What MSPs need to know about Compliance-as-a-Service
Article by Marina Brook, StorageCraft head of sales Asia-Pacific
Changes in the regulatory landscape have had a significant impact on data management and security.
In the process of providing better protection and privacy for consumers, these changes have created a mixed bag of challenges and opportunities for all parties involved.
Combined with existing mandates and changing requirements, the risks associated with failure to comply have made compliance management a daunting task for organisations of all sizes.
Not all is lost, however: there is a group of problem solvers waiting on the sidelines, ready to jump in to help.
Verizon’s 2015 PCI DSS Compliance Report found that four out of five organisations were still not compliant.
A 2017 study from SecurityMetrics reported that in 2016 the largest single origin of compromise (39%) was insecure remote access. According to the Ponemon Institute, which tracks the cost of data breaches every year, the average total cost per data breach is $4 million, up 29% since 2013.
These figures highlight the opportunity for third-party service providers to step in and assist struggling companies with their compliance needs.
Australia’s notifiable data breaches legislation, due to come into effect on February 22, 2018, may well result in a similar lack of preparedness.
Adding Compliance-as-a-Service (CaaS) to a menu of service offerings is a strategic way for Managed Service Providers (MSPs) to cater to the regulatory requirements of existing clients and to attract new business.
Compliance is a virtual goldmine for service providers with the management expertise to simplify and satisfy the complex requirements associated with these regulations.
At the same time, hopping on that bandwagon is akin to opening Pandora's Box, because of the obligations and liability that come with the territory.
MSPs must walk a fine line in order to ensure that the convoluted legal component of compliance doesn’t land them in hot water.
Lingo and liability
Borrowing the ‘as-a-Service’ moniker popularised by cloud computing, CaaS is far more than a cleverly named fad - it’s recognised as a legitimate industry on the rise.
CaaS providers make their money by customising solutions around individual compliance requirements.
Their management efforts are designed to help organisations prioritise internal policies and processes per mandated regulation and rule.
In a perfect world, CaaS is a cost-effective solution that enables regulated businesses to minimise the risk, cost and complexity of meeting compliance.
CaaS is a rather vague term that can be interpreted in more ways than one.
Based on the name alone, one might assume that the service involves directly handling or securing confidential information.
A potential customer, on the other hand, might assume that it refers to managing internal processes typically performed by employees, or even to guaranteeing compliance with one piece of legislation or another.
This ambiguity in the CaaS term can lead to a lot of confusion, and it matters: a contract that leaves it unclear which party owns a given control, and who is accountable when an auditor or regulator finds a gap, is the most direct route to the liability problem described above.
Third-party providers are often needed to help with aspects such as auditing, storage management, and disaster recovery.
These services come in handy and allow organisations to free up valuable time and eliminate some of the challenges associated with meeting industry regulations.
Technology and expertise
The move from MSP to CaaS requires a special set of tools and procedures.
While the targeted field and legislation will determine the specifics, every successful transition is built around three key elements:
- Providing rock-solid security that prioritises data protection
- Training personnel on the finer details of the regulations in question
- Integrating new technology in a manner that is consistent with billing cycles and overall service offerings
Practitioners in emerging businesses are buckling under pressures that traditionally regulated industries have been dealing with for years.
When it comes to CaaS or compliance work in general, MSPs must be careful not to take on risks they cannot properly assess or manage - or the risk to their own business will quickly outsize the rewards.