Infinite IT CEO’s GRC Practice ‘Revolutionized Our Business’

'It’s a business consultation conversation,' Infinite IT CEO Joe Ussia says.

A customer that paid about $150,000 to a senior director who had been fired six months earlier inspired Joe Ussia, CEO of Vaughan, Ontario-based solution provider Infinite IT, to build a governance, risk management and compliance (GRC) practice.

About six years after Infinite started the GRC route, the company is on track for $2 million in service revenue from the practice and more than 25 percent growth year over year.

“It’s revolutionized our business,” Ussia told a room of solution providers during CRN parent The Channel Company’s XChange NexGen 2024. “This is why it’s the ultimate stickiness. It’s a business consultation conversation. We always say we want to be the trusted adviser.”


Infinite IT GRC Practice

Scott Peterson, chief information security officer at Anderson, S.C.-based Cyber Solutions, told CRN in an interview that his solution provider already has the U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC) program and the National Institute of Standards and Technology (NIST) cybersecurity framework down.

Peterson said that Cyber Solutions is interested in achieving Service Organization Control (SOC) 2 compliance and that he liked Ussia’s advice around that standard.

“That was an affirmation of what we feel we need,” he said.

Infinite IT focuses more on International Organization for Standardization (ISO) frameworks, having already achieved ISO 27001 for information security management systems (ISMS) and ISO 27701 for privacy information management systems (PIMS). The solution provider is also compliant with the Payment Card Industry Data Security Standard (PCI DSS).

The solution provider is in the audit phase for SOC 2 Type 2 and ISO 20000-1 for service management systems (SMS). The company is also looking at ISO 22301 for business continuity management systems (BCMS) and ISO 42001 for artificial intelligence (AI) management systems, Ussia said.

Although achieving these standards is time-consuming, Ussia saw the extra revenue and the risk mitigation for his own business as worthwhile.

“As an MSP, we are the weakest link to our customers,” he said. “If we get compromised, it’s going to take out thousands of users and hundreds of companies. That’s a major risk.”

His advice to solution providers interested in GRC standards is to have simple policies that users can follow and execute, covering business continuity, incident response, acceptable use and other practices.

Ussia said that filling out cybersecurity insurance policy documents becomes faster once a business has achieved compliance with GRC frameworks, so solution providers should consider charging customers flat rates for that work to avoid losing revenue on billable hours.

He said that solution providers might find that they are already performing much of the information security and privacy work the standards require, so achieving them isn’t as hard as they think.

“It’s actually not that far of a derivative of what we are already doing today,” Ussia said. “It just formalizes it. … I guarantee you, overall, as a business, you are not redefining yourself. We didn’t. We just changed how we did some things.”