Cascading compliance requirements impact your MSP business
In this video, Brian Blakely and Wes discuss the importance of compliance for MSPs and the challenges it presents. They delve into the growing demand for MSPs to adopt compliance frameworks like CIS controls and the potential risks of not aligning with these standards. The conversation highlights the critical role of compliance in maintaining client trust, reducing business risks, and staying competitive in a market increasingly focused on regulatory adherence.
- The importance of compliance for MSPs is growing, as clients' audit requirements increasingly involve MSPs. MSPs need to be proactive in adopting compliance measures to maintain competitiveness and avoid losing clients.
- Compliance is not just an expense but an investment that can differentiate an MSP, improve customer retention, and increase the value of the business, especially during mergers and acquisitions.
- MSPs should align with a control framework like CIS controls to simplify compliance across multiple frameworks and prepare for future regulations. Continuous monitoring and evidence of compliance are crucial for meeting audit requirements.
Video Transcript
Welcome, everybody. Happy Monday. And, uh, we have got a treat with Brian Blakely back in the house with us. We'll get to what we're gonna be talking about momentarily. Um, got an announcement or two. But Wes, you're at MSP GeekCon. I am, um, talking behind stage a little bit about it, but, um, I, I'd love for you to give, uh, some of the, uh, I guess, facts and what's so unique about this. Uh, Yeah, for sure. Well shout out to the entire MSP geek community, right?
Like, um, they're all just way over here. I can't quite point to, I went to a find a nice quiet place, but John Strand is, um, currently speaking, which is the coolest, right? Um, and what's neat about it, Andrew, is not only do I love grassroots, like of the community of the MSP for the MSPs, it's a lot like Right of Boom in that same ethos. What's cool is, I was talking to Kyle Spooner about this, and I didn't know this. 53% of the people that are here have never been to a conference before.
Wow. Tell me that's not the coolest thing ever. Um, I think what we're really going for is like really getting a lot of technical folks that like, just really want to learn and grow and, and get salted into the rest of the community. I think Spooner also said like, uh, somewhere around 20% are not even members of MSPGeek, so it's kind of, it's a really cool conference. Really, really love the grassroots approach to it. 300 people here, it's awesome. Big fan.
Wes, what's the, um, maybe just high level, what is the genre? Like, what are the, what is the goal of the event? The goal is sort of like, you know, first of all, it's a, it's the very first MSP geek, like, you know, large scale national meetup of sorts, international 'cause Kelvin's here, right? And others. Um, but also I think it's a lot of, like, a lot of the talks are driven around like how to go from help desk to leadership.
You know, what does it look like in your role and how do you grow into that? And modern MSPs, how do we give them a route and plan to grow? Like it's really, really good content across the board. I'm gonna be speaking here in a couple hours and I'm gonna be talking about like demystifying the snake oil in, in cybersecurity, and, you know, how do you go through that journey? It's gonna be really, really good. So there's none of that. It's just awesome. There's none of that.
There's no, There's never been A, you know, there, well, the thing is all these vendors with a hundred percent security, right? Yeah. So like, what need do we have? You just pick your one vendor and you're good to Go. Yeah. Hundred percent. Yeah. Very, very good. Um, all right. And, uh, okay, Eric, Eric, um, Monroe's got somebody there, so, uh, yeah. Awesome. Alright, quick announcement or two.
Um, I put it in the, uh, and I talked about it last week and I put it in the call to action below the green thing there. Tomorrow I'll be moderating a, um, uh, one of the first of three, uh, uh, webinars with, um, John Barrows. And, and in this one we'll also have Jim Lippy, CEO of SaaS Alerts. And, um, Charlie Teo, the CRO of roost. And, um, I'm really, really, uh, I, I would say I'm not at all up to speed Brian and Wes where I should be on AI.
I'm trying to, you know, read and learn as much as I can. But, um, John Barrows is, has been on top of this from the beginning. Um, he is, I call it the sales trainer to the stars. You know, you're talking the biggest, the big SaaS companies on the planet. Um, and he is watching it dramatically, right? With the companies, the leading companies change, how they do business, how buyers buy, how sell or sell.
And, you know, I would highly encourage MSPs to attend this, because if you're ahead or, you know, I would say on the leading side of this, I think it can really help your business. I think if you're a laggard, I, I wouldn't want, I would not wanna be a laggard in the sales side of this sales and marketing piece of this. A lot of things you can be, you know, kind of the crossing the chasm you can kind of stay behind and let others jump over first.
Um, this is something I don't think you want to stay behind on. Um, that's just my perspective. But, so this will be the first of, uh, like I said, three. So I would highly encourage you all to attend. All right, so let's get on into it. Um, before I introduce Brian, if you haven't heard of him before, I'll just kind of set the stage. Brian, um, is no stranger to MSPs. He's interesting in that. And he'll tell you that, you know, it's not often you see a security person become an MSP.
So kind of a little reverse angle at it. Brian's been in this for a while, owned a number of MSPs, then, um, actually a, a company that, um, was, uh, led a team of virtual CISOs, and I'll let him tell the rest of the story, but he puts up a lot of, I would call muses and blogs in social media, LinkedIn particularly. And this one really grabbed my attention, and it was, um, basically, Hey, MSPs, um, compliance is here.
Compliance is going to come to is, is gonna get you basically the boogeyman's here. And he's like, but now that I've got your attention, um, we're going to, uh, demystify or delve into what this was about. And, and it was a really fascinating article. I'll make sure at the end I post it. So I don't want to give it all away right now, because there's a lot to unpack here that, that Brian put out. So Brian, with that, awesome to have you back.
Um, as, as you always do, resting, just taking it easy. Um, you, you start a company and then you get acquired faster than you ever think possible. It always happens to you. It's really interesting. So it's going on. Yeah. And I've screwed it up probably more than I've got. Got it. Right. You know, I think I've got it right the last few times, but, uh, wisdom, right? But, but, uh, Andrew, thanks for the introduction and, and, and again. Wow. Just thanks Andrew. Excited to be here again.
