Here are three things worth knowing about regulatory compliance: it’s not synonymous with security, it’s not small potatoes from a revenue perspective, and it’s not going away any time soon.
If cybersecurity is about shielding end users from threats, detecting successful attacks, and mitigating the consequences of those breaches, compliance is more about ensuring and then documenting that businesses have met the often complex requirements associated with regulatory mandates.
And there are more such mandates arriving all the time. Indeed, familiar regulations like HIPAA and GDPR have been joined more recently by CMMC even as cyber insurance companies and other entities increasingly mandate compliance with respected cybersecurity standards like ISO 27001 and NIST 800-171.
As a result, global outlays on the more broadly defined market for governance, risk, and compliance (GRC) solutions will reach $15.2 billion in 2025, according to IDC.
Data from Kaseya’s 2022 Global MSP Benchmark Survey Report, meanwhile, helps explain what motivates all that spending. Some 75% of respondents to that study agreed that their clients struggle to meet compliance obligations, and 53% strongly agreed. Close to 75% of surveyed MSPs also said that they currently provide or are getting ready to provide compliance services to their customers.
“Compliance is already and will continue to be a huge thing,” said Amelia Paro, a channel development manager with Kaseya’s ID Agent unit, in a conversation with ChannelPro at last week’s SMB Forum event in Newark, N.J. Kaseya, in fact, introduced a new version of its Compliance Manager solution designed to help MSPs deliver GRC services that same day.
“Some MSPs have been a little hesitant to get into [GRC] because there’s so much involved in offering that kind of service,” Paro observes, adding that Compliance Manager allows channel pros to provide GRC help without making massive upfront investments in training and certification.
“An MSP doesn’t have to be the compliance expert,” she says. “The tool provides some of that expertise.”
Choice CyberSecurity is taking another approach toward the same goal. Founded in 2012 as an MSSP, the company increasingly makes its money providing outsourced GRC services to MSPs that can’t afford to educate themselves about a seemingly endless set of laws and regulations.
“They might have 50 clients and there’s two defense contractors, two in medical, two in financial, two accounting firms, and two law firms,” observes CEO Steve Rutkovitz, who also spoke with ChannelPro at last week’s SMB Forum conference. “To come up to speed on all their compliances is almost impossible.”
Choice, on the other hand, has deep knowledge of multiple regulations and extensive experience identifying and remediating risk. “We kind of have a turnkey solution,” Rutkovitz says. “We’re good at helping the MSP create these projects, and then we kind of quarterback and manage it.”
When that process is finished and required controls are in place, Choice helps the MSP turn the ongoing work of maintaining compliance (re-assessments, updates, training, and other services) into a source of recurring revenue. “We just basically say it’s continuous compliance,” Rutkovitz explains.
Choice currently provides that service for a little more than 100 MSPs. “We want to grow that to about 250,” Rutkovitz says.
Speakers at ChannelPro’s Cybersecurity Online Summit event next month will examine a number of other revenue-generating opportunities in the realms of security and compliance.