IT and Business Insights for SMB Solution Providers

How to Sell a Compliance Program

InTech Solutions offers cybersecurity compliance as a program, keeping clients aligned with an evolving world of regulations and growing its own recurring revenue.

By Leia Kupris Shilobod

COMPLIANCE IS A JOURNEY, not a destination. While our first instinct may be to approach compliance as a checklist, the real value comes when we offer clients a Cybersecurity Compliance Program.

InTech Solutions began exploring compliance services around 2016 when several of our manufacturing clients needed help with the NIST SP 800-171 recommendations for protecting the confidentiality of controlled unclassified information (CUI). Soon after, our local Manufacturing Extension Partnership (MEP) asked us to present on the NIST SP 800-171 requirements.

We were faced not only with figuring out how to implement the 800-171 controls, but also with how to do so effectively across many clients.

Initially, I viewed the NIST requirements as a checklist of security controls our clients needed to implement, but over time I realized that compliance is not an IT project or set of security tools we implement; it’s an ongoing process. It requires more than just assessing the client’s current security posture, determining what is out of alignment, and launching projects to fill the gaps.

This is where compliance as a service (CaaS) needs to become a program, because compliance is a moving target. Staying compliant involves meeting with clients regularly, reviewing documentation, confirming IT security policies are in place, testing the incident response plan, implementing an IT asset management plan, and ensuring that security awareness training is ongoing. These regular meetings are like a quarterly business review (QBR) or technology business review (TBR) on steroids, with a cadence of every 30 to 90 days.

Following this cadence over the course of a year brings massive value to a customer and keeps them engaged. They are more than happy to write that check every month, and we’re happy we’re keeping them in alignment.

Clients did push back initially with NIST 800-171, questioning if any entity was going to check that they had implemented the security controls they had pledged to do in their contracts. Then along came the Cybersecurity Maturity Model Certification (CMMC), where there is built-in accountability, and now yes, someone is checking.

InTech Solutions was well positioned to leverage the deep compliance knowledge we had already developed to move into CMMC.

Because we have a risk-based and value-focused conversation, clients now understand that a compliance program is going to involve more money, time, and effort, but that it delivers 10x the value of just checking a box. They’re already spending a lot on support, equipment, and cybersecurity products and services. A compliance program ensures the best use of their time, money, and efforts.

Tips for Getting Started

To get started with compliance services, you must have a strategy: Either focus on being an awesome MSP and partner with a compliance provider or ramp up your own compliance expertise. If you want to get certified as a CMMC assessor or auditor, you’ll need to start an entirely new division of your company that will do the official assessments. In my experience, being an assessor is not the best fit for an MSP, however.

Once you decide on your strategy:

  • Learn, learn, learn. Whether it’s HIPAA, FINRA, CMMC, etc., read all the source documentation to assure you’re clear on requirements. They will reference other documents; read those too. Make sure you understand the “why” and how to implement those security controls in real life.
  • Get plugged into a community that's talking about compliance. This will allow you to reach out to people who have information that can help you.
  • Always approach compliance with a beginner's mind. The deeper you dive, the more you realize what you don't know.
  • Don’t be afraid to tell your client you don’t know something; let them know you will leverage your network to find the answer. This actually breeds confidence and stickiness because they know you have resources.
  • Bring your own MSP business into compliance with recommended security controls. If you’re going to do it for clients, you sure as hell better implement them in your own MSP.
  • Provide guidance but allow the client to make the decisions to minimize your liability. In the end, this is THEIR business risk and you cannot take on that risk for them.

ChannelPro SMB Magazine