Invited back again. So excited about that. And, and I get to share a topic that I'm passionate about, right? And I'll say it out loud, compliance, right? I, I know a lot of times when you, when people hear the word compliance or audit, their sphincter tightens a little bit, right? They get a little uncomfortable. Uh, but, uh, more importantly, and you, you just introduced this and set it up, Andrew, I wanted to talk about the impact of compliance on our MSP businesses, right?
And it's a bit of hyperbole at first, kind of get your attention and, and get woke, uh, right? But I, I think really understanding it and starting to put the right things in place and being an intentional about it is the smart, smart, smarter approach, right? Don't get daunted, don't get left behind like you just said, right? Is, is, uh, important to, to note. But before we dig in, I do wanna say thank you, uh, Andrew.
Uh, everything you do day in and day out for the MSP community, both of you, Andrew and Wes, you, you guys are both heroes in the, in the MSP community and, and amazing humans to boot, right? Big bonus there. So, again, uh, thank you. I'm always genuinely humbled and honored when, when Andrew reaches out and invites me to this call. So excited. I, I do wanna take a couple minutes and share a couple of nuggets, uh, from my journey. Definitely.
I'm not gonna bore you with a bunch of, you know, where I was born and all that kinda stuff, but maybe jump right to a couple of useful things. And I think what I've learned most from my journey over the years is to, to never stop learning, never stop reinventing yourself, right? I, the more I, I learn the dumber I feel, and it sounds kind of backwards, but it, it, it really is.
And I don't know if you know what I mean there, but something I've really discovered even more recently, really over the last several few years is about myself, is that I learn the most when I try to simplify complex topics for other people that aren't in the industry, or don't live and breathe this stuff, I try to simplify that in a way that they can understand. So when I'm leading, when I'm mentoring, when I'm teaching others, I begin to gain the most comprehensive understanding of the topic.
Uh, when you, when you go through that process, you're like, wow, I, I've taught it to somebody else. I've, I've opened somebody else's eyes 'cause I did it in a way that they could understand and relate to. And that's where I realized I've, I've mastered a, a specific topic. So hopefully that that makes sense. I encourage everybody out there listening today, if you really wanna understand a, a topic, simplify the topic and, and mentor others, take that time. It's, it's changed my life. Yeah.
I, I, I, I would say you and Wes do that very, very well. First of all, thanks for the compliment, Brian, humbled for you to say that. But it, it is an art to be able to take something very complex, especially security and synthesize it down that people can understand. Um, so thank you for doing that, Wes. You do it really well. So, um, Wes, let me let you take, take things, kick things off here. Um, I got a poll I'll put up momentarily as well.
Um, but this one really fascinates me, Wes, because compliance and regulation has, in essence, it's a supply chain, almost a reverse supply chain, isn't this, isn't it, Wes? It, yeah, it can be. And I'm, I'm eager to see the results of this poll question just to kind of see the cadence of, of where we're at. And you know, this is, is Bob Miller said a hundred percent involved in all of this, right? Like, this is the future for MSPs, a big component of it. So, uh, yeah, this is gonna be good.
Awesome. Awesome. Let let you, let's let you kick it off. Wes, I'm just gonna put, okay, yeah, please. Yeah, please do. So we'll, um, make sure you guys listen to or answer this poll. Don't be our, uh, 2020 answer poll results. Let's get as many people as we can here. So, um, Brian, if anyone doesn't follow you on LinkedIn, first of all, they need to, right? Because I love your posts.
Um, anytime they seem to come in, they're always really thought provoking, and just the way you write them is very readable as, as Andrew just mentioned. And, um, absolutely love that because, um, man, it's chock full of really good content. So in the spirit of Gary Pica, get us on the fairway of the, the why behind your article. Good. Gary's here in, in spirit. That's good. Yeah.
Uh, so in any event, you're, you're, you know, the why behind it, and I think it's always important, the why really Wes, uh, behind, uh, the why, the motivation really behind most of my posts, not just the one we're talking about today, is to try to try and help or share wisdom, right? We've all messed things up or failed or wish we could go back in time and do things differently or more effectively or more efficiently posting those types of insights.
Or in some instances, my screw ups uh, kind of allows others to, to share from, from my experience. And I think learning from learning from your own mistakes is expensive, right? It's time consuming. But, but reading and learning from others' mistakes and insights, well, I, I think that's quicker and, and cheaper. And you ask specifically around the why behind the compliance on, on MSPs. Quick story.
I was, I was just writing that post, I had just gotten off the, off a call with a client's auditors, right? We do a significant amount of compliance readiness work and the areas where we're helping to scope our ISO 27001 or SOC 2 Type 2, or fill in the blank StateRAMP, FedRAMP audit journey with their audit firm. And clients' auditors are really good these days. They ask really probing questions about your role.
The MSP's role in our client's environments, the intensity and detail of the auditor's scoping questions are evolving to match the risk, right? That's what auditors are trying to evaluate and test the controls we have in place to mitigate or shrink risk. So it's intensifying. And, and over the years, I've, I've led hundreds of these audits, but in the last couple years, auditors scoping questions have really changed where MSPs are involved.
The questions used to be more peripheral or service level. Do you have an MSP? What do they do? That kind of thing. But the last few years, MSPs have come under, come under a lot more of the, uh, client audit scope and scrutiny and friends MSP friends, if you remember nothing else from this call today, please try to remember this. Your client's audit journey and scope involves you and will involve you more in the coming months and years.
You'll be under your client's audit firm's microscope, and the auditor's crosshairs are pointed firmly in your direction. This is not going away. In fact, from my viewpoint perspective, it's intensifying. So do you wanna be the reason, and this is a rhetorical question, but do you wanna be the reason your, your client fails an audit or has material findings or exceptions in their audit report? Not a cool place to be. Right?
How would you, how would your client feel about you if you caused them to, to fail an audit? My why behind the article, Wes, was to warn MSPs not to keep kicking the can. We all do this, right? Priorities, competing priorities, dollars, all that. We kick the can down the road for our own stuff, right? And compliance and audit journeys fall in that. So stop waiting for next year.
