Compliance Scorecard’s recent acquisition of PrivacyMSP put a spotlight on the trend of offering compliance as a managed service, giving MSSPs and MSPs a way to address a growing concern for businesses in an increasingly active regulatory environment while giving themselves a new revenue stream.
“Compliance services are emerging as a significant and growing revenue stream for managed security service providers,” Tim Golden, founder and CEO of Dover, N.H.-based Compliance Scorecard, told MSSP Alert. “The increasing complexity of global regulatory landscapes and heightened cybersecurity threats drive this trend.”
Golden pointed to SOC 2, HIPAA, and the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program as examples of proliferating data protection laws. He also noted that many cyber insurance policies require companies to adhere to specific compliance standards for coverage and that customers are demanding integrated security and compliance services.
“By expanding expertise, enhancing service offerings, and leveraging advanced compliance tools, MSSPs are well-positioned to transform compliance from a regulatory necessity into a substantial revenue driver,” the CEO said. “As regulatory pressures intensify and cybersecurity threats evolve, MSSPs that embrace compliance-as-a-service can differentiate themselves in the marketplace, foster deeper client relationships, and achieve sustainable business growth.”
Interest is High
Service providers are quickly embracing the idea of CaaS, according to a survey earlier this year by Apptega, which makes cybersecurity compliance software. The survey found that 80% of respondents already offer some form of compliance services, with 15% offering them primarily as a managed service.
Such services dovetail not only with customer needs but also with those of MSSPs and MSPs. About 70% of service providers have at least double-digit revenue growth goals and 75% view compliance as a high-growth business. In addition, 86% want to shift from one-off projects to recurring revenue efforts through “continuous compliance” as a service.
And the need is there, with half of MSSPs and MSPs using spreadsheets to track customer compliance and 85% saying they face “significant challenges” maintaining compliance for customers.
“To overcome these challenges, MSPs and MSSPs are increasingly turning to continuous compliance services — first out of necessity but now as an opportunity,” Apptega wrote in a blog post, noting the percentage of providers who saw compliance as a high-growth opportunity. “But it currently represents a disproportionately small percentage of their overall business and revenue.”
The CaaS market is expected to grow fast, with Introspective Market Research analysts forecasting a jump from $7.55 billion last year to $26.75 billion by 2032.
Compliance Can Be Overwhelming
Regulatory compliance can be a challenge for companies that need to determine which regulations and frameworks they need to adhere to, find the right controls to use and documentation to collect, and run audits, according to SecureFrame, which offers AI-powered automated compliance tools.
“Compliance-as-a-service allows these companies to outsource their compliance needs to experts,” Emily Bonnie, senior content marketing manager with the San Francisco-based company, wrote in a blog post. “They can access the detailed knowledge of compliance service providers to help navigate the cybersecurity and compliance landscape, getting specific advice and best practices tailored to their business needs to streamline the entire process.”
MSSPs and MSPs Step Into the Fray
This is where MSSPs and MSPs can come in, Compliance Scorecard’s Golden said. They can build comprehensive suites that include services like risk assessments, policy development, audit preparation, and ongoing monitoring, and can partner with companies whose platforms can automate many compliance tasks and offer organizations the ability to scale.
In addition, service providers can bring on compliance experts and offer certifications, partner with or acquire companies with the needed expertise and market penetration, provide education content, and market their efforts.
Compliance Scorecard Gets a Boost
For Compliance Scorecard, which already offered governance-as-a-service capabilities, the acquisition of PrivacyMSP bolsters its expertise and service offerings, Golden said. PrivacyMSP’s founder, Brian Blakley, and others from the company are joining Compliance Scorecard, which will enhance its capabilities in compliance, privacy, and security. It also lets Golden’s company create a new Professional Services Division that will provide comprehensive compliance programming tailored for MSPs. Blakley is now Compliance Scorecard’s chief risk officer.
In addition, the company introduced three customized professional services packages – Comprehensive Managed Services, Empowered Self-Guided Solutions, and Collaborative Partnership Model – to give MSPs options for managing compliance. There also is a 12-week “kick start program” for introducing Compliance Scorecard’s offerings to service providers.
“The incorporation of PrivacyMSP’s methodologies enhances Compliance Scorecard’s platform features, task lists, reminders, enhanced assessments, additional policy templates, such as the risk register and write-once-deploy-many policy module, enabling MSPs to manage compliance more efficiently and at scale,” Golden said.