
How to Bundle Your Cybersecurity & Compliance Services: A Q&A with Apptega CPO Rahul Bakshi

Apptega
July 25, 2024

Introduction

Security providers are increasingly turning to compliance as a service — not only to meet a growing client need but also for its business growth potential. In a cutthroat environment where revenue, margins, and retention reign, continuous compliance presents an opportunity for providers to differentiate their services in an increasingly competitive and commoditized market.

According to the findings of our recent State of Continuous Compliance Report, only half of all security providers offer managed compliance as a service, despite nearly three quarters identifying compliance as a high-growth area. There’s tremendous upside for providers who can bridge this gap, and most are closer than they might think.

We recently sat down with Rahul Bakshi, Apptega’s own chief product officer, to discuss how security providers can bundle their cybersecurity and compliance services to capitalize on this growing opportunity. In this Q&A, he covers everything from the benefits of compliance bundles to specific services and pricing.  

Key Takeaways

  • Security providers are offering compliance as a formalized service, using frameworks such as NIST 800-171 or CMMC to drive security maturity, or both.
  • Security providers are likely already addressing compliance requirements in some way through their security services. But without a formal compliance offering, they’re missing an opportunity.
  • Providers shouldn’t assume their clients don’t have compliance requirements. Many do but need additional education and awareness. Compliance is a subset of cybersecurity and resilience, and it isn’t going away.
  • Compliance tools can provide higher customer value, which means better revenue and customer retention for the provider.
  • When bundling security and compliance, focus on these services: vulnerability/cloud security posture management, endpoint detection and response, log collection/analysis, network visibility, web application firewalls, and 24/7 monitoring.
  • Pricing will depend on customer maturity level and what they’re looking to get out of it. A customer who is both security- and compliance-oriented is ideal, as they’ll spend the most.

1. How are security providers offering compliance services today?

There are a couple of different ways to think about compliance. While I was working for big security providers, we had more formal compliance offerings. So, there’s the MDR, XDR, MSSP, or MSP that’s going to help you achieve compliance with PCI, HIPAA, or whatever acronym suits your needs.

Many providers use compliance frameworks such as NIST 800-171 or CMMC to drive security outcomes and communicate security maturity to their customers. They’re also using these best practices frameworks to validate their security offerings. The framework controls serve as proof points of the value and ROI their services provide. In other words, compliance is a way to show that their security services are doing what they should.

And many security providers are doing both: delivering compliance as a formalized offering and aligning their security services with framework best practices. They’re bundling compliance with security services such as network detection, vulnerability management, or Log/SIEM that address key framework controls. These services can help clients get to audit readiness better, faster, and cheaper. Or if there’s no formal audit, they can compare those services against compliance outcomes.

2. Why should providers bundle their bread-and-butter security services with compliance?

Security providers are likely already addressing compliance requirements in some way. Even if they aren’t formally targeting compliance outcomes, they’re meeting certain compliance controls by the sheer nature of their work.

I think some of these providers are missing an opportunity to go after a market they already solve for through their security offerings. They’re missing specific compliance-only buyers that may not have the people, time, or budget to manage compliance. Instead, these buyers are going through consultants for their audits, paying higher consulting fees.  

A formal compliance offering improves a provider’s value prop, making it more relatable to the customer. It’s an opportunity to boost revenue and value through more holistic offerings, and they’re already providing some of those core services.

3. What if their clients don’t have compliance requirements?

I think that’s a bad assumption. A lot of them have compliance requirements but need additional education and awareness. I think the clients sometimes avoid compliance because it’s unknown. They aren’t comfortable with it, especially the smaller companies. But by asking questions, providers can help them understand it’s not as difficult as it seems.  

Everyone is talking about cybersecurity and resilience, and they should keep talking about that. It’s been a big theme over the last few years. But compliance isn’t orthogonally different. Compliance is a subset. Yeah, it has some additional controls and procedures. But again, in most cases, security services are solving for most of those compliance controls. I think some providers are missing that.

Compliance isn’t going away. Look at some of the things the SEC has done lately and some of the regulatory filings. What typically happens is those bigger mandates get enforced and then flow down over time. PCI is probably the best example because it continues to get more and more mature. There’s less ambiguity in terms of what determines whether you’ll pass an audit.

So, providers shouldn’t walk past the market and the opportunity to expand their offerings. They should be bundling security and compliance services, possibly adjusting those services to meet the right price point, and then plugging in a platform like Apptega as the wrapper to bring it all together.  

4. What’s the benefit of using tools or technology to manage compliance?

Compliance management is often tedious, painstaking, and filled with folders and spreadsheets that can impact efficiency and productivity, wasting valuable resources and putting audits at risk.  

The right compliance tool creates a broader, differentiated offering with higher value for customers, which means more recurring revenue. Customers get stickier, churn goes down, and your net retention goes up because you’re selling them more things to help maintain compliance or improve their security postures.

A compliance platform is an add-on for managing the end-to-end compliance program. It's where assessments are done, evidence is collected, etc. Ultimately, your margins should get better if you’re using the right tools and technologies and have the right partners.

5. When bundling security and compliance, what specific services should providers focus on?

The specific services I think they should key in on are:

  • Vulnerability management as a core service. Cloud security posture management (CSPM) is an extension of that.
  • Endpoint detection and response (EDR) to protect the user.
  • Log collection and analysis to demonstrate you're collecting and reviewing logs in near real time.
  • Network visibility either on-prem or in the cloud.
  • Web application firewalls depending on their compliance vertical — PCI is one where that may be a requirement.

All of these services require 24/7 security monitoring. It shouldn’t be a product-only view. It’s not just about putting the controls in place. There’s a whole managed services side of things that needs to be layered into the conversation.

6. How should providers be pricing their compliance bundles?

Pricing can be seen in a couple of ways. Compared to customers with higher security maturity, compliance-only buyers tend to spend less. They’re looking to fortify security but may be a little more constrained.

A lot of it depends on where the customers are in their journey. Is it their first time? Have they been doing this for years? How dependent is their business on achieving compliance? Is it an ancillary part of the business, or is it core to who they are?

Try to find those customers where compliance is core to what they do — where it’s like oxygen. If they don’t have it, they can’t run their business. Those customers are more suited for an MDR or MSSP outcome because they put more value in compliance.  

Providers often struggle with thinking that buyers don’t value compliance. But it depends on who you’re talking to. A shoe company may not value it as much as someone who operates in the financial services or health care areas where there are consequences to ongoing business capabilities if there’s a breach or failed audit.  

So, pricing will depend on their maturity level and what they’re looking to get out of it. You’ve got to think about it as concentric circles where security and compliance overlap. A customer who is both security- and compliance-oriented is really the holy grail of what you want. They’re going to spend the most. Even though those services overlap, they’re going to maximize the scope and span of the control services.  

Want to learn more about how to differentiate compliance services through pricing, packaging, and positioning in a competitive market? Check out our on-demand webinar.