Stop waiting until you have some sort of contractual obligation from a client that takes you kinda kicking and screaming into, into the, an audit, right? Be intentional and plan your compliance journey, your clients, you know, from my my perspective, again, your clients' auditors are asking your clients' questions about you. I mean, I, I'm a bit jaded, I see it every day. But auditors ask your clients about the specific services you provide and the nature of the data you handle.
Your client's auditors are, are asking them if you manage or, or do you impact systems that store or process or, or, or transmit data that you handle that's, that's in scope for the audit. And of course, do you, of course you do. And, and you know what, that's increasingly putting your MSP business in the boundary, in the scope of your client's audits. So you, do you ma do you manage clients', uh, servers? Do you provide cloud services? Do you manage your client's security controls?
Do you provide services that directly impact your client's security, confidentiality, availability, processing integrity, data privacy, right? Those are all TSCs in SOC 2. So what, consider yourself hopefully beginning if you haven't already, to wake up a bit because compliance is coming for you and your MSP business. So Wes, the why for the post was to create MSP compliance awareness, and hopefully to incite action in those that haven't already taken action.
So winter is coming and also compliance is coming, right? Uh, yeah. And so you're right.
And I love that analogy of you cannot continue to kick this can down the road because eventually you sort of like walk off a cliff, you reach a point of no return where the client comes back to you and says, as happy as I am with like your pricing and you know, how good attentive you've been to my help desk tickets and your VCIO process and all of these things, ultimately, you can't help us with the thing that's most critical to us, um, which is gonna get us in legal hot water.
It's gonna cause us to lose contracts. It may get us fined, you know, we're talking about systemic business level risk. So maybe just a quick follow up in 30 seconds if I'm an MSP and I hear that and I'm like, okay, I'm not really that involved in like this compliance stuff and I need to get started in it. How do you, what's the first step there? Yeah, I think the first step was, is really determining what your client's audit requirements are.
What are you hearing or seeing within your, your client base? It's gonna be the top five or 10 clients usually that they sell. Usually the client, uh, the persona is your client isn't necessarily a gigantic company, but they sell into regulated or larger enterprises that are pushing down compliance requirements down to them.
So I would look at, and we could talk a little bit more about this too, but I would look into, you know, um, uh, for, especially for yourself and your MSP business, adopting a set of controls that are gonna be portable to multiple frameworks. I think if you get in bed with one like your all PCI all the time, then you're playing whack-a-mole with your client needs and requirements.
And I, and I, I do think in, in in ISO or depending upon the type of services in MSP, determining your own scope, more importantly, what, what are your clients today and your future clients, whatever industry you serve, what's important to them? Because you're gonna need to mirror or be able to show that your controls are operational effective to those or similar type of frameworks. Okay? So you need to start asking the questions.
If you're an MSP today listening, you gotta start asking the right questions. You gotta start gathering that data from your clients. You can't assume it, you've gotta start a control framework alignment journey, which should be comfortable for you. 'cause we've been talking about this for years now on cyber call. So those of you that have started down that journey, good for you. If you're newly listening to us in cyber call, you need to go pick that.
And I love what you said, because those a good, like a CIS one of those type, NIST, whatever it is. But CIS as you guys know, our prevalence towards liking it, it cross maps, crosswalks into so many others. So really, really well said.
So I happen to believe, Brian, that we're actually in the beginnings of this, not the ends of this and points that I would make to test that theory would be, I'm seeing a lot of, like these VCIO platforms kind of come out around like a lightweight, here's how we can help you in your compliance journey. I think that's great, right? Like I, yes, we're seeing a plethora of them. I don't think that's a negative.
I think that's a positive because it's showing that there's some market demand for MSPs to solve this. We all know that you can't just go and choose a vCIO platform and all of a sudden your compliance as a service journey is done for you, right? You gotta go eat your own tacos first, like you mentioned.
But do you also agree that we're kind of at the very beginnings of this whole world for MSPs, and we're starting to see a big shift towards MSPs really building and bundling compliance as a service into their service offerings for the first time. What do you think? Yeah, I I, I think we have to, right? If if, if you're missing that, then you're missing an opportunity at the, at the end of the day, Wes and, um, you had mentioned CIS controls and some others.
I, I think it's important too, to crawl, walk, run. There's platforms out there, um, to your point, Wes, that that can help. Um, part of the hyperbole don't buy into, when you're looking at platforms and the like that to help support your, your effort, if you're on this journey, you know, you'll see it, the SOC two in, in weeks, not months, and all this other junk out there, you know, it, it, it's, they're, they're tools at the end of the day.
Um, but something to consider, really to consider is we talk about CIS controls, which really help describe how to implement, right? That's something that's missing in a lot of these compliance frameworks is, yeah, is okay, I read the standard or the control, but how do I, how do I operationalize, how do I implement? So CIS especially if you're newer in your journey, helps the crawl, walk, run.
What I would recommend, if you have clients, if you're a more mature MSP and you have clients that are highly regulated for yourself, consider kind of the Mac daddy, I call it the Mac daddy of all. And that's 800-53, because a lot of, even the 800-171 and CMMC and others, their, their, their deviations from that.
But boy, if you can hit NIST 800-53 moderate, build your own controls and how they map to, to that framework, uh, then that keeps you from playing whack-a-mole, uh, as your, your client's requirements come up. This is good. Um, so yet another thing to focus on, and I know if you, by the way, like Andrew said, go fill the poll out. We need more poll. We need the, we need this answered. I wanna get us into at least a hundred answers.
So if you're listening and walking, pause, stop, bring the app up, whatever, and give us some feedback on the poll results. 'cause this is a big one that we really do need. I wanna see it in there. So we're gonna get into, in a minute, we're gonna get into the, okay, I hear you, Brian, but this is expensive. I can't do it. Channel Gary, once again, let's table that for a second and let's just dive in a little bit more. You mentioned a minute ago, like cascading compliance requirements.
Also, cyber insurance is starting to kind of zoom into some of this because they have this aspect of like third party risk, you know? So like, when something happens, not of your fault, but you have to make a claim because something happened one direction or the other in the supply chain of all of this, right? So they're starting to ask, but just unpack what you mentioned before about com, the cascading compliance requirements.
