6 Ways to Scale Your MSP with Compliance Services

December 5, 2023

The managed service provider (MSP) market is booming, with estimates it will grow from its current size of nearly $276 billion to more than $372 billion by 2028. But with growth comes more competition -- and consolidation -- and, increasingly, MSPs are looking for ways to differentiate themselves by offering more client value. One way they’re doing this is by expanding their offerings to include compliance-as-a-service (CaaS) solutions. 

That, in turn, is driving growth in the CaaS market, which is expected to reach nearly $75 billion by 2028, more than doubling the 2020 market size of $32 billion. This increasingly popular option for MSPs is driven in part by rapidly changing client demands and more expectations for comprehensive services from a single provider. Many MSP clients, especially small- and mid-sized businesses (SMBs), find it challenging to meet increasingly stringent cybersecurity and compliance requirements. Without the resources to manage this themselves, they’re handing the daunting task of compliance over to MSPs. 

It's a light bulb moment for MSPs looking for ways to evolve and scale their business. More than 60% of respondents in a recent CompTIA survey indicated they have a strong outlook about adding premium services like compliance and cybersecurity to their portfolios. And as the CaaS market continues to grow, expect to see even more MSPs shift to this business model. 

Why are MSPs Doing This? 

Beyond market opportunity and the drive to outperform competitors, there are a number of reasons why MSPs are moving into CaaS services. First, it just makes sense. Building on existing expertise and resources, MSPs are uniquely poised to offer CaaS. And by drawing from existing client relationships, it’s easier for MSPs to expand offerings in this direction to add more client value by reducing risk of compliance violations, improving security and compliance posture, increasing efficiency and productivity, and reducing costs. 

Other benefits include: 

  • Increased revenue opportunities: Compliance services are a growing market. MSPs that offer these services will be well-positioned to capitalize on this momentum and generate more recurring revenue.
  • Margin expansion: Cybersecurity and compliance services generally have higher margins than traditional IT-based MSP services. They're also, due to their nature, typically recurring.
  • Client retention: More service offerings lead to happy clients who are more likely to expand existing relationships with an MSP. 
  • Brand enhancement: As a trusted provider of compliance services, MSPs can enhance their reputation, increase brand awareness, and attract new clients. 

But Is it Worth It? 

But just because everyone else is doing it, doesn’t mean making the shift is right for your business model. How can you evaluate the opportunity? There are a few key metrics to help measure potential impact: 

  • Annual recurring revenue (ARR): After performing the initial compliance assessment, track how many ultimately convert to longer-term, continuous CaaS relationships.
  • Margin: Evaluate the margin on compliance services against your existing services. 
  • Client satisfaction and retention: Track your current client retention rate and compare that against the retention rate after adding CaaS.  
  • Ask your clients: Establish qualitative metrics and get feedback from your clients to gauge value-add for these new services.  

Some other key metrics to track and measure over time: 

  • Number of identified and mitigated compliance violations  
  • Number of successful compliance audits and certifications 
  • Total CaaS-generated revenue 

Making the CaaS Move 

After evaluating some of these key metrics, you may feel like shifting into compliance will create new growth opportunities for your business. But how do you get there? How do you continue to meet existing client needs by providing quality, effective services, attracting new clients, and expanding into the CaaS business? Here are 6 ways to evolve your MSP business model to include new compliance services.  

1. Assess your current capabilities. By assessing your current capabilities you can identify your strengths and discover gaps that need attention before offering compliance services, which will save you time and money in the long run.


  • What are you doing well now and why is it effective? 
  • Are there any niches or specific industries where your services offer the most value?
  • What are the capabilities of your existing team members?
  • Technical skills: Which compliance-related technologies do your team members work with? Do they have experience using automated cybersecurity tools, data loss prevention (DLP) solutions, and other compliance software?
  • Compliance experience: Do your team members have experience working with specific compliance frameworks, such as HIPAA, PCI DSS, or GDPR? What is their role in ensuring your business is compliant with all relevant requirements? Do they have a solid understanding of the latest compliance requirements in your target industries?
  • Which compliance services can your employees effectively manage?
  • Do you need to hire new team members, adopt new technologies, provide training, or partner with other organizations to add expertise to your business?
  • Which gaps do you need to address? 

2. Identify your target market. Identifying a target market will help focus marketing and sales on organizations most likely to need CaaS.


  • Which industries or organizations are most likely to need these services? 
  • Which industries are most highly regulated? 
  • Which industries are facing the biggest compliance challenges?
  • What size business do you want to serve: SMBs, large enterprises, or both?
  • Are you targeting local businesses, regional businesses, national businesses, or a combination?

3. Develop a service portfolio. Developing a service portfolio will help position your MSP as a trusted provider of compliance solutions. It will also help market new services to potential clients. Decide which compliance services you will offer and package them in a compelling format for your target market.


  • Risk assessments to help organizations identify and assess compliance risks. 
  • Gap analysis to uncover weaknesses between current compliance posture and target compliance posture. 
  • Compliance remediation to help organizations implement industry-recognized frameworks, controls, and processes to ensure compliance. 
  • Continuous monitoring of client compliance posture.  
  • Proactive identification and resolution of potential problems before they impact operations. 

