Acer America
Acer America Corp. is a computer manufacturer of business and consumer PCs, notebooks, ultrabooks, projectors, servers, and storage products.

Location

333 West San Carlos Street
San Jose, California 95110
United States

WWW: acer.com


News & Articles

August 21, 2024

Compliance is More Than an Add-on, It’s a Moneymaker for MSPs

Learn how mastering regulatory compliance can turn your MSP into a profit powerhouse—while keeping you ahead of the looming federal regulations. Don’t miss these insider tips from ChannelPro DEFEND: East!

IT providers with a strong understanding of compliance have a major competitive advantage in the marketplace. We quizzed industry experts Mike Semel of Semel Consulting and Leia Shilobod of CompliancyIT about it at ChannelPro DEFEND: East in Iselin, NJ. They shared some of the best ways to incorporate compliance consulting into a winning MSP portfolio. 

Below is their advice, edited for brevity.


Capitalizing on Compliance: The First $30,000

“When I first got into regulatory compliance, my passion was driven by money. In 2003, I learned about HIPAA. It was the first time an entire industry was going to be regulated for cybersecurity. And that realization blew my mind. I immediately invested in training, spending about $3,000 on a class, airfare, and accommodations. When I returned, we marketed ourselves as HIPAA specialists. We didn’t change what we sold as an MSP, but we adapted our language to align with the regulations, calling our services HIPAA-compliant.

Mike Semel

“The results were incredible. The first deal I closed was a $30,000 assessment for a county. This approach put us on the map. Since then, we’ve made a ton of money through compliance — not just with HIPAA but also with other regulations in financial services and beyond.

No Excuses! Become Compliant Yourself

“Now, I’m a CMMC assessor at the highest level, and the money continues to flow. But I always caution MSPs: Before you dive into offering compliance services, make sure your core services are truly compliant. I’ve seen too many MSPs who fail to deliver even basic services correctly, leading to clients failing their assessments. For example, I’ve had clients where all their systems were running unsupported operating systems, despite their MSP assuring them everything was patched and up to date. It’s not just about doing the work; you need to have the documentation and evidence to back it up. You can do everything right, but if you can’t prove it through consistent reporting and documentation, you’re going to fail.”

It Doesn’t Matter If It Isn’t Compliant

“One of the biggest challenges is that compliance isn’t just a set of rules; it’s a way of doing business. It’s your responsibility as an MSP to understand your clients’ compliance requirements and ensure that your services meet those standards. For instance, when it comes to PCI compliance, there’s a requirement to segment the network for systems handling cardholder data. If you’re not aware of this and don’t implement it, your client isn’t compliant, even if everything else is secure. Compliance is more than just delivering IT services; it’s about ensuring those services align with the specific regulatory requirements your clients are subject to.

“The FTC Safeguards Rule, which is only about 3 years old, is a perfect example of how regulations are expanding to cover more industries than ever before. Businesses that were never regulated before — like real estate appraisers and financial aid offices — now have compliance obligations. As MSPs, it’s our job to stay informed and make sure our clients are aware of their responsibilities.”

Far More Regulations are Coming

“Compliance [is] coming for our entire industry. We’re on the brink of being the first federally regulated MSPs. That’s historic. The federal government has finally realized the critical role we play in national infrastructure, and they’re moving to ensure we’re properly regulated. This is why you need to get serious about compliance. It’s becoming a mandatory part of doing business.

“One final point: The stakes for noncompliance are high. Under the False Claims Act, if you defraud the government and get caught, you have to pay back three times what you took.

“[There is] potential for massive financial damage if you or your clients aren’t compliant. This applies to defense contractors under CMMC [as well as] any organization doing business with the federal government, including doctors and dentists who accept Medicare. Noncompliance in these cases can be considered fraud. And that’s a serious legal risk.

“Before you think about offering compliance services, make sure you’re delivering compliant services. Understand the regulations, document everything, and make sure your clients know the importance of compliance. It’s about protecting your business and your clients in a rapidly changing regulatory landscape.”


From MSP Startup to Compliance Powerhouse: My Unexpected Journey

“I started my MSP back in 2006, and as time went on, I found myself increasingly focused on compliance. Many of my clients were in manufacturing and needed to meet various regulatory requirements. I quickly realized these weren’t just arbitrary demands but essential controls that had to be implemented. This led me to develop managed cybersecurity compliance programs, which have since become the most rewarding part of my business.

Leia Shilobod

“Today, in addition to running my MSP, I sell monthly recurring revenue by managing cybersecurity compliance programs for companies across the United States. It’s central to our business. I also coach other MSPs on how to build and deliver these services.”

Billing Trick That Will Skyrocket Your Profits

“One key piece of advice I always give is to treat compliance management as a separate line item on your agreements, rather than bundling it into your existing offerings. This highlights its value and ensures that you’re properly compensated for the work.

“I’ve seen the power of this approach. One of the MSPs I coached had large accounts requiring HIPAA compliance but no formal program in place. After aligning his services to meet compliance requirements, he quickly saw financial benefits. He was surprised after selling $20,000 worth of compliance management services and realizing the challenge of delivering on those promises. But, as I told him, that’s a great problem to have.”

Compliance Isn’t Just Profitable — It’s Survival

“We need to fully understand the regulations and ensure our services align with them. Compliance is coming to every one of our businesses by the federal government, recognizing the risk we pose to critical infrastructure. Soon, MSPs will be federally regulated, and we must be prepared. Ignoring this responsibility puts both our clients and our businesses at significant risk.

“We must also remember that we are custodians of our clients’ data. The information we manage doesn’t belong to us; it belongs to them. This mindset is crucial for understanding the importance of compliance. Like doctors who handle patients’ data, we need to take our role seriously. Compliance management is a separate, valuable service — not something bundled into a general seat price. This approach is more transparent and more profitable, with services ranging from $1,200 to $5,600 per month depending on the scope.”


READ MORE

  • Mike Semel shares critical insights into NIST and CMMC that your MSP needs to know about.
  • Leia Kupris Shilobod explores compliance sales techniques that can transform an IT services business.