Yeah, I, I do use the, the characterization of cascading compliance requirements. I, I use it almost daily or several times a day when I'm talking to folks. I'd like to first take a second and, and define what I mean by cascading compliance requirements. By that I don't necessarily mean by statutory regulatory or even cyber risk or cyber liability insurance requirement of pressures.
I mean, today, across all verticals and industry, there's this market driven pressure, not rules and laws and all that other stuff, but market driven pressure for compliance that starts at larger organizations and enterprises, right? This contractual pressure and contingencies for compliance on ISO or SOC two FedRAMP, fill in the blank, that flow down, what direction does s**t roll again, where does it roll downhill?
So those same contractual contingencies roll down from your customer's clients to them. And then where to you as the MSP? So when I think of cascading compliance requirements, I think your clients have requirements to form their, to perform really their own vendor risk and supply chain risk management effort on their vendors and service providers, right? And that puts your MSP business under the, the compliance microscope, if you will.
So as an MSP, if you can demonstrate compliance to a standard, then you're, you know, if, if you can't demonstrate that, if you're, if you're unable, you don't have an attestation or a certification, your clients then will be forced to provide, to find a provider that does have these certifications or attestations, just like you said earlier, Wes, not because they don't like you, your clients love you, right?
Not because you're not doing amazing job as their MSP, but you add compliance friction for your clients because you put them at audit risk for their own compliance, their own stuff that they have to do to keep that revenue turned on, right? Andrew, that, that risk to revenue. So, so, you know, again, if your client fails their own compliance audit, or if they can't maintain compliance compliance or if you add friction or cost, right?
You sometimes add cost to their compliance effort because you don't have these attestations and certifications. So there's this added level of scrutiny and questionnaires and things that have to happen during their own compliance effort, right? You wanna make it easy for your clients to do business with you. They're being regulated, they're getting a ton of pressure, it's rolling downhill.
So, uh, you know, they'll be forced at the end of the day to find an MSP that already has certifications and attestations. Their hands are gonna be tied there. So that's what I mean by it rolling downhill and cascading compliance requirements and how it impacts the MSP, you know, your ability to stay competitive and not put your clients at at risk, compliance risk. Wes, can I just ask a quick question to Eric? Eric's joining us. He's playing, he's playing both Phyllis and Gary today.
Um, but, uh, but Eric, you know, you've got a lot of MSPs now though, and MSPs that you do their legal work for. Are you seeing, you know, this more questions to you, Hey, this happened, Eric, how do we address this from a legal perspective or in our sows are, are, talk to us about that. Are you seeing it roll down? Yeah. Oh, there's no doubt that it's rolling down. Right?
And, you know, I, I used to ask all my MSPs when I, when I sort of go through my, my introductions and interviews with them, you know, are they dealing with customers or clients in any highly regulated industries, right? And I just don't bother asking anymore because everyone is right. And, and maybe you don't realize it, right?
Maybe you don't realize that the old folks home down the street that you're taking care of, you know, now you've gotta be concerned about HIPAA and, and, and other things like that. So I assume that, that my clients are, are going to, um, to have to deal with these regulated clients that there's no doubt. And, and, but by the time they ask me or if they ever ask me, you know, something happened and now what do I do, it's too late. Right?
We always have to address it in the, the statements of work and or the, uh, the MSAs. Well, it's not only just Eric and I, if I'm being iterative, I apologize to everybody, but it's not even just your clients, right? Your client. And I, like I said, I, I think I said this last week, but, uh, an MSP had advertising and agencies, they're not regulated, but their customers are. Yeah. And their customers said to them, here's the controls we need you to have in place. Mm-Hmm. Or you're fired.
Yeah. Basically you have this amount of time to put 'em in place. Yeah. Yeah. Those, those are contractual contingencies. And that's why Andrew being intentional about it, if we, that's the idea of the call, right? Right. Wake up, this is coming. Whether you serve gigantic companies or in unregulated markets, this compliance pressure, right? And, and this is how they're doing.
It's contractual contingencies on, and, And Brian wouldn't like the, some of those are, okay, MR advertising or Mrs advertising agencies, what about your service providers and what do they touch? Right? And that's what you're saying is that it's rolling downhill, right? You might think, oh, well, I just need, now they just have to do this, the advertising. I just have to help them put in these controls and, and these policies. And Andrew, they, they don't care either.
If I, I've been on client representing clients to say, Hey, this is a testing platform. I, I'm making an example here. We have a client that does a test typing test platform, right? And we're like talking to their clients and saying, Hey, our client doesn't store process transmit. They're not in your data flows. It's this thing, you, you can lie to us on the personal information. It doesn't need, they're checking boxes on the other end, right?
They've got their own, their, their own CYA and other contractual obligations. So even what used to be where you could make an argument and say, we're not an important, we, we don't have your data, we're not any data flows, don't give us anything. We don't want it Well, to do business, this is a, you know, a contractual requirement. And if you don't have these attestation certifications or agree to the terms of the agreement, they'll go find a, a supplier that, that does. Yeah.
You, you, you, you become a victim to your customer's ability, ability to negotiate their contracts. Well, Well put, Well put. I like that effort. Yeah. Yep. So here's, here's an off the script question then, but I think it's pertinent to this. I'm a newer MSP, I'm younger, maybe I'm sub 3 million in revenue. Uh, I don't have a vCIO, I don't have anyone with security compliance experience. I'm an owner operator that's busy putting out fires. Um, and just keeping clients happy.
And almost any revenue is good revenue. Have we now, has compliance created a dichotomy? And if it has, is this okay between MSPs that are capable of compliance as a service and true deeply aligned mapping? And those that don't so do first. So the question's twofold. Do we have a dichotomy? And is that okay? I can't speak whether it's okay or not. I think that's individual to the MSP itself and the clients you serve.
I will say this, um, even if I'm a newer MSP or a smaller one, believe it or not, the the compliance journey is a little bit more simple and straightforward, even if you're a smaller MSP. And just because you can't go straight from zero to very mature and have all these attestations and, and certification, you can start putting things in place today, right? They're called controls, right?
