Most organizations have compliance guidelines to meet, from HIPAA to PCI DSS to NIST 800-171, and so on. Some of these frameworks are mandatory while others are optional, but they all share the same goals: to reduce cybersecurity risk and protect sensitive data from exposure. Organizations that fail to heed compliance mandates face negative publicity, regulatory fines, and employee and customer turnover. To mitigate these risks, over 60% of IT managers expect compliance budgets to increase, according to a recent survey by Thomson Reuters.
Managed Service Providers (MSPs) that offer compliance products and services capitalize on a growing portion of IT spend, along with:
- Increased revenue
- Enhanced client loyalty
- Improved margins
- Clearer differentiation
Compliance support through a Security Information and Event Management (SIEM) solution provides visibility and monitoring that can lead to greater IT and infrastructure efficiency and effectiveness. This cements your role as a problem solver and can demonstrate a return on investment (ROI). A decision to add compliance to your portfolio is a strategic one that requires careful consideration. Here are some best practices for leveraging compliance services to grow revenue and enhance your organization’s role as a trusted advisor.
Be Their Trusted Advisor: Organizations Seek Third-Party Compliance Expertise
Government entities, financial institutions, healthcare organizations, retailers, as well as schools and universities are all examples of industry sectors with compliance mandates. While compliance mandates are not new, they have expanded in recent years to shore up defenses in the face of intensified cyber threats. Fines and bad publicity for compliance gaps have also increased as regulators grapple with how to motivate organizations to comply. Given the current security staff and skills gap, many organizations are unsure of current compliance guidelines or how to address them. They are looking for third-party experts that can assist with the regulations and offset some of the inherent risks. Organizations may be looking for expertise for a single project or longer-term continuous compliance assistance.
Leverage Existing Capabilities to Bundle in Compliance
Expanding your portfolio to add compliance need not require “heavy lifting” or a significant investment in time or money. Many of your existing offerings can be repackaged into compliance-centric solutions to get started: patch management, vulnerability scanning, and data backup, for instance. Log management or a SIEM solution can be added to augment your portfolio with a security solution that also addresses compliance mandates. MSPs with the right staff and skill set can also offer a compliance audit that works with clients to assess their readiness and coverage for mandates such as the Payment Card Industry Data Security Standard (PCI DSS). Start small and build successes incrementally.
Set a Compliance Baseline to Surpass
Compliance regulations such as the PCI DSS help organizations build a baseline of security functions to protect cardholder data, but these standards are just the foundation. They are best seen as the minimum set of criteria rather than the most comprehensive rules. Some organizations may perceive that checking off the compliance requirements equals being secure, but compliance is just the starting point. An organization’s end goal is comprehensive protection and security that evolves as threat actors adopt new technologies and as new security gaps are identified. MSPs can embrace security solutions like Continuum Fortify to expand their compliance portfolio with quick time-to-value.
Get Your "House" in Order as a Role Model
There are several steps you can take to build your role as a compliance expert and trusted advisor. First, you must ensure that your “house” is in order and that your security and IT practices are a role model in protecting not only your own network and back-office data, but your clients’ data as well. The SANS Top 20 and the NIST Cybersecurity Framework (CSF) are two frameworks that serve as a foundation for your assessment and security implementation. You may also need additional training and certification to gain the depth of knowledge necessary for success. Here are some resources to get you started:
- HIPAA - https://www.hhs.gov/hipaa/index.html
- PCI DSS (Payment Card Industry Data Security Standard) - https://www.pcisecuritystandards.org/program_training_and_qualification/requirements_awareness
- NIST 800-171 - https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
Teaming up with a Managed Security Service Provider (MSSP) that has compliance expertise or adding proven compliance solutions to your existing portfolio are other ways to demonstrate credibility.
Be a Value-Add Versus Break-Fix
Seize the market opportunity and enhance client loyalty by moving beyond “break/fix” services to more value-added security and compliance solutions. Compliance solutions can complement your existing portfolio and provide a new stream of revenue and clients. Assess your strategic capabilities and look at ways to modify your approach while being realistic about commitment and implementation. You will need to demonstrate credibility and security maturity to gain the trust of risk and compliance decision makers; these are likely the same people in IT that you deal with today as an MSP. Third-party solutions such as Continuum Fortify can accelerate your ability to learn and add compliance support quickly.
Want to take a deeper dive into global compliance regulations and how a SIEM provides visibility and reporting that can simplify audits? Check out our compliance library here.
By Lily Teplow
By Meaghan Moraes