Continuous compliance is an onramp to high-margin revenue acceleration

July 11, 2024
Providers are seeing opportunities to deliver compliance in a way that not only enables growth for their clients but also amplifies their own.

Growth and compliance. They go together like chocolate and mayonnaise. Coke and Pop Rocks. Yoko and The Beatles.

The two concepts are, at best, traditional frenemies – one a restrictor plate to the other’s race engine.

But where many organizations view compliance as a cost of doing business, the managed service and security providers increasingly tasked with helping fulfill those obligations see an opportunity to flip the construct on its head: to deliver compliance in a way that not only enables growth for their clients but also amplifies their own.

Over the last several years, as the regulatory landscape has grown more complex and the cyber threat landscape more treacherous, service providers have increasingly dipped their toes into the business of compliance – first out of necessity, because their clients either inquired about or demanded it, but now more so out of opportunity. 

I define compliance broadly as the ongoing assessment, remediation and management of the processes, policies and tools that go toward fulfilling the controls of regulatory, privacy and security frameworks. For businesses, of course, the work, without proper tools, usually proves painstaking and tedious: carried out in formula-heavy spreadsheets, folders littered with redlined documents, and in any number of evidence repositories, be they HR systems, ticketing systems or collaboration hubs like Slack. 

But while compliance is often, yes, an imposed obligation, there are also clear business advantages to aligning with “best practices” frameworks – for instance, an edge in a competitive deal, accelerated sales cycles, investor confidence, better insurance rates and a higher likelihood of coverage in the event of a breach.

Service providers increasingly recognize these opportunities and are positioning themselves to capitalize on them, not just in a one-time advisory capacity to their clients, but as partners that own continuous monitoring, testing and management year-in and year-out.

This move to bolt on another prospective managed service – let’s call it “continuous compliance” – coincides, perhaps not coincidentally, with a spate of industry M&A, an influx of private capital and, relatedly, consolidation that will only accelerate as legacy IT providers faced with eroding margins look to sell or go out of business, and the larger, more well-rounded players seek acquisition or exit.

In this environment, where growth is at a premium, those who control the spice control the universe. And in this case, the spice is recurring revenue, margins and retention.

In continuous compliance, service providers who invest in the appropriate technology have a new productized recurring offering with which to go to market – for instance, a CMMC bundle that navigates a client toward alignment with the Department of Defense’s emerging cybersecurity regulations – but also, crucially, a completely unbiased way of showing the value and ROI of the high-margin security services they offer, both to prospective clients and throughout the lifetime of the relationship.

It is, after all, security products and services that go toward satisfying many of the controls associated with compliance and security frameworks. With the appropriate technology, such as continuous compliance platforms that automatically map products and services with the controls they fulfill to show real-time health and scoring, service providers can tap into another powerful vehicle by which to deliver their bread-and-butter services.

The upside is enormous. Bundled with security, a productized continuous compliance offering yields:

  • Higher margins by increasing consumption of security services and eliminating many of the manual tasks associated with compliance, such as task tracking and report building.

  • Higher recurring revenue from ongoing services and product delivery that go toward achieving and maintaining the compliance outcome.

  • Lower client churn because it is much easier to keep a client when they have an annual audit to pass or otherwise need to maintain compliance over time – not to mention when your technology systems are heavily intertwined and you have access to sensitive data that can be used to surface new opportunities.

And, crucially, continuous compliance provides a platform for ongoing value conversations based on real, measurable business outcomes. It moves the conversation from “You need our managed detection and response services. Trust me.” to “You need our MDR services – as you see, they fulfill 27% of the controls associated with ISO 27001.”
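To make the mapping-and-scoring idea from the two passages above concrete, here is an added illustration in Python. It is not Apptega’s code or any vendor’s platform; it maps delivered services to the controls they satisfy, reports coverage and gaps per framework, and, going one step beyond the text, treats a control as healthy only while its collected evidence is fresh, which is what turns a point-in-time assessment into a continuous one. The framework, control IDs, service names, evidence dates and the 30-day freshness window are all constructed placeholders, not real framework text.

```python
"""Control mapping and continuous-health scoring (constructed illustration)."""
from datetime import date, timedelta

# Constructed framework: placeholder control IDs -> short description.
FRAMEWORK = {
    "CTRL-01": "Asset inventory",
    "CTRL-02": "Access control policy",
    "CTRL-03": "Logging and monitoring",
    "CTRL-04": "Incident response",
    "CTRL-05": "Vulnerability management",
    "CTRL-06": "Backup and recovery",
    "CTRL-07": "Security awareness training",
    "CTRL-08": "Vendor risk management",
}

# Constructed mapping: a delivered service -> the controls it helps satisfy.
SERVICE_MAP = {
    "MDR": {"CTRL-03", "CTRL-04"},
    "Vulnerability scanning": {"CTRL-05"},
    "Managed backup": {"CTRL-06"},
}

# Constructed evidence register: control -> date evidence was last collected.
# CTRL-06 is mapped to a service but has no evidence on file yet.
EVIDENCE = {
    "CTRL-03": date(2024, 7, 1),
    "CTRL-04": date(2024, 5, 20),
    "CTRL-05": date(2024, 7, 10),
}

TODAY = date(2024, 7, 11)                 # assessment date (constructed)
MAX_EVIDENCE_AGE = timedelta(days=30)     # freshness window (assumption)


def controls_fulfilled(service_map, services):
    """Union of the controls that the selected services map to."""
    fulfilled = set()
    for name in services:
        fulfilled |= service_map.get(name, set())
    return fulfilled


def coverage(framework, service_map, services):
    """Percent of framework controls mapped to at least one selected service."""
    fulfilled = controls_fulfilled(service_map, services) & set(framework)
    return round(100.0 * len(fulfilled) / len(framework), 1)


def gaps(framework, service_map, services):
    """Sorted list of framework controls no selected service maps to."""
    fulfilled = controls_fulfilled(service_map, services)
    return sorted(c for c in framework if c not in fulfilled)


def health(framework, service_map, services, evidence, today,
           max_age=MAX_EVIDENCE_AGE):
    """Per-control status.

    'healthy': mapped to a service and evidence collected within max_age
    'stale':   mapped, but evidence is missing or older than max_age
    'gap':     no selected service maps to the control
    """
    fulfilled = controls_fulfilled(service_map, services)
    status = {}
    for control in framework:
        if control not in fulfilled:
            status[control] = "gap"
        elif control in evidence and today - evidence[control] <= max_age:
            status[control] = "healthy"
        else:
            status[control] = "stale"
    return status


def health_score(framework, service_map, services, evidence, today,
                 max_age=MAX_EVIDENCE_AGE):
    """Percent of framework controls that are currently 'healthy'."""
    status = health(framework, service_map, services, evidence, today, max_age)
    healthy = sum(1 for s in status.values() if s == "healthy")
    return round(100.0 * healthy / len(framework), 1)


if __name__ == "__main__":
    services = list(SERVICE_MAP)
    print("Coverage (mapped):", coverage(FRAMEWORK, SERVICE_MAP, services), "%")
    print("Health (fresh evidence):",
          health_score(FRAMEWORK, SERVICE_MAP, services, EVIDENCE, TODAY), "%")
    print("Gaps:", gaps(FRAMEWORK, SERVICE_MAP, services))
    for control, status in health(FRAMEWORK, SERVICE_MAP, services,
                                  EVIDENCE, TODAY).items():
        print(f"  {control} {FRAMEWORK[control]:<30} {status}")
```

The distinction between the two percentages is the point: the mapped coverage (50% here) is what a one-time advisory engagement reports, while the health score (25%) drops as soon as evidence ages out or was never collected, which is the signal a provider needs to keep a client audit-ready between assessments.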

Beyond that, working with clients to achieve compliance outcomes and security posture health returns service providers an important ancillary benefit: CYA.

Lawsuits against MSPs and security firms arising from client data breaches, as the ongoing dispute between a Maine-based IT consultancy and the Berry Dunn law firm attests, increasingly put the onus on providers to show they took appropriate steps to advise and help safeguard their clients. Mandating that clients align with a best practices framework like CIS, an increasingly common practice, certainly helps.

Compliance, to be sure, is one of many potential avenues to the business goals all managed service providers seek to achieve: higher quality revenue, profitability, go-to-market efficiency, more protection from existential risks. But those aims have arguably never been harder to achieve, nor the stakes of achieving them higher.

A recent Apptega survey of 115 service providers, from 20-person IT shops doing $5 million a year to some of the largest XDR providers in the world, found that nearly 70% face expectations of at least double-digit annual recurring revenue growth. About half also said they were “unlikely” to hit those goals.

Then there’s this: The same report showed that three in four providers view continuous compliance as a high growth area, and 9 of 10 said they had a strong desire to convert one-time advisory work associated with compliance into recurring revenue.

Clearly the appetite on the provider side, and the demand from clients, only grows – and will presumably continue to as regulatory, privacy and security regimes evolve and intersect. According to Grand View Research, the global enterprise, risk and compliance market (a slice of the overall compliance and security posture management pie) hovers around $55 billion and is projected to grow 14% annually through the end of the decade. 

What remains to be seen is whether managed service and security providers can fully capitalize on the opportunity. The Apptega report, on the flip side, found that 85% of providers face “significant challenges” delivering continuous compliance.

For those that overcome the technology, resource and expertise constraints, the spoils are many – and there for the taking.

About the Author

Dave Colesante | Chief Executive Officer at Apptega

Chief Executive Officer at Apptega, Dave Colesante is a seasoned security executive who brings more than 30 years of experience in technology, operations and cybersecurity to his role. A veteran of several high-profile managed security providers, he most recently served as the COO of Securonix, where he led the changes to build and scale a successful SaaS SIEM company that was acquired by a large software-focused private equity firm in 2022. As COO of AlertLogic, one of the industry’s first SaaS-enabled managed detection and response providers, he was instrumental in scaling the company's operations prior to its acquisition by a large New York-based private equity firm in 2013. Colesante also served as CTO and COO of a leading managed service provider, VeriCenter, which merged with SunGard in 2007.