And we've talked about CIS controls and others, but if you align to a framework and you start really pointing some of the tools and technologies at yourself, that's where we, MSPs do have a distinct advantage when it comes to these compliance frameworks. And what is that access to the tools and people to implement the technology if it's one gigantic barrier.
We work with, with non MSP clients that are on a compliance journey, they have this big cost floating out there that they don't know, and it's usually the MSP cost to implement all these tools and things, continuous monitoring, all these other things that they need to have that they don't. And so, MSPs, I think, are uniquely positioned, Wes, it's really just focusing on pointing the tools at yourself, right? Drinking your own champagne.
And nothing tells that story better to a client than you being on your own compliance journey. Hey, here's what I learned. Here's what I wish I would've done differently. Hey, we've been down this path. Let me share my wisdom and bruises and scrape knees with you, and we'll go. It demonstrates a, uh, uh, a competency that is a, uh, I think a differentiator, at least right now. I do think it'll become table stakes in the future just to compete.
Um, but right now, a dichotomy is probably whether it's okay or not, it's gonna happen. There's gonna be a, a, a separation between the ones that do and can compete at a different level, and the ones that don't. And, and I hate to say it, bottom feed to a certain extent. Um, so it all depends on what the MSP's focus and what their, their goals and objectives are for their, their business.
Um, I know also having built, grown and sold, exited many MSPs over the, in, in the past, having a compliance or attestation not only makes you different, brings up the value of your company, right? You show that you've demonstrated to a third party auditor that you have controls in place that are operational effective, and you can evidence that the controls are working.
I mean, it, it raises the bar in terms of maturity, your quality of earnings, uh, the value at the end of the day of, of your business. And, and if I can interject. So sometimes it just raises the value for the purposes of the box checkers. Who are your customers, right? Is there an attestation? Yes or no? Right? Doesn't matter what the attestation is that sometimes they don't even ask several layers deep just to make sure. They just wanna make sure that there's an attestation.
Um, and that, that's good enough for a lot. But, but Isn't it, Eric? I, and, and you know, Brian, you, you are one of these people that's a voracious reader, voracious learner. Talk to us about what it's done for you and from a sales perspective, like confidence perspective and being able, like, 'cause we always talk about, you know, reading books, right? You know, if you think about the greats of the greats, they, they, I mean, they all read, the voracious readers, right?
And they carry conversations. What, like, I'm just curious what it's done for you. Yeah. For, for me personally, I, I think, you know, being able to have and see from many different angles and perspectives, right? Eric's talking about some real important stuff, contractually legal. Uh, and, and Eric just brought up a really solid point about lowering friction for your clients. We wanna make it easy to do business with, right?
And if we don't have a certain attestation or fill in the blank certification of third party audit, we make it more difficult for our clients to do business with us, right? We introduce, uh, a level of friction. And from a sales perspective, that's bad, right? The last thing we want to do is make it difficult for our customers to do business with us. More than that, we're impacting their, their revenue.
We are putting their revenue at risk by choosing us if we don't have the right stuff in place to help them. Brian, can I just say one last thing, Wes? I just wanna say this and, and, 'cause we, you know, we're talking about this like webinar tomorrow on automation and AI and how buyers buy.
Well, we know, and, and the part of what we're gonna reference a Gartner study and, and challenger sales talks about this, et cetera, every single year, the amount of due diligence a buyer does before they speak to somebody keeps rising, right? Because the internet's allowed us to do that. Um, so I, I mentioned that Brian also as a competitive advantage. Oh my gosh, that's where I was going. Yeah. Talk to us about like, so be take me, take us there. Yeah, go. Yeah.
So, so right now, MSPs that gain experience and expertise and compliance, especially their own journey, huge competitive advantage, I think in a couple of different ways, right? Trust and confidence, right? You just said this, Andrew, it's, it's people are checking you out online and stuff. I mean, to have a trust center on your website is gonna become table stakes.
You've got to have that to say, Hey, we believe security's important and we've made investments there, and we're gonna flex our muscle and talk about it. Not enough for bad guys to get reconnaissance. You know, you don't give that level of detail, but you do wanna flex your muscles a little bit and say, Hey, your security is important.
So that trust and confidence, when you demonstrate a strong compliance posture, you are showing your clients that you understand and meet compliance requirements, gives them, gives them confidence, it gives you credibility and their, and, and the ability to, to manage and secure, uh, their data in a responsible way, right? Also, I'll say client retention, right?
Keeping the revenue and the clients you have today, if you offer like a wide range of compliance oriented services and prove your own confidence in this area, clients are much less likely to switch to another provider, uh, for these services. Or they might have, again, cascading compliance requirements. Guess what? They love you. You're doing a great job and you check the boxes, right?
So right now, yeah, and I'll just finish the thought here though, but right now, compliance gives you a level of differentiation, right? Right. Now again, I feel like, like MSP compliance will be table stakes in the future, but right now, compliance gives you a, a level of differentiation among your competitors. Compliance sets you apart, um, from them, particularly if you specialize in industries with stringent compliance requirements.
Eric brought up a couple, like HIPAA and healthcare, right? Or, or finance or government agency type of suppliers, right? I think access to new markets is another area of advantage too. If you have, if you can demonstrate, if you have a track record of compliance, you can make, you know, you can more easily enter in markets or engage clients that require these strict adherence to these certain regulations that opens up business opportunities that you otherwise wouldn't, wouldn't get to.
Um, and also the other thing that comes to mind as we're talking about this is just plain simple risk reduction, a strong compliance posture. It reduces risks associated with things like Eric mentioned, breaches and legal issues and reputational damage. So this, at the end of the day, makes you more attractive to a growing number of what I think risk conscious clients and box checkers on the other end. Wes, I'm back to you, but Brian, I love what you started off.
I just wanted to kind of throw this back to Wes now even so, CyberFox, Wes, Brian said first, you know, trust centers are gonna be table stakes. I mean, as an MSP, are you not interested in the security of the vendors you're evaluating these days? Like, I mean, not to be sarcastic, right? So if you don't think that your buyers aren't doing it to you or going to be doing it, I think we're all kind of fooling ourselves, right?
