From MSSP to MCCP: How Compliance as a Service Can Help You Win New Business and Better Serve Existing Clients
The lines between cybersecurity, privacy, risk management, and compliance are no longer straight and clearly delineated. Long gone are the days when IT teams could tackle all things security-related while privacy and compliance officers stayed in their siloed departments to handle theirs.
Today, the lines between these once disparate workflows are blurred, and for true operational resilience, organizations must figure out how to successfully navigate this new, intertwined reality.
Managing this new convergence is a challenge for organizations of all sizes. Small teams may struggle to access the resources, finances, and skilled professionals they need to do it all. Larger teams may have access to the people and the money they need, but may struggle to know how to manage it all effectively and in a timely manner, especially when the threat landscape continues to evolve and compliance and regulatory standards change with it.
That’s why a growing number of organizations are now turning to either managed services providers (MSPs) or managed security service providers (MSSPs) to help them get their arms around the bulk of their security program management.
But it’s not a problem unique to MSP and MSSP clients. Just like their clients, MSSP and MSP internal teams are learning firsthand how blurred the lines between security and compliance have become, because for most of them, core service or security work now crosses over into compliance and vice versa. This raises an interesting conundrum: if you’re handling one service for your client and the client or another MSP is handling another, how much is lost in translation? How much does compliance risk increase when one side doesn’t have clear visibility into what the other is doing?
As a result, a new area of expertise and need is emerging—compliance as a service (CaaS). Together with existing security offerings, it’s creating a push into a new service category for the most innovative MSPs and MSSPs—managed cybersecurity and compliance providers (MCCP).
The New MCCP
In the heart of the pandemic, back in 2020, CyberTheory released a marketing research report describing this new normal of managed security and compliance services. The report highlights two pandemic-era trends reflected in the rapid adoption of, and increasing complexity in, the technologies used to run modern businesses: growth in managed security services, and more demand across industries for help with complex compliance.
As we’ve seen in recent years, as the threat landscape expands and attackers hone their skills with more frequent and more sophisticated attack methods, many organizations simply don’t have the resources to keep up with emerging threats. Oversight groups and regulators are taking note and, in response, are issuing more compliance requirements and other mandates to protect sensitive data.
The situation is further complicated by how difficult it is for many organizations to find skilled cybersecurity and compliance professionals. As that skills gap widens, and breaches and record exposures increase, more organizations face more industry and regulatory pressure. It’s getting increasingly hard for in-house teams to keep up.
For example, back in 2018, only one state, California, had a comprehensive state consumer privacy law on the books. Virginia and Colorado soon followed. Today, another six states have privacy-related legislation in committee and several others are discussing state-based laws. Will more state cybersecurity legislation be next?
This is just one example of the burgeoning compliance complexities organizations face today. Many organizations, especially small and mid-sized businesses (SMBs), simply don’t have the resources, skills, or desire to manage it all. This is opening doors for MSPs and MSSPs willing to step up and manage both security and compliance needs for their clients.
What is CaaS and What Does it Look Like for MSSPs?
Similar to security as a service, compliance as a service is a way MSSPs can help clients manage all of their compliance and regulatory requirements. This is often a cloud-based offering; however, some MSSPs or MCCPs may have the capabilities and relationships to offer a hybrid on-premises/cloud model.
In CaaS, the MSSP typically offers some combination of software, oversight, and consulting services to help the client manage compliance and regulatory mandates. This might include developing governance strategies, policies, and procedures, or designing controls and other processes that meet compliance and regulatory requirements. Additional services may include audits and internal or external testing to verify that compliance controls function as expected.
While an MSSP may work closely with a client’s compliance officer, in most cases the MSSP also has access to the client’s systems and processes so it can manage and evaluate program performance on an ongoing basis. Because that access makes the provider part of the client’s control environment, it should be scoped and agreed in the engagement contract rather than granted informally.
It also becomes the responsibility of the MSSP/MCCP offering CaaS to stay current on new and changing regulatory and compliance requirements for its clients, and to work closely with each client to ensure that systems and processes are updated in line with those changes.
This alone takes a great burden away from clients who may not have the time, resources, or skills to stay ahead of the changing compliance landscape while actively trying to meet current requirements.
A Case Study in CaaS
One of Apptega’s partners, Abacode, is pioneering what it looks like to offer CaaS, and it’s embracing this MCCP approach to security and compliance convergence.
Abacode is an industry-leading MCCP based in Tampa, Florida, and Apptega serves as the core of its compliance portal and its offerings for security, risk assessments, and compliance management.
Interestingly, Abacode first used Apptega for internal processes and programs, but quickly realized it could put Apptega to work for its clients, too, strengthening its service offerings by ensuring cohesiveness between clients’ cybersecurity and compliance needs. Abacode credits the partnership with Apptega with playing a significant role in its ability to retain existing clients, expand offerings, and continually win new client relationships.
The Role of CaaS in MSSP Success and Scaling
The reality for today’s MSSPs is that managing security and compliance as separate workstreams is complex. It’s time-consuming. It’s expensive and it consumes a lot of resources. The key to success, today and going forward, is to figure out how to deliver these services as one more effective offering.
By managing CaaS and security as a service under one umbrella, MSSPs or MCCPs like Abacode can offer clients substantial cost savings by doing cross-service work more efficiently, with less complexity and fewer operational burdens. And with Apptega, the roadmap for this convergence doesn’t have to be complex from an MSSP standpoint.
First, Apptega’s multi-tenant platform was built for MSSPs by professionals who have decades of experience managing the complexities of security and compliance. The Apptega team has built a solution that enables MSSPs to manage each and every client’s cybersecurity and compliance programs—down to the control level.
Today there are more than 25 mappable industry frameworks (and growing) within the solution, ready for immediate use. Real-time compliance scoring means that as soon as you’re set up, you get instant insight into how well each client meets compliance and other requirements, can identify gaps, and can even get recommendations on how to remediate them.
For more difficult or specialized needs, the CyberXchange Marketplace can directly connect you or your clients to a range of resources and tools that help fill compliance or other service gaps.
But the real benefit of offering CaaS as an extension of your existing MSSP services isn’t how much the Apptega solution simplifies compliance and security management, for example with its customizable reports and program management automation. It’s what it can do for your business.
With Apptega, your MSSP can offer clients expanded services through CaaS. Think of this as a way to upsell existing clients into services that actually have value to them. For example, you can quickly identify gaps in a client’s security and compliance programs and then offer solutions, like CaaS, to close those gaps, at lower cost, with less time and fewer resources, and with more expertise than they can muster on their own.
Think of CaaS as an opportunity to increase revenue with your existing clients. Instead of just offering a one-and-done consultative service that finds those compliance gaps, you can also offer a solution, on an ongoing basis, to close those gaps and keep moving forward to ensure all compliance and regulatory objectives are met, no matter how the business or those mandates evolve over time.
It’s also a great way to attract new clients. As the CyberTheory report showed, a growing number of organizations are looking for a single solution to handle their cybersecurity and compliance needs. Evolving from an MSSP to an MCCP with a CaaS offering, using the skills and resources of your existing team members, gives you new opportunities to win new business.
With a CaaS offering, your MSSP can close the gap that’s traditionally been created by that siloed approach to security and compliance. Help usher in this new era of convergence with a single solution that can do it all—for you and your clients.