The Compliance Gold Rush: How MSPs Are Turning Regulation Into Revenue

Compliance is rapidly becoming a key revenue driver for MSPs as businesses face increasing regulatory requirements and cybersecurity risks. With 73% of MSPs reporting a rise in client demand for compliance services in our latest MSP Success reader survey, there’s a growing opportunity to expand offerings, build stronger client relationships, and create recurring revenue streams.

Compliance is “the cornerstone of every single conversation that we’ve had over the past almost two years running now,” says Tommy Thornton, CEO of Automates, an MSP in National City, California. “We go into every conversation with cybersecurity and compliance first.”

“If you’re an MSP and you don’t have a compliance plan and the basics in place, your business is at risk and your clients are at risk,” says Greg Wilkoff, president of Adept Networks, an MSP in Medford, Oregon.

Compliance services are multifaceted and there’s no one-size-fits-all offering, as every industry has unique requirements. And while compliance regulations are getting more “teeth” in terms of enforcement and consequences, MSPs are mindful that many clients and prospects still don’t have the appetite for “eating the elephant” (or paying for it) in one serving.

That’s why we asked our readers to weigh in on how they’re delivering and pricing compliance services, the challenges they face, and the opportunities for growing revenue. Here’s a look at our survey results so you can see how you stack up.

What’s Driving Demand for Compliance Services?

According to our reader survey, 67% of MSPs are offering compliance services currently and 23% have them in development. Among those respondents who are not offering compliance services now, 40% plan to in the next two years.

One driver for demand is the cyber insurance industry, says Roy Richardson, vice president and CTO/CSO at Aurora InfoTech, a cybersecurity and IT support provider in Orlando, Florida. The cyber insurance providers are “not taking ‘scout’s honor’ anymore in terms of you having [security controls] in place,” he says. Now, he adds, they’re coming in with their own forensic teams to make sure. “We’re finding that clients are wanting to align themselves at least with the cybersecurity essential frameworks that are related to cyber insurance. It makes the discussions a bit easier as well with regards to compliance as a whole.”

Another driver is increased enforcement of state and federal regulations.

“Compliance has been wink, wink, nod, nod for so long, and now it’s gotten serious teeth,” says Dan Stewart, CEO of Stewart Technology Group, an MSP in Columbia, Missouri.

Even so, figuring out how to package compliance for clients in a way they can digest and you can deliver is important, says Peter Cole, CEO of PDC Technology, an MSP in Sacramento, California. “With most of our clients, if you go too deep into the regulations and what’s all involved in a security program, it’s like eating an elephant. Their eyes can gloss over pretty fast. So I found that if you listen to what their business objectives are and try to align that with strategy and security, they’re more apt to listen for longer periods of time. And their purse strings start to loosen up a little bit.”

What’s on the Compliance Services Menu?

Demand for compliance services varies with an MSP’s client base. Fifty-five percent of respondents report that 30% or less of their clients are under a compliance requirement in their industry, while just 28% say more than half of their clients are in industries with compliance requirements.

“California’s very compliance driven,” says Thornton. “I would say 90% of our clients, if not almost 100%, fall under some kind of compliance requirement such as FTC Safeguards.” Plus, in his state, businesses that collect personal information have to conform to the California Consumer Privacy Act (CCPA).

MSPs are supporting a variety of compliance frameworks. HIPAA (Health Insurance Portability and Accountability Act) is the most prevalent, cited by 81% of respondents, followed by PCI DSS (Payment Card Industry Data Security Standard) at 71% and NIST CSF (Cybersecurity Framework) at 60%. Today, 45% of respondents are supporting the Department of Defense’s CMMC (Cybersecurity Maturity Model Certification).

The components of an MSP’s compliance offerings vary too. According to our survey, 91% are providing security awareness training, while 88% are offering risk assessments, 86% are providing continuous monitoring, 78% are helping with policy creation and documentation, 71% are providing remediation planning, and 60% offer audit preparation and support.

For their clients with HIPAA requirements, Adept Networks does “everything from putting privacy screens on monitors to making sure that equipment is located in secure locations,” says Wilkoff. He adds that 90% of their clients have compliance needs.

Richardson tailors his offerings to each client and their environment. “It’s not a one-size-fits-all because it really has to be custom tailored to what that gap analysis indicates as a starting step,” he explains.

The Challenges of Scaling a “Cliff”

The top reasons why some MSPs are not offering compliance include lack of demand from their clients (65%), lack of skilled resources (40%), and the expense of getting up to speed (10%).

For MSPs that are offering compliance services, the top challenge is educating clients about their compliance needs. That’s true for Stewart, who notes, “The top challenge is getting them to understand they need it, that it does apply to them. It’s not avoidable, and it’s just part of doing business.”

The primary way MSPs are educating clients about compliance requirements and solutions is via one-on-one consultations (87%). They are also using regular newsletters or updates (41%) and workshops or webinars (22%).

Others, like Wilkoff, take advantage of quarterly business reviews to discuss compliance needs.

Besides client education, other challenges to offering compliance services include resource limitations (staff, time, tools), learning curve and expense, staying updated with regulatory changes, and managing client-specific requirements.

