Luke Dash, CEO of ISMS.online, looks at the MSP opportunity sparked by growing regulatory requirements on businesses, which lead to significant administrative complexity that can increase costs and impede growth.
This growing burden has been on the minds of governments for some time. In the UK, for example, the Business Impact Target (BIT) was introduced in 2015 as part of the Small Business, Enterprise and Employment Act in an effort to reduce the cumulative costs of regulation on business.
At the start of each parliament, the Government sets a target for managing and ideally reducing the total regulatory burden on business of new regulation over the life of that parliament. However, figures show that regulatory costs haven’t fallen in recent years. In fact, they have grown substantially.
According to a September 2023 release from the Regulatory Policy Committee (RPC), regulatory costs rose by £7.8 billion during the 2017-2019 parliament, with costs then increasing again by an additional £14.3 billion in the first three years of the 2019-2024 parliament.
It’s a landscape that has continued to become increasingly complex, with a range of different sector-centric legislation and data protection laws placing increasing compliance demands on businesses. ISMS.online’s State of Information Security Report 2024 revealed that compliance with regulations and industry standards is now the second biggest information security challenge faced by businesses, with two-thirds of organisations agreeing that the pace of regulatory change is making it harder to comply.
Unfortunately, there’s little to suggest that compliance requirements will subside anytime soon. In recent times, we’ve seen frameworks such as NIS2, DORA and AI-related legislation including the EU AI Act introduced in response to growing concerns surrounding AI and cybersecurity, with Gartner estimating that 50% of governments globally will enforce the use of responsible AI through regulations and policies by 2026.
The opportunity for MSPs
The challenge is clear: Despite the growing compliance burden on businesses, many organisations simply don’t have the time, expertise or resources to respond quickly or effectively enough to a sea of ever-changing legislation.
According to the 2023 Thomson Reuters Risk & Compliance Survey, a lack of knowledgeable employees, inadequate resources and company culture are all hindering confidence in companies’ abilities to address compliance risks. Further, MetricStream’s State of Compliance Survey revealed that 76% of compliance managers are resorting to manually scanning regulatory websites to try to keep on top of changes.
Clearly, businesses are finding themselves unequipped to effectively manage the compliance burden internally, with many now seeking support from external partners. Indeed, Gartner estimates that investment in governance, risk and compliance tools from legal and compliance departments is expected to increase by 50% between 2023 and 2026.
With the Compliance-as-a-Service (CaaS) industry therefore set to expand substantially in the coming years, Managed Service Providers (MSPs) are well placed to obtain a substantial piece of the pie.
As trusted third parties that are already managing significant aspects of their clients’ IT infrastructure and end-user systems, integrating CaaS into this existing offering is a logical step for MSPs to take. Not only does it provide them with the opportunity to diversify their services, but those that do will also be able to add significant value beyond the traditional offering and gain key competitive advantages.
Making a CaaS offering work for clients
Of course, diversifying in this manner is likely to require a change in strategy and approach. While many MSPs focus on the management and delivery of automated tools, these alone will not be sufficient in providing the CaaS solutions that customers need.
While technologies are important, successful compliance management practices are also underpinned by people and processes. To market and sell CaaS solutions effectively, MSPs must emphasise that compliance is not a case of “set and forget”. It requires a combination of continuous management, specialist support and reliable technology to achieve results.
It’s also important that the platforms on which those CaaS solutions are built should not only cover everything from risk assessments to regulatory audits, but also be capable of integrating seamlessly with existing tools and systems.
Companies seeking CaaS solutions will be doing so as their existing practices will be complex, time-consuming and costly. However, if a CaaS solution demands major infrastructural and/or operational overhauls, those solutions will simply turn one headache into another. Therefore, it’s vital that any CaaS solution can work seamlessly with current IT setups.
Additionally, as well as being comprehensive, effective, efficient and intuitive, any CaaS solution should also deliver transparency to potential clients. It’s only natural that clients would want regular updates on their compliance and key changes. Therefore, MSPs should use compliance platforms that can both automate workflows and allow for human oversight. Here, key features would include transparent dashboards and reporting features, allowing clients to monitor their compliance status in real time.
Achieve all of this, and MSPs will be well placed to simplify compliance for their customers while delivering cost and efficiency benefits.
The opportunity is clear: By combining CaaS with their existing offerings, MSPs can capitalise on a promising new market while realising significant competitive advantages that will fundamentally make them more attractive to both new and existing customers.