How Compliance as a Service Can Drive MSP Growth

This is a really interesting time. For MSPs, this year is all about diversifying. New MSPs are coming into the market, which creates more competition. Many MSPs are therefore considering how they can differentiate themselves and stand out from the crowd—for example, by offering new services. But it’s still a very buoyant market—at Kaseya, we’re seeing 16.5% organic growth on some very large revenue, reflecting growth in the MSP channel.

“You can no longer stand out by saying: ‘We’re a great company, we have been around for over 50 years.’ Customers want to know how you are going to make a difference to their operations.”

One of the challenges for MSPs is not knowing their position in the market. This affects how they package, price and position themselves, and how they communicate value-add to their customers. They need to not only focus on the technology, but more importantly emphasize the tangible business outcome they can achieve for their customer. Ultimately, that is what SMBs and SMEs want. As an MSP, you can no longer stand out by saying: “We’re a great company, we have been around for over 50 years”. Customers and prospects are not interested in your service level agreement– that’s a given today. Instead, they want to know how you are going to make a difference to their operations. Now is a great opportunity to diversify as an MSP—otherwise you will lose market share.

“Often, the main reason that an SMB or SME switches MSP is not because of poor service. It’s because their MSP doesn’t provide the tools, technology or service that they need to do business with clients who are heavily regulated.”

CaaS represents a significant opportunity for MSPs. On average, CaaS is running at about 70% profitability, which is huge. We still see some MSPs with 10%, 15%, 20% profit margins, so to be able to tap into something that offers so much more profitability is great. At a higher level, it’s also what their customers need: even smaller businesses now need to be able to demonstrate compliance.

In the enterprise space—particularly in tenders and RFPs—anybody who wants to win business today must show they take compliance, cybersecurity, and cyber resilience seriously. Enterprises need to have robust supply chain management, for example, and ensure that the businesses they are dealing with are aware of the risks and are managing frameworks—such as DORA, NIS2, GDPR, and HIPAA.

Often, the main reason that an SMB or SME switches MSP is not because of poor service. It’s because their MSP doesn’t provide the tools, the technology, or the service that they need to do business with clients who are heavily regulated. If, as an MSP, you start to pivot now, you can get ahead of the curve and minimize the risk of losing customers.

The main benefits are profitability and retaining customers. There’s also the upsell and cross-sell opportunity within your existing book of business: it’s always more cost efficient to sell to your existing customer base than go after new prospects. That said, promoting that you are offering CaaS is also a great way to attract new business.

In most cases, you will find areas where a business can improve against NIS2, DORA or other compliance frameworks. It’s a great way to say: ‘We’ve identified this issue; we can help manage and fix it or offer you a project to remediate the risks we’ve identified’. Like co-managed IT, CaaS is a great way to diversify and protect your revenue stream and retain clients.

“Do you have the skillset to deliver CaaS today? The answer is probably no, not right now. But there are ways to address that.”

You need to fully assess where you’re at as an MSP at the moment. Do you have the skillset to deliver this today? The answer is probably no, not right now. But there are ways to address that. Ask yourself: “How do I upskill my internal resources, or should I outsource elements of this?” For example, can you outsource the penetration testing elements of CaaS to a specialized team?

Overall, I think the benefits outweigh the negatives. This market will be worth $75 billion by 2028. At Kaseya, we want our partners not just to be aware of the opportunities, but to also tap into those revenue streams so that they can grow and scale their business.

There are a huge number of opportunities for MSPs to pivot and diversify. First, you need to assess where your business stands regarding CaaS. As an MSP, are you internally complying with regulations? Look at your internal skillset—do you have the capabilities, time, and resources to offer this as a service? Once you have a benchmark, you can decide.

There are hundreds of companies to consider partnering with. For example, if an MSP included Vonahi—Kaseya’s automated penetration testing—in their CaaS stack, that wouldn’t require any additional resources because it goes to a fully accredited pen-test team that is CREST-certified, and you get the report back. There’s an abundance of ways that you can tap into this market. You don’t have to hire expensive resources—instead you can outsource many of those services. MSPs are packaging, bundling and acting as the front-of-house for delivery of those services.

“It’s important not to get hung up on the frameworks themselves. It’s the processes and business procedures and security within those frameworks that are important.”

The flagship frameworks in EMEA are currently NIS2, DORA, and GDPR. However, depending on who your customers are, it’s important not to get hung up on the frameworks themselves. It’s the processes, business procedures and security within those frameworks that are important. It might be that you do a project and tick boxes in six frameworks just by doing one element. That could be anything from two-factor authentication to disabling USB or deploying policies across Office 365.

These frameworks encourage businesses to stop, review the issues they raise, and make an educated business risk analysis. Sometimes you don’t even need to apply a framework. You might say, “We’ve looked at this and we do not believe this is a significant enough risk to undergo the necessary procedures to mitigate it.”

“Don’t think you can do it overnight and certainly don’t think you can do it on your own.”

Don’t rush the process. You need to adapt, pivot, and change now; but don’t think you can do it overnight and certainly don’t think you can do it on your own. Leverage your relationships—whether that’s with other vendors or with other MSPs—because they might already be experts in that particular field. There are very niche skillsets within compliance, so it could be challenging for an MSP to cover them all by themselves. Therefore, assess your existing needs and leverage your relationships in the market.