A Baltimore-area MSP for over 20 years was so impressed by the potential of the compliance market that he sold his company, and set up a new one to offer services, including compliance-as-a-service, through a channel of MSPs.
LAS VEGAS – Compliance is an offering where demand is growing steadily, but which few MSPs have the expertise or resources to offer themselves. The potential of security services integrated with compliance so intrigued Steve Rutkovitz that it led him to sell his long-established MSP in suburban Baltimore, and set up a new company, Choice CyberSecurity, in partnership with his daughter, which was designed to provide these complex services to customers through an MSP channel. Rutkovitz was here at CompTIA ChannelCon this week to impart his message to MSPs.
Rutkovitz was CEO of MSP Choice Technologies for over two decades, where he developed his perspective on the issues and opportunities around compliance.
“I realized companies were winging it when it came to security compliance,” he said. “I had medical health clients, and with managed services, they needed to be really organized and really have a repeatable process. Instead, it was all over the board and very unstructured. So we put together a plan at the old company to put together a price and a structure. The assessment is really the key. Once you get the results, you can see what good things are in place and what gaps are missing. You can then put together a plan in assessing them – assess, address and maintain. That became a repeatable process that we teach.”
Rutkovitz noticed that while regulatory requirements once revolved around a limited set of medical and financial laws, they broadened out considerably, and also came to encompass a mix of best practices and guidelines.
“I realized that security and compliance understanding had to go hand in hand to deal with this, and that this business would be bigger than my managed services business,” he said. “To be really good at this, I had to let go of the managed services. So when my biggest competitor came to me out of the blue and asked to buy that business, I agreed – providing I could carve out the security compliance business scot-free. That was no problem, because they didn’t see its potential at the time, although they do now. I also wanted to keep the Choice name in some format. So we agreed on all of this, and I sold the managed services company, and stayed there part-time for a period to make sure that the employees and customers seamlessly went over.”
With carte blanche to set up the security and compliance business, Rutkovitz did that with the rest of his time – going into partnership with his daughter Alex, who became the COO of Choice CyberSecurity.
“Risk security and assessment require a lot of writing,” he said. “She was good at that, and I wasn’t. So that’s how the business evolved.”
Rutkovitz said that while other companies, including some large ones, offer compliance solutions for MSPs, they don’t pose a true threat to the type of service that Choice CyberSecurity provides MSPs.
“Most MSPs don’t have one type of client – they have a mix,” he said. “To be in this space, you have to be able to handle whatever comes next. A single MSP might call us for GDPR one day, medical the next, and financial the next, and we can help them with whatever they have. Solving their problems can’t be done with a pinpoint solution. You have to come into a company at a much higher level above products and people.”
Solving customer problems here requires navigating a web of security, compliance and privacy laws, best practices and guidelines.
“We can help MSPs figure out what framework to put in place and know what controls to measure against,” Rutkovitz said.
Choice CyberSecurity offers three buckets of customizable services.
“The first is risk and compliance assessment services, and we think we have the best out there,” Rutkovitz said. “The second is security-as-a-service. Most MSPs have Security 1.0 with firewalls, AV and patch management. We provide Security 2.0 with a SOC, SIEM and advanced vulnerability scanning, and we help them build that suite of products out.”
The third set of services, which is the fastest growing, involves what Rutkovitz calls compliance-as-a-service.
“Few MSPs are able to offer these on their own,” Rutkovitz said. “Either the MSP has to train up security people – and keep them. And then they have to be experts not in one area of compliance but fifteen. We have built a team of five skillsets, and deliver it as a single service – in the same way that an MSP delivers PCs, servers and help desk as one service. I took the model of what I learned as an MSP, and moved it over to security and compliance, so MSPs can provide these services in a few days.”
Choice offers multiple ways for MSPs to use their services.
“We can white label under the MSP brand,” Rutkovitz said. “Or the MSP may want to present an expert third party, so we can come in as an independent and get paid on that. What they don’t want is someone from outside coming in and throwing them under the bus, and we don’t do that. We protect both the MSP and the client. If, for example, we see a password problem, we tell the MSP to get it fixed, and then we rescan.”
Given the focused nature of their compliance offerings, Choice likes to work closely with their partners.
“We aren’t looking for thousands of partners,” Rutkovitz indicated. “We have about 100 in the U.S. and Canada today, and we work closely with them.”
Their partners include a broad range of partner types.
“At one end of the spectrum there are larger MSPs and at the other, there are one to three-man shops,” Rutkovitz said. “The little ones love us because they can offer really big services to their customers. We also have sophisticated high-level MSSPs, but who don’t have compliance, and we have others in between.”
Rutkovitz drew on another analogy from his MSP days to explain how Choice’s offerings fit into an MSP’s quiver of arrows.
“The future for MSPs is clear to me,” he said. “We used to try and keep everything in-house, but would outsource things like cabling that weren’t predictable. It’s difficult to outsource a relationship, however. The MSP needs to focus on customer relationships, focus on that core wheelhouse, and bring in power partners as they need them. Security and compliance aren’t going away. We look at something very few companies look at. We have some tools no one else has, including the ability to scan for things both at rest and in motion, so we can see things like if data is leaving the company.”
Rutkovitz stressed that while compliance is a critical area, it’s not one where customers are clamouring to spend money.
“If a client sees a big risk, they will buy services, but if they don’t, they push back,” he said. “That’s why the risk assessment is so powerful. We have close to a 100 per cent conversion rate between risk assessments, and projects and recurring revenue. Compliance isn’t something that customers are necessarily asking for. The MSP has to do a deeper needs analysis and be proactive. It’s no longer a world where the customer buys stuff every four years because it’s obsolete. That’s a major shift, and that’s part of what we teach.”