You probably don’t remember landlines… and even if you do, I’m sure you can’t really recall a landline with a cord. To use the phone, you literally had to stand within a foot or two of it.
Things become outdated. Technology progresses, and we move forward.
I remember a couple of years ago when we celebrated HIPAA’s 25th birthday. I spoke at a Health Information Management meeting in New Orleans on how this quarter-century-old program was as outdated as a landline.
The crowd all laughed.
However, deep down the thought of a 25-year-old rule governing technology terrified me.
Some compliance laws are slow to change, while others are constantly updating. That makes things very complicated for your MSP as you strive to meet your clients’ needs. Every time I talk to our partners at an Office Hours session, a question pops up about one compliance framework or another.
One of the recent hot topics has been the FTC Safeguards requirements. Many MSPs remain hyper-focused on the CMMC framework for DoD contracts. Both of these, along with the typical frameworks like HIPAA, PCI, SOC, NCUA, and SOX, are big areas of focus for many MSPs.
As you are navigating the complex world of compliance, you may be asking this big question:
Should you outsource your program or grow experts from within?
If you’re asking this question, I can tell you that you’re not alone. This has been a serious question many MSP owners and operators have been asking me.
Much like compliance, the answer to this question is a bit complicated. So, before you answer the big question, let’s think about three significant underlying questions:
- Do you have the talent?
- What compliances are you supporting?
- What about the data?
Let’s think about them in more depth.
Do you have the talent?
If you live in a market where you can find the talent to support compliance needs AND have clients who are willing to pay for those services, it might be a no-brainer to invest in growing an in-house expert.
A word of warning: The more specialized someone becomes, the quicker they might leave if they can find a better opportunity further up the chain within a niche industry.
If you decide to grow a compliance program in-house, don’t depend on one person. I would encourage you to grow a team of people with competence in compliance. I’d select some promising folks from your help desk team and empower them to live compliance and own the responsibility.
Another word of warning: Don’t simply hire a guru off of a job ad. I’ve tried this, and it has never ended well.
What compliances are you supporting?
Before deciding that you want to take on compliance as an in-house service offering, you need to understand the following:
- What specific compliances are you currently supporting?
- What industries are your clients in?
- Which of your clients are concerned about compliance programs? (If they don’t care enough about compliance to want or have a program, or to pay for one, you’ll just lose money if you invest in forming a program yourself.)
You also may want to evaluate whether those compliances have become commoditized. For instance, there are currently large compliance-as-a-service companies that have reduced the cost of some compliances to less than 30 bucks per workstation (ALL-IN).
If I look in my crystal ball, I can pretty much guarantee that if you are competing within an industry that offers cheap compliance services specialized to your client base, you will be hard pressed to get a lot of bites.
What about the data?
Last, you need to understand where your clients’ critical data assets are stored. If your clients are already using compliant solutions and their risk is low given how their environments are set up, compliance pressures may be easier to manage than if they have complicated networks with processes that scatter critical or sensitive data all over the place.
Now, let’s go back to the BIG question:
Should you outsource or develop your own expertise in compliance?
It really depends on a ton of factors, many of which I don’t have time to go through here. But what I can do here is remind you that with any compliance solution, you’ll benefit from having a third party audit your security.
I’ve raised a lot of questions here for you, but let me leave you with one more that you don’t dare overlook: How will you test the security controls defined within your security policies?
You can’t proofread your own work.
Consider a free cyber stack assessment to see how you might audit your client networks.