The changes in the regulatory landscape have had a significant impact on the area of data management and security. In the process of providing better protection and privacy for consumers, these changes have created a mixed bag of challenges and opportunities for all parties involved. Combined with existing mandates and changing requirements, the risks associated with failure to comply have made compliance management a daunting task for organizations of all sizes. Interestingly, not all is lost and there is a group of problem solvers waiting on the sidelines, ready to jump in for help.
Verizon’s 2015 PCI DSS Compliance Report found that four out of five organizations are still not compliant. This shocking statistic does more than uncover the glaring problem in the payment card industry. It also highlights the opportunity for third-party service providers to capitalize on the issue and assist struggling companies with their compliance needs. Adding Compliance-as-a-Service (CaaS) to your menu of service offerings is a strategic way for MSPs to not only attract new business, but cater to the regulatory requirements of existing clients as well.
Compliance is a virtual goldmine for service providers with the management expertise to simplify and satisfy the complex requirements associated with regulations such as HIPAA, PCI DSS, and GDPR. At the same time, hopping on that bandwagon is akin to opening Pandora’s Box because of the requirements that come with the territory. MSPs must walk a fine line in order to ensure that the convoluted legal component of compliance doesn’t land them in hot water.
Lingo and Liability
Borrowing the “as-a-Service” moniker popularized by cloud computing, CaaS is far more than a cleverly named fad. It’s recognized as a legitimate industry on the rise. CaaS providers make their money by customizing solutions around individual compliance requirements. Their management efforts are designed to help organizations prioritize internal policies and processes per mandated regulation and rule. In a perfect world, CaaS is a cost-effective solution that enables regulated businesses to minimize the risk, cost and complexity of meeting compliance.
Trendy name aside, CaaS is a rather vague term that could be interpreted in more ways than one. Based on the name’s general nature, one might assume that the provided service involves directly handling or securing confidential information. On the other hand, a potential customer may assume that it refers to managing internal processes typically performed by employees, or even to guaranteeing compliance with one piece of legislation or another. This ambiguity in the CaaS term can lead to a lot of confusion.
Third-party providers are often needed to help with aspects such as auditing, storage management, and disaster recovery. These services come in handy and allow organizations to free up valuable time and eliminate some of the challenges associated with meeting industry regulations. However, the burden of achieving and maintaining compliance falls on the customer’s shoulders. Therefore, MSPs’ contracts should accurately describe service offerings and make it clear that those services alone can’t ensure compliance. MSPs should also consider avoiding the term CaaS altogether and invest in liability insurance for added protection.
Technology and Expertise
The same regulations and rules that have companies scrambling for compliance solutions can be equally perplexing for MSPs. Take the healthcare field, for example. HIPAA requires organizations to assess their level of data security risk, implement policies and technology to mitigate those risks, regularly report their assessments to industry regulators, and, in worst-case scenarios, notify regulating bodies within 72 hours should a breach occur. These and other responsibilities demand that MSPs acquire the security expertise to help healthcare organizations meet HIPAA compliance.
The move from MSP to CaaS requires a special set of tools and procedures. While the targeted field and legislation will determine the specifics, every successful transition is built around three key elements:
- Providing rock-solid security that prioritizes data protection
- Training personnel on the finer details of the regulations in question
- Integrating new technology in a manner that is consistent with billing cycles and overall service offerings
If there were ever a time to call on your vendor partners for assistance, this would be it. IT networking powerhouses like Cisco offer solutions that are a custom fit for MSPs and designed to support regulatory standards in numerous industries. These vendors can provide valuable insight into delivering compliance-friendly services, so there is a lot to gain from tapping into their expertise.
Practitioners in emerging businesses such as medical marijuana are buckling under the pressures that traditionally regulated industries have been dealing with for years. When it comes to CaaS or compliance work in general, MSPs must be careful not to take on risks they cannot properly assess or manage, or the risk to their own business will quickly outsize the rewards.