Microsoft to recognise third-party security certification

Microsoft has made changes to its security technology programmes for resellers, recognising non-Microsoft security certification for the first time.

The company has added two new areas of specialisation under the security competency; recognised third-party security certifications as requirements for the competency; and added new partner benefits and business opportunities, said Thomas Dawkins, a group product manager in charge of Microsoft's security partner strategy.

Microsoft uses what it calls partner "competencies" to categorize the technology expertise of its channel companies. Microsoft partners are segmented under 13 competencies; in addition to security, other categories of expertise are licensing, mobility and OEM (original equipment manufacturer) hardware.

The new security management specialty is for partners that do work spanning a variety of systems including Linux, Unix and other non-Microsoft operating systems. The infrastructure specialty is for companies that have more expertise in Microsoft-centric environments, Dawkins said.

Microsoft's security competency is now its only partner programme that recognizes third-party certifications, Dawkins said. "This was a big change for us."

Previously, Microsoft partners that wanted to gain a security competency had to have at least two engineers who were Microsoft Certified Systems Engineers (MCSEs) in security, he said. Now, however, a partner can have one MCSE in security and another that has either an International Information Systems Security Certification Consortium Inc. (ISC2) or Information Systems Audit and Control Association (ISACA) certification.

Marcus Bronson, director of IT for CCD's Vynamics company, a Microsoft managed services and security competency partner, said that with the increasing complexity of providing secure IT infrastructure, having engineers with industry-standard certifications on a project team is a welcome addition.

Bronson said that ensuring that IT infrastructure is compliant with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley requires knowledge of privacy and security issues in the medical and accounting fields, respectively. Security engineers with industry-standard certifications such as ISC2 or ISACA bring to the table broader expertise to meet these government regulations for compliance, and also can give Microsoft advice on how to improve its own security products, he said.

"These are tricky things," Bronson said of the regulations. "When we’re working with people that hold those certifications they bring a level of expertise you can’t get without them. It's good to see Microsoft recognize this [and know] they need to recognize not only their own experts, but others from the field because they have a lot of value."

Another security competency improvement is the addition of more benefits -- such as news groups, early access to security alerts, new training for companies that want to build a security practice and additional guidelines for providing services on Microsoft products -- for those partners, Dawkins said.

Beginning in January or February, Microsoft also plans to open up new business opportunities to security partners by providing additional margins or possible cash incentives for their services, he added. However, the company has not completely solidified these plans but will announce something in January when they are finalized, Dawkins said.