MSPs Need To ‘Know Where You Want To Play’ On Compliance Standards: Consultant

MSPs can get into trouble when they ‘tell their clients they do all of this—and that’s just not true,’ says Point Solutions Group CEO Paige Goss.

MSPs can “get into trouble” when they don’t focus on a compliance standard to use as the foundation for their security program, according to Point Solutions Group CEO Paige Goss.

Speaking to an audience of MSP executives Tuesday, Goss, who is also the founder of the Denver-based consultancy, said the key for MSPs is to “know your strengths.”


“Where do you want to play? What are you not going to play? You can’t do everything,” she said during XChange Security 2024, which is hosted by CRN parent The Channel Company and is taking place this week in Dallas. “Doing everything, in my opinion, is a recipe for disaster.”

Among key compliance standards—such as NIST, ISO, SOC, CMMC and HIPAA—there are different advantages with each. More important than the particular standard, however, is to pick an area to focus on, Goss said.

“The thing that I see most MSPs and MSSPs—where they get in trouble—is they tell their clients they do all of this. And that’s just not true,” she said.

“The ultimate value for you as an MSP and MSSP is to know where you want to play and do it really well. And then find a way to get folks like myself [and] other companies involved in that process and involved in the delivery of a really good security program,” Goss said.

Joe Ussia, CEO of Infinite IT Solutions, a Vaughan, Ontario-based MSP, said he thinks Goss offered some terrific advice when it comes to picking a standard.

“You can’t be a master of everything. So pick your place and know your strengths and what you can and cannot do,” Ussia said.

While Infinite IT is SOC 2 Type 2-certified, the MSP has also achieved ISO certifications in order to reach a global audience of customers, he said. “I can take those certifications to any country, anywhere, and everyone recognizes it.”

Goss also emphasized the opportunity for MSPs to use compliance certifications as a revenue driver.

“Whatever the standard is, this is a revenue-adjacent move—not only for your clients, but also for you,” she said. “Let’s stop looking at them as, ‘We’re managing risk.’ [Security is] supporting revenue generation.”

Ultimately, security teams should be making the case to management that “you’re helping them generate revenue,” Goss said. “It’s a much different conversation than, ‘I have an insurance policy and I’m going to check a box.’”