The MSP Compliance Toolkit: 7 Standards And Regulatory Bodies (And Tips To Deal With Them) That MSPs Need To Know About

Selling compliance as a service is a “blue ocean” opportunity, so get familiar with the alphabet soup of standards and regulatory agencies.

“Compliance” can be a dreaded word. You might think fist-clenching thoughts of more rules to follow and looming penalties to avoid.

Fear not. It’s time to ditch that old thinking and embrace a new “blue ocean” of opportunity. Put simply: What can compliance do for YOU?

Actually—a helluva lot.

The compliance, governance, and risk market will grow from $42 billion today to an estimated $135 billion in 2030. McKinsey even predicts cybersecurity total market value will soon eclipse $2 trillion. As online business continues to grow, cybersecurity is becoming more paramount, pragmatic, and precisely regulated.

In the MSP space, compliance is not an aspect of business to be shunned—it’s a chance to add more value for your clients while growing your business.

Indeed, compliance as a service is a significant new market opportunity, one that is constantly changing. It will not decrease in scope, scale, or need—it will only grow, as federal and state regulations continue to evolve.

“Every state in the union now has a cybersecurity breach notification law,” says Jon DePerro, former U.S. Army counterintelligence special agent and chief compliance officer of Visibility MSP. According to DePerro, IT services are projected to be the fastest growing segment in the risk, governance, and compliance market. The rules are here, and more are coming.

And therein lies the opportunity: Tapping into this $135 billion market and selling additional and needed services to both existing and new clients.

Security vs. Compliance

You’ll need to get up to speed with the nuances of the compliance space first.

“There is a major difference between security and compliance,” says Will Nobles, CEO of Vector Choice and vice president of client coaching at the sales and marketing organization TMT, the parent company of MSP Success.

Simply put, says DePerro, “Security prevents a change in the current state.” Compliance, in contrast, “isn’t changing a state,” he continues. “It’s creating a state. It’s saying: ‘We are meeting all these standards, and I can prove we are.’”

Whereas security is about keeping the bad guys out and resiliency, compliance is about, “You told me to do these five things, and I am documenting that I am doing these five things to the letter of the law,” DePerro says.

But how does this play out, say, if you get audited? First, you need to know the difference between procedure vs. policy.

Procedure vs. Policy

A policy says what you’re going to do, and a procedure says how you’re going to do it.

“I have yet to go into an MSP where they have both policies and procedures that they’re implementing simultaneously,” DePerro says.

“You might have a policy that you change passwords every 90 days, for example,” DePerro says. “But have you ever written down a procedure on how that’s going to happen? Have you spelled out who’s going to enforce that? What about an account that’s 91 days old?”

DePerro emphasizes, “If you’ve never written it down, it doesn’t exist. It’s not enough to just kind of ‘know’ anymore. When the FTC or NIST comes and audits, or even asks questions, they’re going to want to see things written down.”

Don’t get caught reacting. Help your clients get policies and procedures in place that will not just protect them from liability, but also advance their business by giving them easy-to-follow procedures for tasks big and small.

A paved road is easy to follow.

Rules, Standards, and Regulators You Should Know About

OK, so just who is doing this auditing, what agencies do you need to be aware of, and how can you help your clients get compliant with standards before the regulators come knocking?

Here are some of the regulatory bodies and standards you need to know about:

NIST: The National Institute of Standards and Technology (NIST) is a nonregulatory government agency. Founded in 1901 and now part of the U.S. Department of Commerce, NIST develops, promotes, and maintains metrics and standards used within science, technology, and other industries.

These standards help federal agencies, contractors, and other businesses that work with the government meet the requirements of different frameworks, such as the Federal Information Security Management Act (FISMA), which dictates certain cybersecurity standards.

CIS: The Center for Internet Security (CIS) is a community-driven nonprofit organization, responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data.

ISO 27001: ISO 27001 is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). 

Here’s why it might be important to you: “A company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data,” according to NIST.

“A lot of manufacturers can use this as a value-added proposition,” DePerro says. “It’s an easy way to show they’re certified and compliant with an international standard.”

HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

HIPAA is the de facto No. 1 law of the land in the healthcare-related industry and must be adhered to strictly.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards from the major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud.

“It’s important to note that the PCI DSS applies to ANY organization, regardless of size, that stores any customer cardholder data,” DePerro says.

CMMC: The Cybersecurity Maturity Model Certification (CMMC) program is an assessment standard designed to enforce protection of sensitive unclassified information that is shared by the Department of Defense with its contractors and subcontractors.

FTC Safeguards Rule: The Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, or the Safeguards Rule, requires financial institutions to protect the security of customer information. Updates that went into place this past June broaden the definition of “financial institution.” 

When it comes to dealing with the rules and regulations imposed by the FTC, DePerro has a few common tips that can get you well on your way to full compliance.

Words to comply by:

• Designate a Qualified individual to implement and supervise your company’s information security program.

• Conduct a risk assessment.

• Design and implement safeguards to control the risks identified through your risk assessment.

• Regularly monitor and test the effectiveness of your safeguards.

• Train your staff.

• Monitor your service providers.

• Keep your information security program current.

• Create a written incident response plan.

• Require your Qualified individual to report to your Board of Directors.

Don’t Run. SELL.

It’s time to get familiar with the tools, information, and strategies you need to package and sell compliance as a service to your clients. If you don’t, your competitors will.

“Whether it’s something as simple as processing credit cards, your clients have to spend more and more money on compliance,” says Robin Robins, founder of TMT. “So, why shouldn’t they be spending it with you?”

Want to keep current on compliance? Subscribe to MSP Success today! We’re going to be continuing this series diving into the ins and outs of compliance as a service.

Want more? Learn more! Find out about the TMT FREE Cybersecurity Reports in the Compliance Toolkit here.

ABOUT THE AUTHOR
Ben Liebing is a freelance writer and frequent contributor to MSP Success, the gold standard in the MSP space. Previously, Ben worked as a marketing director for Tesla Motors, reported for The Cincinnati Enquirer, and served in the United States Air Force. He has lived, worked, and traveled in over 40 countries around the world.
