We’ve talked about what you are doing wrong when it comes to compliance and why you should care, so now it’s time to talk about how an MSP can benefit from this important piece of the engineering puzzle.
People, process, technology. Getting all the right people in place can be a struggle, but partnering with compliance experts will help to bring forward the compliance regulations that your clients need. These compliance organizations are able to walk you and your client through an evaluation process that will help the client to better understand where they stand. They’ll know where your client is doing well and where they’re struggling, which is beneficial to you as an MSP; you can build project work out of the areas where they need help.
Do you suffer from headaches caused by clients that don’t listen to your advice? Alleviate the pain by taking the time to explain your work to them. Saying something needs to be done because “it’s best practice” is only going to frustrate your client. When you explain the purpose of the control, however, it makes a significant difference. Similarly, rather than telling your client, “You need to do X, Y, and Z,” try saying “Per CMMC guidelines, you need to do X, Y, and Z, otherwise you’ll be out of compliance.” They’ll be intrigued to learn more and, ultimately, they’ll care.
Think about it this way: you don’t have to justify to a business why they need to lock their doors at night. It’s something that every business already knows to do in order to minimize risk. It’s the same situation with compliance. Just like locking your doors at night is best practice, so is compliance. As MSPs, we need to be teaching our clients to secure their technological perimeter. Remember: it’s not intuitive to them because they don’t understand the “why” behind it.
The problem with engineers explaining the “why” behind things like compliance, however, is that sometimes…we just aren’t great at it. That’s why there is a standard set of rules that has been established to ensure that at least the minimum is done. There are organizations out there that act as frameworks, guidance, tool sets, etc., and some of these organizations have fully-defined governing bodies just like a CPA or a law firm. These governing bodies are able to not just educate, but also enforce and attest to important compliance needs.
In my time as an engineer, if a client wanted to do business with me, they were well aware that I had a minimum set of standards to adhere to. This transparency ultimately built trust with those clients. However, if you only do checkbox compliance and that client experiences a breach, nothing is going to save you from the lawyers.
This is why we are pushing a twofold compliance message: resilience and defensibility. Resilience is built by putting in that identification piece to show where stuff is happening. Defensibility requires documentation that proves what you do, demonstrates your business practices, and explains how it adheres to a framework or a set of controls.
Ultimately, compliance is all about making things easier for the clients. When you don’t focus on making meaningful changes in your clients’ lives – you simply show up to put the PC, monitor, mouse, and keyboard where you are supposed to – you are not acting as an engineer. You are doing basic maintenance and controls. Installing PCs isn’t what we, as engineers, are intended to do. We are here to augment business strategy using pieces of technology. When you solve problems that the client actually cares about, you’ll see your revenue and success skyrocket.