Guest Column | October 18, 2019

10 Tips for Adding Security And Compliance To Your Services Stack

By Alex Rutkovitz, Choice CyberSecurity

Establishing A Security Policy

The managed services market is expected to grow to $282 billion by 2023, and one of the main drivers is security and compliance. Managing data privacy and protection, storage and transfer — as well as compliance with state, federal and international laws and guidelines — is too complex for clients of all sizes to manage internally. It's natural that they look to their IT partners to help them solve this issue. It's your opportunity to be ready with a plan when they do. Even better, bring the solution to them before they even start searching. Here’s how.

  1. Create Your Repeatable Process

Cybersecurity and compliance are a critical addition to your services stack, but before you launch a new offering you need to have a solid game plan for success. After all, repeatable services are the bread-and-butter of the MSP industry. Identify which compliance and security offerings you will focus on, how you will assess risks and maintain compliance, and what additional services you will offer as part of the program. Once you have a packaged offering of services laid out, you can move to acquiring your first clients.

  2. Start With Your Existing Client List

This is true with any new offering. Existing clients are easy wins; your existing relationship removes many of the barriers to purchase. While security and compliance affect all businesses, clients in key industries — like financial services or accounting, healthcare and insurance, legal, government contractors, nonprofit, and software companies — are a great place to start.

Your target list should be small, no more than three clients, so you can invest in the success of the pilot and show real value to them. These can be your future evangelists. The clients themselves should also be small to midsize businesses. Sixty-one percent of security breach targets are small businesses. They are easy pickings for attackers because they often lack the controls to detect or withstand an attack, yet many of them transmit or store sensitive or private information about their customers.

  3. Start With Assessment

Before you sell a robust security and compliance package to a new or existing client, you need to show them why they need it. An assessment should be part of your repeatable process. To perform one, first select which of the common frameworks you will use as the source of the controls you assess against. These include regulatory requirements and control frameworks, such as:

  • NIST (for example, the Cybersecurity Framework or SP 800-53)
  • HIPAA
  • PCI DSS
  • ISO 27001
  • GDPR

The framework you choose determines the set of controls you will audit in your assessment. The next step is to use risk assessment tools to build a comprehensive list of the client's compliance and security gaps and to identify where their data is most at risk. Follow up with a vulnerability scan or penetration test of the systems that handle that data, so the findings rest on exploitable weaknesses rather than questionnaire answers alone.

Once the assessment is complete, provide the client with an executive summary. State the framework used, the controls audited, your findings, the risk each gap poses to their company, and your recommendations for closing it. Risk assessments are a win-win for you and your client: you get paid to show the client why they need an additional service, and the client gets an accurate picture of the current state of their data security.
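To make the assessment step above repeatable rather than a one-off spreadsheet, it helps to encode the chosen control set, record each finding with evidence and a likelihood/impact rating, and generate the executive summary from that data. The following is an added example written for this column, not a tool from the author or Choice CyberSecurity. The control catalog and the findings are constructed for illustration; the control identifiers (AC-1, DP-1, ...) are placeholders, not real NIST, PCI DSS or ISO control numbers, and should be replaced with the catalog of whichever framework you selected.

```python
"""Lightweight control-gap assessment: score findings and build an executive summary.

Added example for this column; the catalog, findings and identifiers below are
constructed placeholders, not controls from any real framework.
"""
from dataclasses import dataclass

# Constructed control catalog. Replace with the control set of the framework
# chosen for the engagement (e.g. the relevant PCI DSS or ISO 27001 controls).
CONTROLS = {
    "AC-1": "Unique accounts and MFA for all administrative access",
    "DP-1": "Cardholder and PII data encrypted at rest",
    "BK-1": "Tested, offline backups of business-critical data",
    "LM-1": "Centralized logging with at least 90-day retention",
    "TR-1": "Annual security awareness training for all staff",
}

VALID_STATUS = ("pass", "partial", "fail")


@dataclass(frozen=True)
class Finding:
    control: str
    status: str          # "pass", "partial" or "fail"
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    evidence: str        # what the assessor actually observed
    recommendation: str  # what closes the gap

    def __post_init__(self):
        # Reject findings that do not map onto the chosen control set, so the
        # summary can never quietly cover a different framework than it claims.
        if self.control not in CONTROLS:
            raise ValueError(f"unknown control {self.control!r}")
        if self.status not in VALID_STATUS:
            raise ValueError(f"bad status {self.status!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")

    @property
    def risk(self) -> int:
        """Classic likelihood x impact score; a passing control carries no risk."""
        return 0 if self.status == "pass" else self.likelihood * self.impact


def severity(score: int) -> str:
    """Map a 0..25 risk score onto the bands used in the executive summary."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    if score >= 1:
        return "low"
    return "none"


def assess(findings):
    """Check that every control was assessed, then rank the gaps by risk."""
    missing = sorted(set(CONTROLS) - {f.control for f in findings})
    if missing:
        raise ValueError(f"controls not assessed: {missing}")
    credit = {"pass": 1.0, "partial": 0.5, "fail": 0.0}
    coverage = round(100 * sum(credit[f.status] for f in findings) / len(CONTROLS))
    gaps = sorted((f for f in findings if f.status != "pass"),
                  key=lambda f: (-f.risk, f.control))
    return {"coverage_pct": coverage, "gaps": gaps}


def executive_summary(framework: str, findings) -> str:
    """Render the summary the column describes: framework, controls, gaps, fixes."""
    result = assess(findings)
    lines = [
        f"Framework: {framework}",
        f"Controls audited: {len(CONTROLS)}",
        f"Controls satisfied: {result['coverage_pct']}%",
        "Gaps (highest risk first):",
    ]
    for g in result["gaps"]:
        lines.append(f"  [{severity(g.risk):8}] {g.control} {CONTROLS[g.control]}"
                     f" (risk {g.risk}): {g.recommendation}")
    return "\n".join(lines)


# Constructed sample findings for a hypothetical small client.
SAMPLE_FINDINGS = [
    Finding("AC-1", "fail", 4, 5, "Shared 'admin' account, no MFA on the RMM portal",
            "Enforce per-user accounts and MFA"),
    Finding("DP-1", "partial", 3, 5, "Laptops use full-disk encryption; file server volumes do not",
            "Enable volume encryption on the file server"),
    Finding("BK-1", "fail", 3, 4, "Backups exist but no restore test in 12 months",
            "Schedule quarterly restore tests"),
    Finding("LM-1", "pass", 1, 3, "Syslog forwarded to SIEM, 180-day retention", "None"),
    Finding("TR-1", "partial", 3, 3, "Training delivered at onboarding only",
            "Run an annual refresher with phishing simulation"),
]

if __name__ == "__main__":
    print(executive_summary("Constructed example framework", SAMPLE_FINDINGS))
```

Two design choices matter here: a finding that does not map onto the chosen control catalog is rejected rather than silently included, and a control that was never assessed fails the run instead of being counted as satisfied. Both keep the executive summary honest about which framework it actually measured.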

  4. Show Clients What's At Stake

Make it clear. When identifying risks, quantify them: give the client a sense of what each gap could cost them. Help them realize what's at stake, and put the risk in plain, black-and-white language they understand. If you can show a client that a few hundred exposed credit card numbers and birth dates could cost them several million dollars in fines or lawsuits, your $30,000 engagement looks like a worthy investment.

Hammer the point home with a probability summary. Cyberattacks are on the rise, with a 50 percent increase in 2018. Does your client use IoT devices? Attacks on connected devices increased 600 percent last year. How many mobile devices join their network each day? How many cloud applications do they use? Each of these widens their attack surface.

  5. Offer Awareness Training

The biggest cause of outages and data loss is human error. Most clients inherently know this but do not necessarily want to believe it. Employees are the number one risk to data security, and the best remedy is prevention. Use your position as an expert to offer training sessions that teach data security best practices, such as recognizing phishing and handling sensitive data.

  6. Offer A Continuous Cybersecurity And Compliance Strategy

The era of passive vendor relationships is long gone. You are now an active member of your clients' security cabinet. You need to present them with a strategy that not only shores up their compliance and security but maintains it. Your services should include end-to-end solutions that protect data throughout the workflow, continuous security monitoring, routine pen tests and vulnerability assessments, and a schedule for compliance audits.

  7. Offer Policy Development

A big part of compliance is having established policies regarding data collection, transfer, usage, and storage. You can take this burden from your clients by partnering with a legal firm to draft policies that specifically address the frameworks identified in the beginning of your engagement.

  8. Leverage Referral Partners

If you don't have the infrastructure or resources in your MSP company to launch a full-scale security and compliance service offering, consider partnering with a cybersecurity firm. At Choice Cybersecurity, we offer turn-key solutions and processes that make it easy to deliver the security your clients need. A cybersecurity partner also can refer you to clients for traditional IT services, giving your revenue pipeline an extra boost.

  9. Open Up Multiple Department Budgets

Clients will instinctively think of their IT budget when you broach the subject of compliance and cybersecurity. Your job is to show them that compliance affects multiple departments (marketing, HR, finance, and IT), so the investment can come from whichever budget can afford it, or from all of them.

  10. Show Your Own Level Of Compliance

Finally, when it comes to selling compliance and security, you need to eat your own dog food. Show your own level of compliance: include it in your sales materials and add a page to your website dedicated to compliance. This pays off beyond the security offering itself, because an MSP holds privileged access to every client it serves, and it gives traditional clients confidence that their data is safe with you as their service provider.

Ready to get started? Learn more by watching this webinar.