For Managed Service Providers (MSPs), offering GRC as a Service (GRCaaS) may be an overlooked revenue opportunity in today’s regulated market. While many MSPs have avoided governance, risk, and compliance (GRC) in the past, market pressures and client demands are making this avenue harder to ignore. And yet, for many MSP leaders, GRC still feels like something being offered from the inside of a sketchy trench coat.
Imagine a mysterious figure leans in and whispers, “Pssst… Lemme’ show ya’ something!” A man in a dark trench coat and a fedora gestures to you, beckoning you to come look at his merchandise. As you get closer to him, you can’t help but think to yourself that whatever he has, it’s probably fake, stolen, or not something you’d be interested in. Then, however, you get close enough to see what he’s concealing. It’s wonderful, it’s beautiful, it’s surprising, and, more than anything, it’s totally legit! In his trench coat, the mysterious man shows you an MSP that not only is amazing when it comes to managing their customers’ IT systems, but also provides world-class, ongoing services to support their customers’ compliance needs. And the best part is, it’s incredibly beneficial for them and their customers.
Even to this day, we at IntelliGRC regularly run into people from MSPs who tell us similar things: “We’ve been avoiding GRC like the plague,” “We’ve been steering clear of GRC like it’s radioactive,” and “GRC has cooties.” Ok, maybe we’ve not heard a cooties comparison in the wild. Nonetheless, the point is the same. For many we’ve encountered, there’s been a real apprehension about supporting GRC in a formal and active way, and sometimes for very legitimate reasons. If you’re reading this, you might work with an MSP or a similar type of services organization, and you can relate. You’ve said or heard “We don’t want to have to change our toolset,” or “We don’t want everyone to have to become experts in every single compliance framework our customers are obligated to align with,” or “It’s a hassle we’re just not ready to take on right now.” All understandable, but not always well-informed. In today’s blog, I want to put on paper what we’ve been preaching for a while now: that we need more MSPs to step up their game and become GRC champions, and the path towards doing so might not be as tedious as you might think. First, I’ll provide some perspective on the common concerns MSPs have in taking on customers in regulated industries and the opportunities that are often left on the table. We’ll wrap up by discussing some practical steps you can take to move towards realizing those opportunities for your company sooner rather than later.
Aristotle is calling!
I really empathize with the people who’ve expressed their concerns about supporting regulated industries as an MSP. It is definitely a journey with some hurdles to get over if an MSP decides to take on such industries. There are often policies and procedures that the MSP needs to develop that it never had to consider before. There are adjustments to how things are configured, and questions about which of the tools in use are actually suitable for the job. There are contractual obligations and additional involvement in customer audits and assessments that an MSP may never have had to support before. And, not least, there are methodologies and workflows that may need to be reformed or changed to meet the compliance needs of regulated customers. It’s understandable why it seems daunting, but let’s nip some things right in the bud and look at these concerns from a different angle.
First, one thing to think about is that it CAN be done, and it can be done well, with practice and effort, of course! It’s kind of like what Aristotle says in Book 2 of the Nicomachean Ethics: “But the virtues we acquire by doing the acts, as is the case with the arts too. We learn an art by doing that which we wish to do when we have learned it; we become builders by building, and harpers by harping. And so by doing just acts we become just, and by doing acts of temperance and courage we become temperate and courageous.” In talking about excellence in virtue, Aristotle’s point is that, for things we don’t inherently know by nature, we become excellent at them by doing them, once we’ve learned how to do them. In my opinion, GRC services are no different. Many MSPs are already providing a lot of awesome and incredibly necessary services for their clients, but they had to start somewhere, didn’t they? They became excellent by ‘doing the thing’ over and over again. For an MSP to enhance their services to support regulated industries with GRC-relevant services, they may have to make some adjustments, learn a few things, and start doing things they’ve not had to do before. But, just like anything else that isn’t natural to us, as the MSP implements GRC-focused technical solutions and services, sits in on customer audits and assessments, and maintains a continuous monitoring compliance program, it will become second nature, just as the core IT services have. Learn what you need to do, do it a bunch, and become the best at it. Aristotle would be proud!
Another thing to ponder is that some of the uneasiness around adding GRC services to your repertoire as an MSP, while understandable, is often over-emphasized. For example, many MSPs assume (maybe because of misunderstanding, misinformation, or both) that they will be required to acquire a bunch of new and expensive tools and solutions because their current tools aren’t compliant. You can see why there’d be a bit of apprehension, right? It would be really inconvenient to swap out tools that your team is familiar with and already quite efficient at using to provide the services your customers are paying for. But is that assumption true? Well, as I like to say when posed with a simple question that sometimes has a more complex answer, “That’s a big, fat ‘it depends’!” Depending on the types of regulated customers an MSP might have, the tools the MSP uses could matter, especially if they handle customer data in some way. For example, DoD contractors are required to ensure that Controlled Unclassified Information (CUI) is processed only using FedRAMP Moderate Equivalent or Authorized solutions if Cloud Service Providers and Offerings are utilized. This comes from the DFARS 252.204-7012 requirements and from 32 CFR Part 170.19. So, if the MSP is offering a Business Continuity and Disaster Recovery (BCDR) backup solution as part of their services, there’s a good chance that the MSP will need to evaluate the solution they are using to store and process those backups, especially if CUI will be handled by it. However, to then go on to assume that all of the MSP’s cloud-based tools need to align with these FedRAMP requirements, even those that would never handle CUI on behalf of the customer, is a common yet false assumption.
