Compliance as a service (CaaS) has become an important topic for MSPs and affects both small and medium-sized businesses. Compliance is a huge task: there are many controls to follow, ongoing maintenance, lots of friction, forms and paperwork, and many tools involved. It can also be extremely difficult to find an expert to assist with it. In some cases there will be a gap between the security solutions a business can actually deploy and what the compliance framework asks for, and the framework may need some translating (so to speak) because it is written in confusing, ambiguous language.
However, achieving compliance is absolutely possible and can be a source of revenue with the right strategy and execution. It is important to understand the narrative. In a nutshell, why does your client need to be compliant? Typically there are two simple reasons: first, there are mandates that apply to their data or their specific industry, and second, your clients' own customers demand it, often as a contractual requirement.
Here are five tips we have learned from our partners that can help you generate a significant revenue stream from compliance solutions today:
1: Start With the Why
MSPs need to ask themselves why small and medium-sized businesses (SMBs) are starting to pursue compliance. Why do they want to comply? To answer these questions, you must be familiar with SMB challenges as well as the potential consequences of non-compliance, including financial penalties, reputational damage and legal consequences. How will the company protect its client information as it grows? For example, healthcare organizations and their contractors that handle protected health information should comply with HIPAA, and DoD contractors should comply with Cybersecurity Maturity Model Certification (CMMC) 2.0.
2: Educate Customers on Benefits, Frameworks
When discussing best-practice frameworks for cybersecurity, provide case studies or success stories of SMBs that have benefited from compliance services. Two comprehensive frameworks are commonly recognized and cited as examples of cybersecurity best practice that many small and medium-sized businesses can adopt: ISO/IEC 27001 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
3: Explain the Potential Risks
When it comes to convincing your clients to enable multi-factor authentication (MFA), you will have a very difficult time if all you are doing is adding friction to their lives. Explaining the risks they face by not enabling MFA is a completely different matter. You may want to use tools that show them the risks, a short risk management report, or even a workflow diagram that walks through how an account compromise would unfold without MFA.
4: Offer Value Rather than a Solution
Do not try to sell compliance solutions right away; it will be difficult, since most businesses do not understand the importance of compliance. You must explain why doing it with you will be more beneficial to them. To make that happen, you must understand their needs and use a tool that automates the process without intruding too much on them and makes the process easily repeatable.
5: Promote Other Solutions During Compliance
Many MSPs have found success using compliance controls to increase sales of other products they offer. Compliance controls frequently call for capabilities such as endpoint detection and response (EDR), a security operations center (SOC) and security information and event management (SIEM), so the control requirements themselves create demand for those products. While you are not required to market them to your customers, using a proven framework can help do the work for you.
The Secret Sauce
The first thing you need to do is understand the why, then educate your clients about compliance, which should make them more willing to listen to and comprehend what you are saying. Explain the risks they are facing by using threat modeling and a risk assessment of their devices and processes, and then demonstrate the value and benefits they can get through your solution to make them compliant. If you already manage their IT environment, it will be much easier for you to handle their compliance too, and you can then start upselling and making more money!
Shay Cohen is CEO and co-founder of Kamanja and a member of CompTIA’s North America Community.