Every Business Needs Compliance Help. Why Isn’t Every MSP Providing It?
Compliance isn’t exactly a new topic in the channel, but many MSPs are barely pursuing what remains a “huge untapped market.”
Is there any managed service out there with a bigger gap between partner enthusiasm and end user need than compliance?
Hard to imagine there is. Sure, 39% of managed service providers globally plan to offer compliance services, if they don’t already, according to Kaseya’s 2023 Global MSP Benchmark Survey Report. Yet just 27% of them list compliance requirements among the IT challenges faced by their clients, and a mere 4% call compliance services a high-growth area in the last year. This despite the fact that the total addressable market for compliance is…big.
“Every single business in the United States and most businesses around the world have to comply with some sort of privacy or cybersecurity regulation,” says Mike Semel (pictured), a former MSP who’s now president of compliance advisory firm Semel Consulting. “It’s a huge untapped market.”
Indeed, global spending on governance, risk, and compliance professional services will grow at an 11.2% CAGR from $9.1 billion this year to $13.9 billion in 2027, according to IDC. And no wonder. In the U.S. alone, all 50 states have some form of breach notification law, eight enforce comprehensive data privacy legislation, and another six have more limited statutes. Businesses worldwide, moreover, will be shelling out over $1 billion a year by 2026 just on fines for violating the “subject rights” requirements in many privacy regulations, according to a Gartner forecast published yesterday.
Regulations are just one dimension of the compliance nightmare too, Semel notes. “Businesses are putting cybersecurity requirements into their contracts.”
So, needless to say, are cyber insurance carriers, which routinely deny claims from businesses with a gap in the security stack their policies mandate. “You’re almost doing a disservice to your customer if you’re not helping them get those controls in place to make sure that backstop is going to be there if they have a problem,” says Val King, president and CEO of security and compliance vendor Ascent Portal.
Providing that help is more than just a one-time revenue opportunity. “The documentation on an ongoing basis is huge,” Semel observes. “This is where MSPs are missing the opportunity, because they can charge extra for that, and it’s really easy and cheap to do, so it can be very, very profitable.”
Don’t forget the project work a thorough compliance service generates either, King notes. “If you’re doing it right, the risk assessments and the baseline assessments that you ended up completing are going to point to holes in the organization that need to be filled,” he says. “They’re going to need multifactor, they’re going to need phishing training.”
So why doesn’t every MSP offer a compliance service? For starters, many IT providers still think only doctors, banks, and retailers need a compliance partner, notes Semel, who, when presenting at conferences, often asks MSPs to raise a hand if they support customers with regulated data. Few typically do. Then he asks them whether their clients have employee Social Security numbers on file.
“Everybody raises their hand,” Semel says. “One of the challenges here is getting everyone from an MSP down to an SMB to understand that every single business has data that’s regulated.”
Keeping track of relevant laws is hard as well, and understanding those regulations is even harder. “It’s a foreign language,” Semel says. That leaves many IT providers worried about making promises they can’t keep, he adds, and rightly so. Most regulations include rules that reach well beyond security controls.
“If you want to learn all that stuff you can, but it takes a lot of time,” Semel warns. Better to bill yourself—very clearly—as a provider of cybersecurity compliance assistance only.
“Stay in your lane is my recommendation,” he says.
Make sure your master services agreement spells out exactly what’s in that lane, Semel counsels, and set strict limits on your liability if something goes wrong. His MSA, back when he was a managed service provider, specified that the most clients could collect in the event of a breach was two months’ worth of whatever they were paying for standard device and network management.
All that said, getting a security-focused compliance practice off the ground needn’t be that complicated. Kaseya, FutureFeed, Apptega (a company we’ve written about here before), and others all have MSP-friendly compliance management solutions, as does Ascent.
“At its bare essentials, what we will do is go through their cyber carrier policy and look at what are the requirements that they’re agreeing to as part of that policy. Then we will create a custom framework of controls just for their cyber policy,” King says. The system checks for ongoing adherence to that framework from that point forward and collects documentation for auditors and insurers. According to King, automated functionality like that is a must in any compliance product meant for MSPs.
“It needs to be very cost-effective, it needs to be very simple and intuitive, and it needs to take not one second longer than necessary,” he says. “At the end of the day, who wants to do compliance?”
Meet the new EDR/MDR remedy for security headaches from Malwarebytes
It’s been a busier than usual week for Malwarebytes, which announced the acquisition of online privacy vendor Cyrus yesterday and the introduction of a new endpoint security solution three days before that.
