Article | July 12, 2017

How Offering Compliance-as-a-Service Can Help MSPs Shine

By Ed Shanker, President, Meeting Tree Computer

Regulatory Compliance Elevated Standards

Businesses turning to MSPs have no shortage of options in the marketplace, making the solution provider’s ability to distinguish itself crucial to its long-term viability. In my opinion, perhaps the surest path to differentiating a managed service is providing expertise that goes beyond simply delivering technology, and gets to really helping clients navigate the real-world complexities that govern how technology must be applied. Data security certainly stands as one area where the burdens that businesses face call for expertise across not just the technological solutions provided, but also in regulatory compliance. Most businesses must now comply with (ever-stricter) data security laws particular to their industries, be that healthcare, finance, payment services, etc.

MSPs can, in many cases, uniquely position themselves against competitors by developing what might be called “Compliance-as-a-Service” (CaaS) offerings for their clients. By doing so, an MSP – in addition to their more traditional role of technology provider – becomes an active advocate that can put its creativity and deep industry expertise toward guiding each client through the challenging nuances of compliance laws. Given the choice between conventional data security solution providers and one that will ensure an issue-free experience with regulators, a CaaS mindset equips MSPs with the means to stand out.

Regulatory compliance concerns are continuing to increase, driven by near constant news coverage of data breaches and the devastating effects they have on businesses, in the form of both crippling regulatory fines and reputational damage. The situation – particularly for small businesses – is now at a point where leaving the definition of what constitutes adequate data security up to the interpretation of non-experts is dangerous. The specificity that only true experts can provide is necessary for a few reasons: data security regulations can be vague to the degree that it isn’t clear how they apply, ambiguous rules are easy to ignore, and there exists a natural but harmful short-term incentive for businesses to stick their heads in the sand and believe regulations don’t apply to them.

Assisting businesses by providing clear and specific compliance expertise remains a huge opportunity for most MSPs – but only for those willing to really embrace it. Solution providers may feel frustration at the prospect of needing to learn another set of complicated rules and understand new knowledge areas across industries. However, this is the same challenge clients face. Overcoming this attitude and taking up the burden on your clients’ behalf may take time and effort – you can’t fake it. But, it will ultimately result in a more engaged and profitable MSP-client relationship, in which the expertise you develop and consultative guidance you deliver is perhaps as valued as the technological solutions you provide. In fact, the former may often become the reason you’re selected as a provider. A Compliance-as-a-Service offering also yields the additional benefit of retaining clients that might otherwise be wrested away by low-cost providers, but will remain simply because your expertise is that vital to operations.

For example, in our own state of New York, new cybersecurity regulations have now taken effect that place extremely strict requirements on how financial services institutions handle sensitive data. As with similar industry-specific regulations like HIPAA, FINRA, or PCI-DSS, businesses and MSPs alike may be intimidated by the demanding complexity of these new rules. However, by their nature these new regulations require businesses to take a responsible, eyes-wide-open stance toward data security. Requirements include assessing cybersecurity risks, directly addressing those risks by introducing technology and policy solutions, and assigning a designated official to oversee information security and submit annual reports to regulators. A business must also report any data breach to regulators within 72 hours, meaning they must possess the technology apparatus to do so. In the face of these demands, a great number of businesses are naturally on the lookout for expert assistance. In this environment, MSPs that put in the work to position themselves as experts in security compliance and the appropriate technology platforms should have no trouble expanding their client bases.

To get there, MSPs should adopt tools and platforms that easily support a CaaS proposition. The technology should provide functional data security, and facilitate the personnel training required. It should also be delivered in a manner congruent with the MSP’s overall service offerings, as far as how billing cycles and other such factors are handled. MSPs would be wise to leverage the expertise of their vendors as well, since they often have very clear insights into how their products address certain regulations and enable compliance. Vendors that MSPs may investigate to that end include Breach Secure Now and Beachhead Solutions. The capabilities provided by these platforms are a fit for the requirements found in most data security regulations, and the services are well tailored for MSPs’ needs.

By going beyond mere data security to fully offer Compliance-as-a-Service, MSPs can deliver the precise safety from data breaches and regulatory actions that clients desire – both strengthening and differentiating their own businesses as a result.

About The Author

Ed Shanker is President of Meeting Tree Computer, an IT support and managed services provider serving New York State’s Hudson Valley region.

Breach Secure Now! provides a cybersecurity program framework including training, security policies, and a security risk assessment addressing specific compliance needs.

Beachhead Solutions provides web-managed PC and device encryption alongside the ability to remotely revoke access and delete sensitive data from compromised devices.