky about which certifications you sink your valuable time into; you may one day discover that your employer will not compensate you simply because you passed an exam. Instead, they want to see value from the knowledge you have attained and had certified. For certain certs, demonstrating this value is easy. Most hiring managers know what to expect of a new hire with an A+, a more seasoned tech with Net+ and Sec+, a senior engineer with a CCNA or CCNP, or a manager with a CISSP.

Yet what I have found is that as certifications become more advanced or more niche, managers and owners become less sure of what knowledge and skills have been mastered and, by extension, what value can be brought to the table. So I have begun working on a general proposal that justifies the CASP+ to stakeholders by focusing on themes and services that are relevant to, and can be made to provide value for, current and prospective clients.

So What Is It You Do, Exactly?

Leaders and stakeholders prefer the quick and dirty. At that level time is even more valuable, and writing a thesis on why a role or service needs to be created or filled will only get you asked for the SparkNotes anyway. In-depth SOPs and process flowcharts are for the next tier down (which happens to be where a CASP+ should sit), so for now let us characterize a CASP+ in a few lines.

A CASP+ engineer is validated across four areas: security architecture, security operations, security engineering and cryptography, and governance, risk and compliance (GRC). The GRC side is about operating against one or several standards/frameworks so that a business handles data in a manner deserving of stewardship. The value of a CASP+, though, begins with its validation of expertise in architecting and implementing secure solutions across complex environments. Not only can such an engineer design secure systems that meet business goals, they can troubleshoot them as well, providing an all-in-one package for the business and the client.

A Day In The Life Of

Okay, sure, we have a general idea of what to expect. But what specific tasks and services should an MSP/MSSP drop into their new CASP+ bucket? They can be split into two groups: external offerings and internal services. External services would be offered to current and prospective clients either a la carte or packaged together, and include the following:

  1. Risk and Vulnerability Assessments
  2. Compliance Consulting
  3. Incident Response/Business Continuity/Disaster Recovery Planning
  4. SOC/NOC as a Service
  5. Internet of Things (IoT)-specific Management
  6. Emerging Technologies (e.g., AI)

Internal services would be baked into the boilerplate B2B relationship between the client and MSP/MSSP. Some examples would be:

  1. Centralized responsibility for outage reporting and response
  2. Dashboard Management and Threat Intelligence research
  3. Policy Template Management to minimize policy drift
  4. Product Management (e.g., tracking how products change: new features, roll-outs, updates, vulnerabilities)
  5. Regulatory Change Tracking — being ahead of changing legislation

Of course, MSP/MSSPs and their clients have to operate within the confines of their budgets, and flippantly listing off offerings and services is easier written than done. At a minimum, however, an MSP/MSSP staffing one or more CASP+s should work toward elevating internal services: there are low-cost ways to accomplish this, and it prepares a provider for those clients who wish to take advantage of the newfound offerings. Many of the internal services above simply require dedicated time for engineers to research and develop tools, policies, and procedures. Entrusting your staff to take the creative lead can bear much fruit.

Take My Word For IT

So what does this all look like? Why are some of these things needed? Let us review some examples of what having a dedicated tech (with dedicated time) would be able to address:

  • Aruba switch vulnerability that required remediation via firmware update — How would your organization be made aware of it, and how would it remediate?
  • Recent BitLocker exploit that required a (buggy) Windows update — Does your organization research each patch and determine whether its efficacy, or its side effects, demand compensating controls?
  • AnyDesk vulnerability that was remediated by software update and credential reset — What sort of asset inventory is in place that lets your organization quickly glance across your clients, determine who is vulnerable, and know which credentials need resetting?
  • Firewalls and other critical infrastructure going extended periods without firmware updates — Is there a process in place that tracks the patch status of these devices and ensures they stay current?
  • HIPAA password policy — Off the top of your head, do you know what HIPAA requires regarding a password policy? How about other policies? How outdated are your organization's best practices?
  • Market competition — What are your MSP/MSSP peers offering that could add a distinctive level of value over your own business? What can you offer that others lag behind on?
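Three of the questions above (who is vulnerable across clients, which hosts also need a credential reset, and which devices have gone too long without an update) are answerable from a maintained asset inventory. As an added illustration, not code from the original post, here is the kind of small script a dedicated tech with dedicated time would write: a cross-client inventory checked against a table of minimum fixed versions and a patch-age window. Every client, hostname, product key, version, date and `fixed_in` threshold below is constructed for the example; the thresholds are placeholders, not real vendor advisory data.

```python
"""Cross-client exposure check: inventory versus minimum fixed versions.

Added example, not from the original post. Every client, host, product key,
version, date and 'fixed_in' threshold below is constructed for illustration;
the thresholds are placeholders, not real vendor advisory data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    client: str
    hostname: str
    product: str        # normalised product key as recorded in the inventory
    version: str        # version string as reported by the device or agent
    last_patched: date  # date of the last firmware/software update


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str                    # first version that contains the fix
    reset_credentials: bool = False  # fix also requires a credential reset


# Constructed sample inventory spanning two hypothetical clients.
INVENTORY = [
    Asset("acme-dental", "sw-core-01", "switch-firmware", "2.4.1", date(2023, 9, 1)),
    Asset("acme-dental", "ws-frontdesk", "remote-support-tool", "7.0.14", date(2024, 2, 15)),
    Asset("northwind-law", "sw-edge-02", "switch-firmware", "2.5.0", date(2024, 1, 10)),
    Asset("northwind-law", "fw-perimeter", "firewall", "6.4.12", date(2023, 6, 30)),
    Asset("northwind-law", "ws-paralegal", "remote-support-tool", "8.0.8", date(2024, 3, 1)),
    Asset("acme-dental", "ap-lobby", "switch-firmware", "unknown", date(2024, 2, 1)),
]

# Constructed advisory table (placeholder thresholds, not real vendor data).
ADVISORIES = [
    Advisory("switch-firmware", fixed_in="2.5.0"),
    Advisory("remote-support-tool", fixed_in="8.0.8", reset_credentials=True),
    Advisory("firewall", fixed_in="7.0.0"),
]

TODAY = date(2024, 3, 21)  # constructed "run date" for the patch-age check


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '16.10.0012' or '8.0.1-hotfix' into a comparable tuple of ints.

    Returns an empty tuple when no digits are present, e.g. 'unknown'.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """True when the asset runs the advised product below the fixed version.

    An unparseable version is treated as affected: an inventory gap must be
    surfaced for review, not silently counted as patched.
    """
    if asset.product != advisory.product:
        return False
    current = parse_version(asset.version)
    if not current:
        return True
    return current < parse_version(advisory.fixed_in)


def affected_assets(inventory, advisories) -> dict[str, list[tuple[Asset, Advisory]]]:
    """Group (asset, advisory) pairs needing action by client, in inventory order."""
    hits: dict[str, list[tuple[Asset, Advisory]]] = {}
    for asset in inventory:
        for advisory in advisories:
            if is_affected(asset, advisory):
                hits.setdefault(asset.client, []).append((asset, advisory))
    return hits


def stale_assets(inventory, today: date, max_age_days: int = 90) -> list[Asset]:
    """Assets whose last update is older than the allowed patch window."""
    cutoff = today - timedelta(days=max_age_days)
    return [a for a in inventory if a.last_patched < cutoff]


def report(inventory, advisories, today: date, max_age_days: int = 90) -> list[str]:
    """Human-readable lines for the morning check across all clients."""
    lines = []
    for client, pairs in sorted(affected_assets(inventory, advisories).items()):
        for asset, adv in pairs:
            action = "update to >= " + adv.fixed_in
            if adv.reset_credentials:
                action += " and reset credentials"
            lines.append(f"{client}: {asset.hostname} {adv.product} {asset.version} -> {action}")
    for asset in stale_assets(inventory, today, max_age_days):
        age = (today - asset.last_patched).days
        lines.append(f"{asset.client}: {asset.hostname} last patched {age} days ago (> {max_age_days})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY, ADVISORIES, TODAY)))
```

Two design choices matter more than the code itself. A version the inventory cannot parse is reported as affected rather than skipped, because a blank in the inventory is exactly the gap that lets a client stay exposed. And the advisory table is data, not code: when the next vendor notice lands, the engineer adds one row and re-runs the check across every client instead of touching each tenant by hand. In practice the inventory rows would come from the RMM or CMDB export rather than being typed in as they are here.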

Know Your Audience

So who can these products and services be offered to? Without being too facetious, the quick answer is anyone who requires a secure, up-to-date, and forward-looking network. To build on that, an MSP/MSSP with a capable CASP+ can seek out larger enterprise and government contracts and other specialized verticals and carve out a name in that space. Even SMB clients who had previously sought help maturing their GRC can now benefit.

Closing

In short, having staff certified to an advanced and/or expert level (CySA+, OSCP, CISSP, CASP+) opens doors that allow a provider to grow into newer, more challenging and more lucrative spaces, and it provides the justification for offering premium services at a premium cost. The next part of this series will discuss an example Risk Assessment program that could serve as the seed concept for a fully developed GRC department.

Thank you!

Cyber Nullius

B.S. in Cybersecurity | CASP+ | CCNA | CTCE | Humble Beginner | Hopeful Space Traveler