Called EDR Extra Strength (the allusion to over-the-counter pain relievers is intentional), the new system is less a product than an integrated bundle combining the vendor’s EDR, vulnerability assessment, and patch management tools with an automated, entry-level managed threat hunting service.
“We’ll go through all of those alerts and scans, we’re going to prioritize them, and we’re going to deliver them back with some guidance on how to go back and attack those threats,” says Brian Kane (pictured), the company’s global director of MSP programs.
The system is designed to provide a new intermediate option, Kane continues, to businesses that want something more robust than stand-alone endpoint protection but aren’t ready to invest in an MDR service.
“We saw a gap between endpoint and EDR over here and then full-on SOC managed security,” he says. “There’s a huge space in the middle.”
All of the system’s functions share a single 16 MB agent controlled by a consolidated, intuitive interface. According to Kane, that’s not the only way it aims to make life simpler for MSPs and end users. By combining multiple services in one package, he notes, EDR Extra Strength spares companies the hassle of researching, procuring, and connecting products from multiple vendors.
“A lot of them are a bit flustered with the overwhelming amount of solutions that are out there,” Kane says. “Sometimes they’re kind of like, ‘man, can someone just make this a little easier for us?’ And so that’s what we’re trying to do.”
Malwarebytes is not the only vendor to embrace that strategy. Acronis, Sophos, and Trend Micro are three of several vendors that have offered tightly intertwined, multifaceted portfolios for years. Barracuda just rounded out its growing XDR solution with optional cyber warranty coverage, as regular Channelholic readers know, and SonicWall will be rolling out new SASE, XDR, MDR, and SD-WAN services soon. Though some buyers worry about betting everything on any one vendor, Kane observes, more and more of them are recognizing the benefits that a Swiss Army Knife approach to security can deliver.
“It's just simpler,” he says.
As long as we’re talking about Malwarebytes…
That new security scorecard solution we told you about here in June is available for sampling now.
“We’re kind of soft beta launching it,” Kane says.
Named Security Advisor and available for Windows and Mac, the system assesses a user’s current posture, suggests ways to improve it both immediately and over time, and helps them report on it to others. Screen shot below.
Zift Solutions is investing in customer success
It’s been something of an open secret among those who know her for weeks, but only became official today. Kris Blackmon, who formerly ran the MSP 501 program for Channel Futures and was more recently chief channel officer at consultancy JS Group, is now head of channel communities for Zift Solutions, a maker of partner relationship management and marketing automation software.
The key word in that title (a brand new one for the company) is “communities.” Zift’s customers are vendors, but its customers’ customers are MSPs. Blackmon’s duties will include being active wherever both groups gather, in a bid to help the vendors Zift supports better understand the MSPs they sell to.
Many of them have a lot to learn, Blackmon (pictured) says. “Vendors want to market their solution. They want to put out product slicks and speeds and feeds and marketing collateral that just deals specifically with their product or service,” she says. MSPs are more interested in growth strategies, operational best practices, and service delivery.
“It’s a challenge for vendors to switch to that mindset,” Blackmon notes.
She’ll also, of course, be showcasing Zift to vendors and ensuring that vendor voices are heard regularly by peers in leadership via advisory boards and user groups. It’s all part of a broader customer success initiative that includes the appointment four months ago of Cosmo Mariano as the company’s first-ever chief customer officer.
“We have high interest and a good size customer base of new entrants into the channel, people who don’t really understand what it takes to build out a channel,” Blackmon observes. Zift’s now staffing up to teach them.
AI giveth and AI taketh away
Is artificial intelligence protecting businesses from security risk or exposing them to it? Yes, suggest two studies published this week.
Or rather, both. On the one hand, Barracuda says that AI-based threat detection helped it successfully classify 99.9% of the nearly 1 trillion IT events it tracked in the first half of this year as benign. On the other, 75% of U.S. security pros recently surveyed by Sapio Research on behalf of Deep Instinct saw an increase in attacks over the last 12 months, and 85% of them blamed bad actors using generative AI for the uptick.
Kane, of Malwarebytes, figures AI is doing more good than harm in the final accounting at present. “It doesn’t solve everything,” he says, but “it helps us to be better at some of the things that we were doing before. It gives us a little, slight edge.”
Also worth noting
SonicWall’s Capture Client EDR solution now integrates with Liongard’s Configuration Change Detection and Response platform.
Trend Micro has a new partner program for MSSPs.
Auvik’s network management and SaaS monitoring software is now available through Jenne.
TD SYNNEX is doing data migration, with help from MinIO and Western Digital.
Syncro’s on sale! Through the end of the month anyway.
GoTo has a new CMO.