Stewart likens the learning curve to trying to climb up a steep cliff quickly. It involves poring through government documents, staying on top of changes, and interpreting for clients what “secure” means in some cases. For example, he says, “Does that mean I have to lock my doors? Does that mean I have to have a door code? Does that mean I have to have rotating passwords? And the answer is ‘all of it.’ There is a physical security layer. There’s a workstation security layer. There’s a two-factor security layer, and so the answer is ‘all of it.’ Once you hit compliance, you better hang on and run up the cliff because there’s so much of it.”

Stewart and Wilkoff say tools like Kaseya’s Compliance Manager GRC (governance, risk, and compliance) help. They also both partner with Galactic Advisors to assist with third-party pen testing.

Survey respondents, similarly, are using a combination of ways to deliver compliance services. Just over half (56%) say they have in-house staff expertise. MSPs are also partnering with a compliance consultant or vCISO (34%), using compliance automation tools (54%), and/or implementing a GRC management platform (41%).

Pricing Your Compliance Services

How MSPs price compliance services varies, and like delivery, many use a combination of models, with 56% of respondents offering tiered pricing based on client needs. Others include compliance as part of an all-inclusive MSP package (37%) or bill on a per-hour/per-project basis (34%).

Most clients are typically not including compliance in their IT budgeting, according to 63% of MSPs.

“It’s really a business discussion more than it is an IT discussion,” says Cole. “So what’s that company’s risk appetite and things like that are going to play a heavy role as to how much they’re willing to spend and what kind of priority they’re going to make it. Having a tiered approach is a better option for us.”

Automates offers compliance as part of its MSP package, which does have different tiers, while Adept Networks includes compliance service in its security package. And Aurora InfoTech takes a hybrid approach, billing as a project to get a client to a baseline of compliance, after which keeping them in compliance becomes MRR.

Related: 3 Surefire Strategies To Sell High-Profit IT Compliance Services

Expansion Ahead

As organizations of all sizes are coming to realize they can’t turn a blind eye to their compliance requirements, MSPs are ramping up to capitalize on the opportunity. Among our survey respondents, 55% plan to expand their offerings significantly in the next 12 months, and 38% plan to expand somewhat.

Automates plans to add CMMC expertise. “Being in San Diego, there’s 14 military bases,” says Thornton. “DoD is everywhere here. Then you have the ship building yards, the Port of San Diego. It would be a disservice to ourselves if we didn’t enter into the CMMC space.” He says Automates has already registered for a CAGE number (a unique identifier given to each government contractor) and he plans to hire a CMMC documentation expert to help them get started.

“I would say definitely over the next 12 to 18 months we plan on expanding our compliance offerings once again,” says Richardson. “We enjoy the space we’re working in, and we enjoy the results that we’re getting and the impact it’s having for our customers.”

Cole is in the process of getting a Certified Information Security Manager (CISM) certification from ISACA. “I’ve been in the industry a long time, but if you’re going up against other MSPs for a particular client, having some of those certifications will add some credibility to your position,” he says.

Wilkoff agrees, noting he has staff with CISSP (Certified Information Systems Security Professional) certification from ISC2.

What to Know Before You Head Down the Compliance Path

In addition to credentials, MSPs recommend getting your own house in order with good security hygiene and controls. “I would start with making sure that you’re not low-hanging fruit and that you’re doing the basics,” Wilkoff says.

Stewart agrees. “Drink your own Kool-Aid. Put yourself into compliance, whether it’s PCI or CMMC, so you know the level of effort it takes.”

Thornton recommends having initial customer conversations focused on state and local requirements first, before getting into federal or industry-specific regulations.

He also suggests choosing tools that will help you deliver compliance services. “Instead of just going out and buying every shiny vendor tool, we start looking at it in terms of compliancy,” Thornton explains. “Does it fit a compliance requirement for our client base? Does this tool get us to where we eventually want to be in our next-level compliance stack? If not, then why are we even having this conversation?”

For his part, Richardson says MSPs should consider a coach and/or tapping into their peer groups to gain compliance knowledge. He warns that it’s a deep dive, however. “If you’re going to go down this path, you have to be fully committed to it. Compliance is not an on/off switch. If you’re selling compliance services, make sure that you know the insurance [requirements] and ins and outs of the regulations that you’re aligning your customers to.”

Time Is Money

Since compliance services are more specialized and strategic, “there’s a higher value to that overall [client] relationship,” Richardson says, “so the potential to earn much higher revenue is far greater.” He likens it to being a heart surgeon vs. a general practitioner.

Thornton agrees. “I will say the margins are better. You can up your seat cost and it doesn’t necessarily mean that you’re going to be putting in more man-hours, as it’s tool based.”

“Move fast is my advice,” says Wilkoff. “You’re in business to make a profit and that’s where the profit is now.”

Want access to all the data from our compliance survey and see how you stack up against other MSPs? Download the full report here.

Author:

Colleen Frye

Colleen Frye is executive editor of MSP Success. A veteran of the B2B publishing industry, she has been covering the channel for nearly two decades.
