A survey of 300 IT security professionals published this week by Telos Corp., a provider of IT services, finds organizations on average comply with 13 different IT security and/or privacy regulations and spend $3.5M annually on compliance activities.
Over the last 24 months, the survey finds organizations have been found non-compliant an average of six times by both internal and third-party auditors, resulting in an average of eight fines with a median cost of $460,000.
The survey also finds compliance audits consume 58 working days each quarter, with IT security professionals receiving an average of more than 17 audit evidence requests each quarter. Further, IT security professionals will spend an average of three working days responding to a single request, the survey finds.
A total of 94 percent of respondents also reported they would face challenges when it comes to IT security compliance and/or privacy regulations in the cloud.
Nearly all survey respondents (99 percent) also indicated their organization would benefit from automating IT security and/or privacy compliance activities. Expected benefits include increased accuracy of evidence (54 percent), reduced time spent being audited (51 percent) and the ability to respond to audit evidence requests more quickly (50 percent).
Put it all together and it quickly becomes apparent there is a need to automate compliance processes that neither drive revenue nor improve the organization’s bottom line. Compliance requirements are at best a “necessary good” that most organizations are looking to ruthlessly automate to contain costs.
The challenge most organizations face is that they lack the tools and expertise required to automate the processes needed to comply with, among other regulations, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, and the General Data Protection Regulation (GDPR).
MSPs are in a unique position to monetize compliance
Unlike an internal IT organization, an MSP can effectively spread the cost of compliance across a base of customers. The end goal is to perform these tasks at a cost lower than the internal IT organization could achieve while still maintaining a healthy profit for the MSP.
Unfortunately, MSPs often overlook the compliance opportunity. In many cases, compliance isn’t considered a technical service. Most automated compliance processes are instances of either simpler workflow automation or, in some instances, more advanced forms of robotic process automation (RPA). Regardless of the approach, it’s pretty clear compliance is a pain point most organizations would, for the right price, happily outsource.
Of course, the stakes can be high when it comes to compliance. IT services providers need to assume a level of responsibility for helping organizations achieve compliance, and should things go awry, that responsibility could lead to penalties being levied against them. However, most compliance processes are essentially routine workflows that are often poorly managed by internal staff because each organization defines its own workflow.
Naturally, MSPs that pursue this opportunity have to also attain any number of certifications. However, it will also quickly become apparent that many of the controls required by various regulations are redundant with one another. Master one certification and the return on investment for the next one becomes significantly higher.
Compliance services may not be the sexiest of all IT services. However, it is a service that most certainly will, year after year, put money in the bank for MSPs that master it.