
How MSPs can take advantage of mind-boggling compliance requirements

Regulations can be vague, complex and difficult to navigate for many smaller businesses


The majority of people view compliance as a tick-box exercise, which makes it one of the most boring topics in cyber security. In fact, it’s often met with a collective groan whenever you start talking about it.

The main issue with compliance is that the requirements are, for the most part, poorly written and extremely vague. Companies struggle to meet all the criteria, especially when they have to comply with different requirements at the same time, and I’m pretty sure this confusion around compliance comes from the writing.

Regulations are poorly written and vague

ISO 27001, for example, aims to improve a business’ information security management. Its process includes commands like “conduct a risk assessment”, “define a security policy” and “manage identified risks”. For each of these commands, the requirements are subjective and unclear.

Another example is the Sarbanes-Oxley Act (SOX). It covers all businesses in the United States, and it isn’t much better. Section 404 vaguely states that all publicly traded organisations have to demonstrate “due diligence” in the disclosure of financial information, but doesn’t explain or give any detail about what “due diligence” means.

The Gramm-Leach-Bliley Act (GLBA), meanwhile, demands that US financial institutions explain their information-sharing practices to their clients. It tells financial organisations that they have to “develop a written information security plan”, but the regulation doesn’t offer any advice on how to do that.

Finally, even Lexcel in the United Kingdom, a compliance regulation written by lawyers for lawyers, isn’t clear: "Practices must have an information management policy with procedures for the protection and security of the information assets." For a profession that prides itself on maintaining absolute clarity, I’m quite surprised Lexcel allows this kind of subjectivity in its requirements.

Writing for such a wide audience isn’t easy

It’s true that drafting compliance documents can be tricky, and it isn't easy to write regulations that need to be applicable to all organisations within a particular field. Organisations, for instance, have differences in the way they do business, as well as variations between their IT infrastructures. Writers are also against the clock with compliance; regulations are changing so fast that requirements written today might be out of date tomorrow.

However, some regulations are perfectly clear. Those who write compliance requirements should take note of PCI DSS, to name an example. PCI DSS applies to all organisations that store cardholder data. It’s clear, regularly updated, and everything you need is in one place. Its structure, in terms of requirement, testing procedures and guidance, is a lot clearer than anything else I’ve seen, and there’s very little room for subjectivity.

Another example is the General Data Protection Regulation (GDPR), which is also well-written and detailed. The many articles referring to data protection are specific and implementable. For example, with regards to data access, this passage is totally clear: “Unauthorised access also includes accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, stored or otherwise processed”. 

Compliance is truly universal

Trying to comply with multiple mandates can quickly become complex. This is why you need to have a good strategy in place. If I can give you one tip, it would be to find the overlaps and commonalities between different regulations before coming up with your strategy.

MSPs can easily step in at this point to assist small and medium-sized businesses (SMBs) struggling to make sense of the different regulations they’re subject to. Compliance requirements that apply to the largest enterprises also apply to the smallest firms, and they will be trickier to navigate for smaller companies with limited resources. Only around half of MSPs currently manage their customers’ compliance obligations, so it’s a no-brainer for those looking to increase revenue, margins and client loyalty, and to differentiate themselves a little more.

To take advantage of this trend, you have to understand that at the core of any compliance mandate is the desire to keep protected data secure, only allowing access to those who need it for business reasons. This is why all you need to do with compliance is to start with the basics: data storage, file auditing and access management. Get these right for your customers, and they’re on their way to demonstrating their willingness to comply.

François Amigorena is the founder and CEO of IS Decisions  
