Don’t Get Stuck In A Compliance Box 

The MSP Success Thought Leaders Program invites leaders in the small business IT/MSP industry to share their insights and advice with MSP Success readers.

In the race to offer specialized compliance services around the Cybersecurity Maturity Model Certification (CMMC), NIST, or other standards, many managed service providers and managed security service providers (MSPs/MSSPs) might be missing out on a significant market—EVERYONE ELSE.

Contrary to what you may be reading or hearing from vendors looking to push services, or even from your peers, the majority of small to medium-sized businesses (SMBs) don’t necessarily require certification or compliance with these stringent standards. Their primary needs still revolve around fundamental IT services such as helpdesk support, routine maintenance and monitoring, data backup and disaster recovery, and a high-level security stack—your bread and butter as an MSP.

Are You Prepared to Make the Investment?

Bear in mind that it can require a significant investment to build an MSSP practice that can handle compliance requirements like CMMC/NIST 800-171, HIPAA, PCI, SOX, or GLB. Unless you are already a big MSSP, the investment may cost more than the results justify. This is because of training costs, the complexity of using multiple sets of tools, and the top salaries you’ll need to offer to bring security specialists on staff.

Training costs for engineers. When you introduce a new piece of software into your security stack, your employees need to be trained on it. This involves dedicating hours to educating them and investing sufficient funds to ensure they grasp the new software effectively.

Multiple sets of tools required. If you do venture into niche compliance, you’ll find that you need multiple sets of tools to address specific regulatory requirements potential clients may have.

For instance, there are two distinct versions of Duo, namely Standard Duo and FedRAMP-approved Duo. Similarly, there are variations in endpoint detection offerings: SentinelOne offers Standard SentinelOne and FedRAMP-approved SentinelOne, for example. Understanding the nuances between versions becomes crucial when aligning with specific compliance frameworks.

In addition, there is uncertainty regarding the necessity of using FedRAMP-approved versions, so you face the additional challenge of determining whether these specialized versions are mandatory for compliance or whether there is flexibility to choose standard versions depending on the specific regulatory landscape.

Finding and retaining talent. Your security expert is the person you rely on to stay updated on compliance trends, rules, and improvements. Usually, this is a senior engineer that you’ll need to keep on your team, often by offering competitive pay.

The Market May Be Smaller Than You Think

Even if you determine that the investment detailed above is doable, the market opportunity may not be as large as you think. Many of the companies that DO have budget for compliance already have a full in-house IT department and are just looking for one-time consulting for compliance. So, keep in mind that this might not result in continuous revenue for your business.

In addition, the specialized staffing, training, services, and products you need for these engagements might only be applicable within that one small market niche.

Based on the information from the Department of Defense posted on December 26, 2023, there are about 212,650 prime contractors and roughly 8,300 subcontractors, according to the Federal Procurement Data System. Check out page 314 of this document from the Federal Register for more details.  

Since there are over 625,000 manufacturers in the U.S., it is plain to see that not all of them need to bother with the CMMC.

Why You Need A Two-Pronged Approach to Marketing

Don’t get me wrong. I am all for adding compliance to your toolset as an additional service, but not as your main focus. I wouldn’t have been able to successfully grow my MSP without identifying and then expanding within a few key verticals, but if I had limited myself to just advertising niche services, Direct iT would never be where we are now.

That’s why I recommend taking a dual approach to your marketing, ensuring that businesses seeking specialized solutions understand your broader IT offerings as well. When advertising, showcase your expertise in basic IT support and what makes your company different. Is it white glove service? Is it rapid response? Build this into your messaging.

By marketing a diverse range of services, you can become the go-to solutions provider for both niche AND everyday IT requirements, building trust and appealing to a wider audience.

While the advantages of offering specialized certifications are undeniable, the reality is that the broader market seeks dependable, day-to-day IT assistance rather than compliance-focused solutions mandated for specific sectors. By recognizing the prevalence of these needs, your MSP/MSSP can position itself as a provider of comprehensive and accessible IT solutions tailored to the practical requirements of the majority, rather than a select few governed by intricate compliance standards.


ABOUT THE AUTHOR
David Javaheri is president and CEO of Direct iT, an MSSP based in Waltham, Massachusetts.