For tools and solutions that will never store, process, and/or transmit CUI, FedRAMP requirements do NOT apply, and most of the time, MSPs that choose to embark on this journey with regulated customers can utilize the same tools they use for everyone else. Sure, there may be some different configurations they need to adjust and apply, and there will probably be some adjustments to their procedures and other related documentation, but these adjustments are all doable and would enable the MSP, in most situations, to continue using the tools and solutions they are already familiar with and efficient at using. I offer this pushback because assumptions like this are so common. We hear these concerns all the time, and we want to encourage MSPs to pursue clarity on the requirements before making assumptions, because the opportunity is just too great to pass up!
An Offer He Can’t Refuse
Hopefully, there’s at least a tad more clarity around the actual expectations and less unnecessary worry. With some of those things out of the way, what about the incentives to get involved? I would argue that the benefits of MSPs getting involved in supporting regulated clients, not only as outsourced IT and security resources but also as their GRC enablement partner, often far outweigh the reasons for not touching GRC services and regulated customers with a 10-foot pole. That’s not to say this is true for all organizations; adding GRCaaS to one’s repertoire does come with adjustments and preparation that some organizations might not deem worth the investment. However, the sheer number of organizations, especially Small and Medium-Sized Businesses (SMBs), that struggle to do any of this GRC stuff on their own is pretty incredible. In the Defense Industrial Base (DIB) alone, there are an estimated 163,00+ small organizations that will have contract-enforced CMMC requirements of some kind (CMMC Level 1-3). These are the organizations most likely to depend on external help in figuring out how they are going to implement and maintain a GRC program that satisfies their contractual obligations. The level of effort required to engineer, implement, document, and maintain a successful GRC program is heavy and expensive, and it often requires time and knowledge that these small businesses just don’t have. We’ve seen this firsthand. Without outside help, some of these organizations end up hiring to fill the gap so they have someone internally supporting this effort in a dedicated way. When an organization compares the cost of bringing on someone with the cost of utilizing their MSP, we’re often talking about a difference of several thousand dollars each month in savings just by going with the MSP instead of hiring a full-time employee.
When looking at adding these services from a strictly monthly recurring revenue (MRR) perspective, we’ve found it to be a no-brainer. Many customers are happy to pay more to their MSP for GRC services, and many MSPs who’ve pursued this path have discovered that adding GRC to their toolbelt has been well worth it!
One more quick note while talking about incentives. Cybersecurity and compliance requirements are getting more stringent, and third-party assessments are taking more of a seat at the head of the table, while the honor system and less stringent approaches to security and compliance are taken less seriously. At least from a federal contracting or healthcare perspective, we feel the winds of change and have already seen situations where customers are leaving their MSP specifically because their MSP isn’t able to support their GRC needs, and that puts their ability to work within their regulated industries at risk. Unless an MSP is willing to lose customers and the revenue opportunities in these highly lucrative industries, in the words of Don Corleone, “This seems to be an offer he can’t refuse.” That being said, I hope MSPs will not look at this as a daunting effort that must be done to avoid the risk of losing customers (though losing revenue through inaction is a real risk). Rather, I hope the opportunity to bring customers immense value while significantly increasing monthly revenue from these types of clients is encouragement enough to be persuasive.
Curious how MSPs are packaging GRC into monthly services? We’ll walk you through a real-world delivery model (scope, cadence, artifacts, and reporting) and how to position it with regulated clients. Grab 20 minutes with IntelliGRC on this link.
Conclusion
Whether you’re thinking about the benefits or trying to avoid the risks, I hope that those reading this will be encouraged to know that this is all doable. GRC as a Service is already being delivered by several MSPs who’ve taken up the mantle. But there aren’t enough. Organizations in regulated industries are in desperate need of providers who will be courageous and diligent enough to do what it takes to meet their needs. If you would like to talk more about how your organization could move in this direction or if you’re looking for a GRC solution to make life in this space a bit easier, IntelliGRC is always up for the challenge! We’ve helped a multitude of service providers get their house in order and achieve great things in these industries, and we love adding more partners to the list of providers we know are doing the right thing. We hope more MSPs will consider the needs of these industries and throw their hats in the ring. Aristotle and the Don would be proud. If you’re ready to see what this looks like in practice, schedule a time to talk.
Until next time, Happy Implementing!