If you haven’t seen the signs, fireworks and flags ushering in the Age of Compliance, let this be the thing that makes you sit up and pay attention. Compliance is coming to every single industry, and NOW is the time to figure out what you’re going to do about it.
So, maybe you’ve seen this wave of compliance and you’re intimidated by it. Maybe you see it and you want to monetize it. Maybe you see it and you just want to freaking help your clients get through it. No matter where you are right now, you need to find, hone and communicate your position in the compliance marketplace.
I’ve been helping clients with cyber security compliance since 2016, when many of them were required to comply with the DFARS 7012 clause and NIST 800-171 controls to maintain their contracts in the Department of Defense supply chain. I’ve seen a lot develop over these last seven years, and many perspectives from which to position yourself. Here’s a rundown of what I learned to help you navigate and determine your position and strategy.
Find Your Compliance Position
Whether you’re an IT consultant, MSP, MSSP or VAR, your clients are going to be impacted by regulatory, insurance or internal compliance requirements. They’re going to ask you for help or guidance – and you’ll need to be clear and ready with what you provide in terms of compliance services.
Compliance Provider – You can choose to become a provider of compliance services only. This usually involves providing assessment of alignment with compliance requirements, management of the compliance program, engineering services, documentation writing (policies, plans, procedures, etc.), formal audits and assessments, training services and regular guidance on compliance.
MSP/MSSP With Compliance Partner – You can choose to be an MSP, MSSP or VAR and align with a compliance provider you will work closely alongside. You provide traditional MSP, MSSP or VAR services – support, engineering, projects, maintenance – and resell security toolsets, hardware, software licensing, etc. The compliance provider gives the direction and guidance for the compliance program; you implement solutions to meet requirements and maintain the environment in some way over time.
MSP/MSSP Providing Compliance Services – You can choose to be an MSP, MSSP or VAR who also delivers compliance services. In this model, you are a blend of both MSP/MSSP services provider and compliance provider. Fair warning: If you’re not excited to dive deep into compliance, source documents and the compliance community, this is not for you. There is too much liability involved in delivering compliance services to not have a deep knowledge of the compliance requirements, with resources to back you up if you don’t have an answer to a question.
Once you’ve determined your company’s compliance position, build services and select products to meet your clients’ needs.
Positioning Compliance As Value, Not Commodity
If you feel like MSP services have become massively commoditized and bring that same frame of reference to compliance services, you’ll underserve your clients and make very little money. To do compliance right, you need to sell and deliver VALUE.
Too often I see technical people look at compliance as a checklist or an opportunity to sell a toolset. Neither of these perspectives will really provide much value, and you’ll often find yourself in an argument over price.
Let’s say you see compliance as a checklist. In this scenario, your approach to compliance is to pencil-whip your client through a series of “have-to-do’s” that they will find little to no value in, and they’ll complain the whole time that they have to spend money and time on it.
Another low-value way I see MSPs and MSSPs approach compliance is by considering compliance a technical toolset you implement. I can see why your brain goes there. Many regulations and compliance requirements include things like data security, MFA, endpoint protection, VPN and encryption. That sounds like technical tools, right?
The fact of the matter is, you can’t “tool your way into compliance.” Cyber security compliance requires a lot more than the selection and implementation of a toolset. It requires policies, plans, procedures, a culture of security and budget preparedness. It requires engagement from the entire organization and the vendors at every single level, not just the IT people.
Think about this: if your clients’ employees don’t comply with the requirements, then guess what? You just failed compliance. Compliance is NOT just relegated to IT. And if you have a client who shows up and says, “I don’t want to think about this – handle it all for me,” they’re putting you in a position ripe for a lawsuit.
And P.S. – Organizations that simply try to meet compliance requirements by checking off boxes on a list are the ones we see on the news after massive breaches, or decimated by an incident.
Sell Value, Not Compliance
I specialize in helping companies with CMMC compliance. Every time I talk to MSPs who say they’re not getting traction with their clients on CMMC, that their clients won’t listen and keep pushing action out into the future, I tell them, “You’re probably doing it wrong.” (Okay, I usually just say it really loud in my head.)
Sorry if that makes you feel butt-hurt, but I’m selling compliance services successfully every single day. And the way I’m doing that is by avoiding commodity and selling VALUE. Massive value.
So, how do you shift your position and the client’s perspective from commodity to value?
First, instead of just calling it “compliance,” see it as “the implementation and maintenance of a cyber security compliance program.”
Then look at the program from the perspective of a chief security officer. As the CSO, you’re responsible for all areas of security in an organization. A CSO is constantly uncovering risk to the organization and guiding the organization in the assessment of that risk and how to handle it. That also means the CSO is responsible not just for technical controls, but also administrative controls and physical controls.
The standard approach to compliance totally sidesteps value, and what’s worse is that the CSO or business has never successfully implemented the thing that provides value over time: a cyber security compliance program. And that’s where you can provide massive value (and a profitable service!).
Delivering Cyber Security Compliance Program Management
The thing about compliance is that once you’ve figured out how to implement one cyber security compliance program, you can implement ANY cyber security compliance program. The process is the same.
Where to start? In my experience, the best place to begin is by selecting a set of controls that includes technical, administrative and physical controls and addresses all areas of risk in the business. The most common control sets or frameworks are CIS controls, NIST CSF, NIST 800-171, NIST 800-53 and ISO 27001.
Selecting existing frameworks is helpful because tons of really smart people got together to create them, and this lends credibility to your program. It’s not “IT Princess of Power’s Standard Security Controls” (although that admittedly sounds cool), because why reinvent the wheel when others have already created it for you? Remember: you can also add custom controls that address areas of risk or concern for your particular client.
When you’ve selected your control set, it’s time for a gap assessment to identify where the organization is now vs. where they want to be to align with the controls. Before you jump into a gap assessment, it’s vital to identify what physical and digital information and assets the company wants to protect. If you don’t know this information, you won’t know how to most effectively apply the controls.
Once you’ve identified all the areas that are out of alignment with those controls, and you have a list (in my world, that list goes on the plan of action and milestones, or POAM), you’re able to group those POAM items into specific projects, which, when completed, will remediate the items that are out of alignment. Present the list of discrete projects to management in order to identify priority and budget.
Don’t forget: compliance is not just a series of projects you execute. You never actually “become compliant” – it’s a journey. This means you must have a mechanism in place to not only get compliant, but to stay compliant over time – your cyber security compliance program management.
At InTech, we use the Risk Management Plan as the mechanism to do this. Our Risk Management Plan includes yearly security assessments, quarterly risk assessments and periodic vulnerability assessments. So, on a quarterly basis, instead of holding a Quarterly Business Review where we tell our clients how wonderful we are (oh God, please tell me you’re not doing that in a QBR!), we have a specific process and action items that we and the client execute on. Then we assess and come together at the meeting to discuss risks to the business and alignment with the controls, get authorization to take action, modify documentation, ensure training is occurring and run tabletops to stay sharp.
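To make the scoping, gap assessment, POAM, project grouping and quarterly reassessment steps above concrete, here is a small Python model of that workflow. It is an added example written for this page, not InTech’s own tooling or process. Every control ID (the “EX-” identifiers), asset class, project name and finding in it is constructed for illustration and is not taken from NIST, CIS or ISO publications.

```python
"""Model of a gap assessment feeding a POAM, grouped into projects, then
reassessed quarterly. All IDs, assets, projects and findings are constructed
for this example; they are not from any published framework."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not implemented"


@dataclass(frozen=True)
class Control:
    control_id: str      # hypothetical ID, e.g. "EX-AC-1"
    kind: str            # "technical", "administrative" or "physical"
    text: str
    protects: frozenset  # asset classes this control protects


@dataclass
class PoamItem:
    control_id: str
    weakness: str
    project: str
    status: Status
    closed: bool = False


# Constructed control set covering all three control kinds (not a real framework).
CONTROLS = [
    Control("EX-AC-1", "technical", "Enforce MFA on remote access", frozenset({"CUI", "email"})),
    Control("EX-AT-1", "administrative", "Annual security awareness training", frozenset({"CUI", "email"})),
    Control("EX-PE-1", "physical", "Visitor log at the server room", frozenset({"CUI"})),
    Control("EX-SC-1", "technical", "Encrypt backups at rest", frozenset({"backups"})),
]

# Assessor's grouping of controls into remediation projects (constructed).
PROJECT_MAP = {"EX-AC-1": "Remote access hardening", "EX-AT-1": "Policy and training rollout",
               "EX-PE-1": "Facility controls", "EX-SC-1": "Backup hardening"}


def scope_controls(controls, protected_assets):
    """Step 1: keep only controls that protect something the client declared in scope."""
    return [c for c in controls if c.protects & protected_assets]


def gap_assessment(controls, findings):
    """Step 2: compare current state to the control set and return one POAM item per gap.
    `findings` maps control_id -> (Status, note); an unassessed control counts as a gap."""
    poam = []
    for c in controls:
        status, note = findings.get(c.control_id, (Status.NOT_IMPLEMENTED, "not assessed"))
        if status is not Status.IMPLEMENTED:
            poam.append(PoamItem(c.control_id, note, PROJECT_MAP[c.control_id], status))
    return poam


def group_into_projects(poam):
    """Step 3: group open POAM items into discrete projects for management to prioritise."""
    projects = defaultdict(list)
    for item in poam:
        if not item.closed:
            projects[item.project].append(item.control_id)
    return dict(projects)


def quarterly_review(controls, poam, findings):
    """Step 4: reassess every in-scope control. Close items now implemented, update items
    still open, and open new items for controls that regressed since the last review.
    Returns (number closed, list of newly opened items)."""
    closed, opened = 0, []
    for c in controls:
        status, note = findings.get(c.control_id, (Status.NOT_IMPLEMENTED, "not assessed"))
        open_items = [i for i in poam if i.control_id == c.control_id and not i.closed]
        if status is Status.IMPLEMENTED:
            for i in open_items:
                i.closed = True
                closed += 1
        elif open_items:
            open_items[0].status, open_items[0].weakness = status, note
        else:  # previously aligned control has fallen out of alignment
            new = PoamItem(c.control_id, note, PROJECT_MAP[c.control_id], status)
            poam.append(new)
            opened.append(new)
    return closed, opened


def run_example():
    """Walk a constructed client through scoping, gap assessment and one quarterly review."""
    in_scope = scope_controls(CONTROLS, frozenset({"CUI", "email"}))  # backups not declared
    initial = {"EX-AC-1": (Status.PARTIAL, "MFA on VPN only, not on webmail"),
               "EX-AT-1": (Status.NOT_IMPLEMENTED, "no training program exists"),
               "EX-PE-1": (Status.IMPLEMENTED, "visitor log reviewed")}
    poam = gap_assessment(in_scope, initial)
    before = group_into_projects(poam)
    quarter = {"EX-AC-1": (Status.IMPLEMENTED, "MFA enforced on VPN and webmail"),
               "EX-AT-1": (Status.PARTIAL, "training delivered, no attendance records"),
               "EX-PE-1": (Status.NOT_IMPLEMENTED, "visitor log discontinued after staff change")}
    closed, opened = quarterly_review(in_scope, poam, quarter)
    after = group_into_projects(poam)
    return before, closed, [i.control_id for i in opened], after


if __name__ == "__main__":
    for part in run_example():
        print(part)
```

The point of the fourth step is the one the text makes about compliance being a journey: the physical control that passed the initial assessment is back on the POAM a quarter later, so the review has to re-examine every in-scope control, not just the items already on the list.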
By implementing and maintaining a robust cyber security compliance program for our clients, we show them immense value they aren’t getting anywhere else, and we can charge top dollar for our compliance MRR services (NEVER hourly – we aren’t a commodity!) and become a trusted advisor and someone they want in the trenches with them every day as they go to war in business.