What's a compliance requirement in every framework? You've got to check out and do your own due diligence on the vendors you choose. And, and I've got some ideas there, but vendor risk management, supply chain, that's gonna be your own compliance requirements. And in MSPs hotter than ever, SolarWinds and other things have kind of brought this up. And even Log4j got the government's attention on open source software and software bill of materials and all these.
But I, I, you know, we're all gonna have to step up our, our game on an ongoing basis. But the idea with this call today, get started. You're already behind if you haven't started down a compliance journey. Yes, indeed. This is man, such good discussion here. Um, a couple things my brain goes to one, one is, yeah, I think you are right, Andrew, to answer that question.
Um, this is becoming critical in the gov you look at like the National White House security strategy, even though that doesn't set into any like required, um, regulation, it, it, it lets us tap into the thought stream of the federal government, right? Of kind of how they're starting to see things or like pushing down this idea of we're gonna make the larger vendors push down more requirements on you. How do they do that? It remains to be seen, right?
But, but you can, you can tap into that thought stream and see some of this flowing through. And I guess yet another off the topic question, and maybe Eric, I'm gonna flip this one to you. If I may, I cannot just go into the state of Florida and step into a courtroom and practice law. I I haven't passed the bar exam, right? I'm not an attorney. We have a lot of industries that have self-regulating organizations.
Is this pushing MSPs closer and closer to some self-regulating body that states would recognize that would again, set the limits that require training, that require education, that require formalization and proof, that require testing and attestation? Are we getting closer to that? And if we are, in your view, Nostradamus, how far away are we from something like that happening? Yeah, and it, it's a great question. If I had an answer, I'm probably in the wrong line of business.
But, um, I I I, I think that it's gonna be a race. It's gonna be a race to either the, the, the, the self attestation portion of it or the government's just gonna push it down on us and they're gonna require it. Um, or, or maybe some hybrid of both. I, I'm not sure, I don't know if it's going to be a state by state requirement or a federal requirement.
Um, if I had to guess, while, while a lot of the privacy regulations we see are, are certainly state by state, I if, if you really dig into 'em, they're all pretty much the same, right? Whether it's California or Virginia or any of those really privacy centric, uh, states. Um, it's all the same stuff, right? Just said a little bit differently. So it, it's a great question, Wes, and, and, and, and I don't know the answer, but something is coming.
I don't know what it is that's coming, but something is, is is coming, um, and it's really gonna impact us as, as MSPs, it, it, it has to, and for those MSPs to, to Brian's point, who, you know, are kind of scraping the bottom and, and it, it's, it's really gonna hinder their business, right? People who aren't taking compliance seriously right now, it's going to to make them. Now, is it gonna go from zero to 104 seconds? Probably not right there.
There's going to be a, a progression 'cause that's what the government does. Um, but does that mean that, that, that, you know, state bar like organizations aren't going to crop up for MSPs? I think it'd be great if they could, right? Because if MSPs show that they can regulate themselves, then I'm not so certain that the government needs to regulate them. Um, you know, again, how we get there, I don't know. Um, and, and who's going to, to take the lead? I'm also not sure.
Um, but, but it's, something is coming. Just don't know what, don't know when, but, but, but, but a lot and soon are the, are the two vague answers. Yeah, I think Eric made a couple great points there.
I think these contractual contingencies is what I've really seen step up the last couple of years and those flowing down, um, the data security requirements are robust in a lot of these, uh, you know, not just data privacy, but data security requirements are really, you know, fairly robust and they, they trickle down. And something else Eric said as well, he's right, most of these frameworks, right? Or, or control frameworks or standards or whatever, there's a lot of commonality in here.
That's why if you have even a small MSP or you have, you're just getting started in your compliance journey, like CIS controls or, or something like that, if you put together your own control catalog, right? This is the way we do things and align them to a good like CIS control set and, and the, like, the idea here is that you're portable to whatever comes down from federal law or some of this other stuff, get a control framework in, in place, start to get that behavior and that discipline.
That's usually the long pull in the tent. When we're on compliance journeys, it's changing behaviors. It's the humans, right? And, and getting them to follow process and then being able to put smiles on auditor's faces means that, that you can have evidence, right? Auditors don't just take the self attestation or they don't just say, yes Wes, we do that on a routine basis or a regular basis. We do this quarterly.
They're gonna ask, they're gonna sample and they're gonna want evidence, screenshots, logs, something, tickets, you know, to show that those controls that you have in place are operationally effective and you have evidence to prove it. My last question, and I know Eric, you probably got a bunch as well, this is expensive, said the MSP, this erodes my margins, said the MSP, there is a cost of overhead here that I'm not sure that I can do, said the MSP, what do we do about that?
Obviously the, the obvious answer is you charge more, right? But give us some guidance here to, once again, channel Gary Pica here, because I don't, you can't do this free and you certainly can't do this cheaply and you certainly can't do this at the same cost you did this three years ago. It's expensive. I'm not gonna, I'm not gonna candy coat it, right? It is expensive and has ramifications to margins. It really does. But let me put it, let me look at this a different way if that's okay.
Lemme put it this way. What I know about most of the MSP businesses I've had over the years anyway, is that there's a certain customer concentration we have, right? We try not to do a customer concentration and, and we try to, you know, have a good percentage, but, but it, it's almost impossible, right? Most of our revenue as MSPs, we have a top five or top 10 client list drive in probably 80% of our, of our revenue. So I'll ask this question, right?
My favorite thing to do is ask a answer, respond to a question with a question. But how expensive is it for your MSP business to lose or churn a third or half of your top five or 10 clients over the next two years? What sort of impact would that have on, on your MSP business? Or you lose some of your best opportunities because you don't have a, a cert or an at attestation, right? How expensive is that to your MSP? How does that, that pain impact your, your margins?
Um, I'll also add compliance not only lowers friction for your clients and prospects, but it makes you a better company. It makes your MSP different right now and it makes your MSP business more, more valuable. We talked about that from a buyer perspective. So compliance, Wes, I hate to say this 'cause people use it on me all the time, but compliance, it's an investment, right? It's not an expense. And I think you need to change the mindset a little bit.
