How MSPs can take advantage of mind-boggling compliance requirements

frustrated man with steam coming out of his ears

The majority of people view compliance as a tick-box exercise, which makes it one of the most boring topics in cyber security. In fact, it’s often met with a collective groan whenever you start talking about it.

The main issue with compliance is that the requirements are, for the most part, poorly written and extremely vague. Companies struggle to meet all the criteria, especially when they have to comply with different requirements at the same time, and I’m pretty sure this confusion around compliance comes from the writing.

Regulations are poorly written and vague

ISO 27001, for example, aims to improve a business’ information security management. Its process includes commands like “conduct a risk assessment”, “define a security policy” and “manage identified risks”. For each of these commands, the requirements are subjective and unclear.

Another example is The Sarbanes-Oxley Act (SOX). It covers all businesses in the United States - and isn’t much better. Section 404 vaguely states that all publicly-traded organisations have to demonstrate “due diligence” in the disclosure of financial information, but doesn’t explain or give any detail about what “due diligence” means.

The Gramm-Leach-Bliley Act (GLBA), meanwhile, demands that US financial institutions explain information-sharing practices to their clients. We can find that financial organisations have to "develop a written information security plan” but the regulation doesn’t offer any advice on how to do that.

Finally, even Lexcel in the United Kingdom, a compliance regulation written by lawyers for lawyers, isn’t clear: "Practices must have an information management policy with procedures for the protection and security of the information assets." For a profession that prides itself on maintaining absolute clarity, I’m quite surprised Lexcel allows this kind of subjectivity in its requirements.

Writing for such a wide audience isn’t easy

It’s true that drafting compliance documents can be tricky, and it isn't easy to write regulations that need to be applicable to all organisations within a particular field. Organisations, for instance, have differences in the way they do business, as well as variations between their IT infrastructures. Writers are also against the clock with compliance; regulations are changing so fast that requirements written today might be out of date tomorrow.

However, some regulations are perfectly clear. Those who write compliance requirements should take note of PCI DSS, to name an example. PCI DSS applies to all organisations that store cardholder data. It’s clear, regularly updated, and everything you need is in one place. Its structure, in terms of requirement, testing procedures and guidance, is a lot clearer than anything else I’ve seen, and there’s very little room for subjectivity.

Another example is the General Data Protection Regulation (GDPR), which is also well-written and detailed. The many articles referring to data protection are specific and implementable. For example, with regards to data access, this passage is totally clear: “Unauthorised access also includes accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, stored or otherwise processed”.

Compliance is truly universal

Trying to comply with multiple mandates can quickly become complex. This is why you need to have a good strategy in place. If I can give you one tip, it would be to find the overlaps and commonalities between different regulations before coming up with your strategy.

MSPs can easily step in at this point to assist small and medium-sized businesses (SMBs) struggling to make sense of the different regulations they’re subject to. Compliance that applies to the largest enterprises also apply to the smallest firms and will be trickier to navigate for smaller companies with limited resources. Only around half of MSPs currently manage their customer’s compliance obligations, so it’s a no-brainer for those looking to increase revenue, margins, client loyalty and to differentiate themselves a little more.

To take advantage of this trend, you have to understand that at the core of any compliance mandate is the desire to keep protected data secure, only allowing access to those who need it for business reasons. This is why all you need to do with compliance is to start with the basics: data storage, file auditing and access management. Get these right for your customers, and they’re on their way to demonstrating their willingness to comply.

François Amigorena is the founder and CEO of IS Decisions