85% of managed service and security providers face significant challenges maintaining compliance for customers, with lack of resources, expertise, or technology cited as the most common roadblocks to offering managed compliance, according to Apptega.
That being said, the survey also found that 87% of respondents are open to delivering compliance services through a compliance automation platform, but only about half of these providers are currently doing so. When considering that 70% of managed service and security providers are targeting at least double-digit recurring revenue growth, it’s clear they are leaving money on the table when it comes to leveraging their compliance offerings to help meet aggressive business growth goals.
“A golden era of seemingly unfettered growth in managed services is slowly coming to an end in 2024 as we now appear to be entering a phase of consolidation, M&A, and private equity-backed rollup where only the strong balance sheets will survive and only the differentiated will thrive — or successfully exit,” said Dave Colesante, CEO at Apptega.
Security providers still rely on spreadsheets to track compliance
While 80% of the surveyed providers provide some form of compliance offering, many only offer compliance in an advisory capacity and only 15% offer compliance primarily as a managed service.
While providers recognize the benefits of continuous compliance and are interested in offering the service, nearly half receive less than 10% of their revenue from compliance services and only 26% generate more than a quarter of their revenue from compliance services.
3 out of 4 respondents view compliance as a “high growth” business and 86% are interested in continuous compliance as a service offering for their clients.
Although using spreadsheets to manage cybersecurity compliance is an outdated approach, more than half of providers are still using spreadsheets to track, measure, and report on cybersecurity compliance for their clients.
“Clearly, managed compliance represents a lucrative opportunity for the relative few services and security providers equipped to offer it,” said Christopher Yula, VP of Sales & Strategy at CyberSecOp. “Unfortunately, most lack the technology, resources and know-how to deliver an impactful assessment and follow-on program.”
Smaller providers are more likely to offer compliance services
Those with fewer than 100 employees offer compliance at a rate 8% higher than those with more than 100 employees. They outnumber the larger providers by 26% for managed compliance services.
Cybersecurity frameworks are a crucial tool for helping organizations evaluate their security postures and meet compliance standards, but nearly 40% of respondents said they don’t offer framework-based services. Of the ones who do, 90% are providing consulting and analysis, 81% provide risk scoring and remediation, and 70% are providing framework mapping, consolidation, and crosswalking.
ISO 42001 — the new artificial intelligence management system standard — is currently managed by only 19% of security providers offering framework services (12% of all providers). The most common frameworks among the 61% of security providers offering these services include CMMC, HIPAA, and NIST 800-171.
The State of Continuous Compliance Report is based on a survey from March to May of 2024 of practice leaders and senior operators at 115 providers that offer security services.