Yes, it's expensive, but it's an investment, but, and there's always, always a, but compliance adds controls to how your MSP operates. Controls, I'm not gonna candy coat this either, controls add friction and controls require one of the most difficult things on the planet. I just mentioned behavior change.
So from an overhead perspective, controls and compliance do involve some cadence driven things like log reviews, checklists, uh, continuous monitoring, meeting, meeting minutes, lots of documentation. But again, I think MSPs are unique and that we do a lot of this for our clients anyway, right? We just need to be more intentional with our own stuff. Um, and I also talked a little bit about MSPs having an advantage.
They're already having the tools, which greatly brings down a lot of these compliance calculators and other things you see online for FedRAMP and some of these other things. They're way off for MSPs. They're way on the high side because as an MSP, we already have a lot of these tools at our fingertips. Again, we just need to aim the gun at, at ourselves here. And, um, a lot of times, Wes, the, the first year of compliance is the heavy lift, the most, the biggest part of the expense.
Um, and oftentimes in that first year, MSPs just need a little bit of compliance readiness, help get some of that heavy lifting done. And then most of the controls after that can be ticket driven or, or automated. And just to end this thought around compliance and expensive, yes. Controls had overhead and friction. I talked about that. Sure they do, yes.
But the cost and risk with a capital R of your MSP business not being able to demonstrate compliance, I think far outweighs the compliance costs and their associated friction and, and overhead. Again, MSP compliance will become table stakes, I think to be able to even compete, make that investment. As we turn it over to Eric. Eric, I, you know, I think, uh, what Brian said is so salient about losing your top customers. How about from the M&A side? You, you're involved in that, right?
From a legal perspective, and I would imagine, you know, let's just say you're the MSP getting, you know, on the acquiring versus getting acquired side. There's the tale of two MSPs here. One's, you know, got their proverbial stuff in order, one doesn't, who wins? Yeah. No, and it's a great point. And, and, and let me answer that in just a second, Andrew. But, but I want to touch on one other thing that, that, that, that Brian said that, that I think maybe was kind of glossed over.
And that is, you know, not only what is the cost of, of not doing it, but you know, if it's gonna cost you 50, $60,000 to get your SOC 2 cert, right? Between the, the audit and the preparation field and all that stuff, you know, if you don't do it, are you gonna lose that, that next $5,000 a month opportunity, right? And if you're gonna get that 5,000 a month opportunity because you are showing that you're serious about compliance, then guess what? You just paid for it, right?
And then to Brian's point, year two, it's not a 50 or 60,000 expense, it's a 20,000 expense and every year after that. But you're gonna keep adding and keep adding and keep adding those clients. So to your point about M&A, I, I think compliance for those companies that are getting top dollar in the M&A transactions, I think it's table stakes today, right? Yeah.
If you are not showing that you're serious about compliance, you are not going to get even the averages in, in multiples in, in M&A. I don't know if you're seeing that too, Brian, but, but that Oh my gosh, yeah. Eric, we do a bunch of acquisitions over the years and, and think about this, if your MSP business has invested in, in compliance and you can show an attestation or a certification, is that worth a half to one x multiple? Yeah. It starts to get very interesting, right?
Or the difference between a deal or no deal, right? But Brian, what I'm saying, and Eric, what I'm saying is your customer is getting acquired now. The acquiring company has an MSP and your customer. That's what I'm saying. Understood. Yeah. Yeah. Understood. So that's, and in that situation then, then you're almost necessarily dealing with a larger and more sophisticated organization who's going to expect more from their MSP. And if you don't have it, then, then guess what?
You're not gonna keep supporting the organization. They Yep. And I've seen both already. I've seen where the, the MSP's customer who's getting acquired that had a stellar MSP, they're the one that took over everything. Yeah. And I've seen it goes both ways, there's no doubt. Yep. Yeah, absolutely. So, so Brian, we've touched on a lot of the, the, the, the questions that I had for you, but, but there are a couple things that, that I would like you to, to say louder for the people in the back.
And, you know, one of them is around the, the complexity of dealing with customers who have, whose, whose customers are in or who they are in more than one regulated industry, right? So you're dealing with customers who are in healthcare, you're dealing with customers who are in defense, you're dealing with customers who are in banking or finance, right? So now you've got a bunch of different frameworks that that, that you might be expected to adhere to.
And for those MSPs who, who are really in the early stages of, of the journey, can you talk about the complexity and, and, and where do you start? Where do you start standardizing if you've got customers in more than one area?
Yeah, I, I think as, as I think through that, that question, I think that anytime you're dealing with, uh, you know, multiple frameworks, um, I think that you have an opportunity to again, try to try to simplify if you have a way that you deliver your services and your own control catalog, your own control library, your own set of competencies, right?
I think that you can make, make your, you know, as, as you look at these multiple frameworks easier, there's a multitude of platforms out in the market right now too. So there's GRC platforms. Um, auditors tend to have their own platforms these days too, that create efficiencies for the, the audit process. Mm-Hmm.
But I think again, instead of trying to play Whack-a-Mole with regulatory requirements, and there's gonna be a new, a new CMMC version too, or fill in the blank, and there's all these things, again, I, I think the idea is have your own set of controls that map to several different frameworks, and then you're usually flexible enough that you attack deltas in the nuances of these other frameworks as they come out, or as, as the frameworks themselves mature.
So, so you touched on GRC, which is, which is interesting. And, and if I'm an MSP and I am going to, or I want to implement a GRC platform, um, which I think is a great idea, can you speak to what it takes, what does it take from a, from a resources standpoint, you know, because if I'm a, a 3, 4, 5 person MSP, um, am I gonna, you know, have to shut everything down for three months to implement this platform? Or if I'm a hundred person MSP, you know, what does it take to implement such a platform?
Yeah, so great question and, and my favorite answer to everything like this is, it depends, right? I think, I think Everything, I think GRC tools are, are one way to go. But multi-tenant solutions are just now being developed. That's what we as MSPs always want. We want that PSA automation and all that kind of stuff, but multi-tenant GRC tools, uh, are just kind of getting out there on the market now as opposed to being kind of a one-to-one with each one.