4. Build a competitive pricing model.Pricing compliance services is challenging. You need to be sure you’re setting a fair and competitive price, but are also able to make a profit.


  • How much does it actually cost (labor, technology, and resources) to provide each new service?  
  • How much value (reduced compliance penalties, decreased risk, improved posture, more efficiencies) does it provide for your clients?  
  • How much do your competitors charge for these services? 

5. Invest in training and certifications. By investing in training and certifications, you can ensure your team has the necessary skills and knowledge to deliver CaaS.


6. Market and sell compliance services. Marketing and selling compliance services will help you generate revenue from the new offering. 


  • Developing a marketing plan for compliance services that targets your markets and the organizations most likely to use them.  
  • Developing a sales process to close compliance deals. 
  • Working with your sales team to help them with upselling strategies for existing clients. 
  • Partnering with other businesses (for example, law and accounting firms) that can help spread the word about your services to their clients.
  • Developing a client education strategy about compliance violation risks and compliance benefits.
  • Pinpointing what makes your MSPs different from other CaaS providers. 
  • Using omnichannel marketing strategies (social media, blogs, email, downloadable guides and eBooks, partner or channel marketing)
  • Establishing metrics for marketing qualified leads 

You can use these six steps as a foundation to build your CaaS strategy. Other helpful tips: 

  • Focus on your expertise. 
  • Focus on value. 
  • Offer free consultations about tangible service benefits. 
  • Make it easy for new clients to buy your services (for example, concise sales processes and simple online sign-ups).


It’s Not Over… 

Once your program is up and running and your sales team is closing new deals, it’s not the time to step back and start counting all the revenue rolling in. Your compliance program success will hinge on client service, both for existing clients and new ones. 


  • Offer comprehensive client onboarding and technical support. 
  • Provide training and education as needed. 
  • Offer omnichannel, always-available client engagement methods. 

Lead by Example 

As an MSP, you’ll be responsible for managing client IT infrastructure, and user access. These clients expect you to keep their networks, systems, and data safe and ensure they’re meeting all compliance requirements. What better way to demonstrate you can do what you say you can than leading by example and building a compliance culture in your own business? 

  • Adopting industry-recognized frameworks, controls, and best practices can improve your cybersecurity and compliance programs. 
  • Clients are more likely to trust a compliant MSP over those that aren’t.  
  • Demonstrating compliance and meeting industry standards can build your business as reputable and trustworthy.  
  • By acing your own audits and earning relevant compliance certifications, you can build confidence that your team knows what to do to help clients prepare for — and ace — all of their compliance audits. 
  • By reducing your own risk of breaches or data loss, you can demonstrate to your clients you take cybersecurity and compliance seriously for yourself and for others. This can also reduce the likelihood of your own compliance fines or penalties, as well as the chance you’ll be held accountable if a client has a breach or other security incident. 
  • Using compliance technologies, for example, those that automate framework implementation and control management, can streamline processes, and reduce overhead, resource usage, and time spent on manual, tedious, repetitive tasks. This increases efficiency and productivity without overextending your already busy staff. 

Ensuring Your Own Compliance 

To set your lead-by-example foundation, you’ll need to ensure you’re meeting all relevant compliance standards and regulatory requirements. Here are a few ways to do that:  

  • Identify relevant standards. 
  • Assess your current compliance posture, identify gaps between your current posture and compliance requirements, and make an action plan to mitigate them within an appropriate timeframe. 
  • Develop a compliance plan for your business that outlines steps to achieve compliance. 
  • Implement your plan including developing, updating, and documenting policies and procedures, implementing new cybersecurity and compliance technologies, and educating your staff. 
  • Monitor and maintain compliance with regular policies and procedure reviews, security controls testing (both internal and via third parties), and ongoing, training about compliance requirements and procedures. 

Are You Ready for the Next Evolution of Your MSP? 

With the right planning and forethought, you can successfully evolve your business model to offer new compliance services and reap the benefits that come with it. If you’re just getting started on this journey, consider partnering with an MSP cybersecurity and compliance consultant like Apptega to evaluate your existing services, identify growth opportunities, and help implement and manage your new CaaS strategies.  

Apptega’s compliance platform has the tools and resources you need to assess your compliance posture and the posture for all of your clients, develop compliance plans, implement and manage compliance frameworks and controls, and monitor and maintain compliance.  

With the power of Apptega, your MSP will be able to: 

  • Conduct risk assessments to identify compliance risks. 
  • Conduct gap analyses to identify any gaps between current compliance posture and target posture. 
  • Develop, implement, document, and store compliance policies and procedures. 
  • Implement and manage technical controls, such as firewalls, intrusion detection systems, and data loss prevention systems. 
  • Conduct compliance training. 
  • Continuously monitor compliance for all your clients — within a single platform. 
  • Reduce risk of non-compliance and the associated fines and penalties. 
  • Increase client trust by demonstrating your commitment to compliance. 
  • Become a trusted provider of compliance services. 
  • Attract new business. 
  • Increase revenue by selling compliance services to existing and new clients.