So in my opinion, as an MSP compliance automation platforms, which are different from GRC tools, but compliance automation platforms with connectors into the environment allow you to kind of grab that technical evidence and, and collection and, and automate that. And most compliance, um, automation platforms, they map across all the different standards and framework, uh, too, which help you kind of comply once, uh, across many standards and, and frameworks. Uh, just be careful.
A lot of those compliance, uh, tools, and this is words of wisdom from screwing it up a couple years ago, is you're working with a client, let's say you're on your own. And a lot of these compliance platforms, they love to do it. So let's say you're on a SOC 2 journey and you're doing the SOC 2, and then they show these analog gauges on the dashboard that say, Hey, you got your SOC 2 and you're 78% of the way to HIPAA, and you're, you know, 50% on the way to ISO and all this other stuff.
It's largely BS. Um, you've got further to go in each of those because just because you have an implementation of a control that satisfies a SOC 2 requirement, and that might map over here to ISO, it doesn't mean it, it, it passes the level of scrutiny. It just means that, hey, I needed a network diagram for one, Hey, I satisfied that question of requirement and it goes over here and kind of checks the percentage.
But sometimes there's automation platforms, um, you know, uh, again, it's just a tool. Take time to research the right tool for, for you and define what's mo most important. The, the gotta haves from the, the nice to haves. Yeah. So, so as, as this audience knows, one of my favorite topics is cyber liability insurance. I know one of what's his favorite too. And you know, in, in with cyber liability insurance, we're starting to see a lot more in the, the requirement for continuous monitoring.
Um, can you, can you speak to, to how, or if at all, um, compliance has similar requirements of continuous monitoring and, and how that might play into cyber insurance and the applications for that and eligibility for that, For that. Yeah, all great points.
And I think when you think, and I'll just abbreviate as ConMon, that's how I know it, as ConMon for continuous monitoring, but it's a critical component of maintaining compliance with almost every regulation and standard as well as just ongoing pragmatic security, integrity of systems, et cetera, that the MSPs manage. But, but why, why is it a common requirement for compliance? You have to be able to show that you could detect and respond to threats, right? That's a lot of why the MSPs exist.
So if you're doing ConMon in real time, uh, if you're not doing that, how can you detect threats and vulnerabilities and more importantly, respond or mitigate the, the risk? You need to be able to monitor that system and network activity so you know what's weird, anomalous or, or suspicious. So you can, so you can dive in and, and, and check it out. All the regulatory requirements. Uh, Wes, something near and dear to your heart. I know PCI DSS, right?
Obviously continuous monitoring for all network resources and you gotta be able to detect and respond to security incidents. StateRAMP, FedRAMP, ISO, all of 'em. ConMon is part of that. Uh, lastly, um, I'll play the compliance card a bit on ConMon. Continuous monitoring provides a, a record again of security related activities. This is the evidence, this is the artifacts that you need to show that your controls work.
Uh, it provides the auditors evidence that puts smiles on, on auditors' faces. So, so we've only got a couple minutes left, so, so let's let, let's, let's take this back up to a, a 30,000 foot view, right? So I'm an MSP, I don't have much by way of a compliance program. Gimme the top three, the top five things I should really be thinking about, um, as I start to go down this road. Perfect. Yeah. Perfect way to, to wrap it all in a bow too. So remember this, my MSP colleagues and, and friends.
Your client's audit journey and scope will involve you. You'll be under a client's auditor, audit firm's microscope, right? We've talked about that. The cross hairs are pointed in your direction. It's not going away, it's intensifying. So my top couple of recommendations here to close out, build a compliance program. Meet yourself where you're at today, right? Create a structured compliance program that addresses relevant regulation standards.
But this program should include, remember defined roles, responsibilities, policies, which I've talked about a lot, but policies, procedures, processes for ongoing monitoring and auditing. Get a, implement a, um, security management s uh, system. Consider implementing like a, a security management system based on some recognized compliance framework or even CIS controls really helps you understand how to implement it.
Um, 'cause this could help you manage your, um, security controls in a more structured and consistent way. It also provides a way to demonstrate compliance to auditors and plan today, plan for audits. I guarantee an audit is coming to you soon if it hasn't already. Regular audits are gonna be a key part of any compliance routine. Be prepared to demonstrate your compliance, be prepared to do that. Compliance to auditors, right?
That's evidence that the security controls, policies, procedures are operationally effective. Last, certainly not least, look for helpers, right? There's people out there to help you, especially if you're in year one of your journey, that can meet you where you're at today. Engage with the experts. If you're dealing, especially with complex or unfamiliar, uh, regulations. Consider engaging with a, a compliance consultant.
Uh, they can really help you kind of boil down and understand the requirements, not beat you over the head with what the standard says, but help you implement practical things to to, to meet the control requirement and, uh, do that in the most effective, and I'll say, say cost effective, uh, way to deal with compliance. So I'll end MSP compliance.
It's coming to get you, it's a bit of hyperbole and boogeyman there, but, uh, hopefully, uh, if you're not awake, you're awake now and start planning. It was great Brian. And um, I put your LinkedIn profile in there for people that might want any help. Brian? Um, I think you really summed it up and, and the, I think the MSPs that are really have taken the journey of them being, we call it patient zero, customer zero, whatever, what you just said, framed up that in above.
So you gotta be client number one in your eyes. Um, if you do that, you're gonna be in great shape. So start patient zero If you're not. Um, Eric, thanks so much for, for popping in. Of course. You played a great of Phyllis and, and, and Gary. Brian, thanks as always for coming on back. Wes, say hello and thanks as always to say hello to everybody there. Um, for sure all our favorites and uh, we'll look forward to seeing everybody next. Oh, we'll skip next week, right?
With Memorial Day, I'm assuming. Yeah, we should skip, so we'll skip next Monday and we'll see you back in two Mondays. Thanks everyone. Awesome Everyone. Thank you. Thanks Andrew. Thanks Everyone. Alright, bye.