When it comes to security compliance, MSPs want to keep it simple. If you work in the industry, you know how complex the pursuit of robust cybersecurity can be.
Between security tools and procedures, staff training, cyber liability insurance, and offering Compliance as a Service (CaaS), the information can easily become overwhelming for both the MSP internally as well as the MSP’s clients.
For Marc Umstead, President of Plus 1 Technology, simplifying compliance was a top priority. The Pennsylvania-based MSP, which Umstead founded in 2005, has been working to improve its CaaS offering with a desire for a hands-off, systemized process that is easy for new and existing staff to adopt.
Plus 1 Technology targets small to medium-sized businesses (SMB), often with five to 50 employees, so being lean and affordable is a top priority.
Umstead needed an answer to a simple question: How can they make compliance a systemized process that can be handed to staff?
Enter: ControlMap
Industry chatter had Umstead almost convinced that he’d need to spend a lot of money to have a senior staff member manage the compliance suite. As it turns out, there’s another way forward. With the right tools, the answer is simple.
For Umstead, the answer is ControlMap. By having a centralized and automated compliance platform, ControlMap has helped them create and sustain a repeatable process.
At first, Plus 1 Technology’s compliance process was still partially manual. They began searching for a tool to simplify compliance and automate some processes.
When they added ControlMap to their toolset, Umstead saw the platform quickly impacting the process.
While other options they considered were too convoluted and expensive for the MSP and its clients, ControlMap was a fit operationally. Plus 1 Technology could address client compliance challenges through a single solution.
One of the features Umstead has begun using is ControlMap’s risk register. The risk register feature provides a centralized repository of the risk and vulnerability data. This lets the MSP view and manage that data alongside scores for likelihood and impact on information systems.
Plus 1 Technology can assess the likelihood of threats and their impact on clients. They can update inherent and residual risk scores and create a mitigation plan for risks with security controls.
They had previously used an offline solution but can now manage the risks to their clients in a centralized platform that is always up to date. This has simplified their Compliance as a Service process, which also leads it to being much faster as well.
They don’t need to spend time collecting information from several different places. All the relevant information is together and viewable in an accessible way. This is just one aspect of the platform that creates a centralized compliance hub.
With these tools, Plus 1 Technology has been able to scale their CaaS and turn it into a systemized process that can be delegated to staff. With an improved process, the MSP’s team can provide an even better service for their clients while also meeting higher internal metrics.
Offering Compliance as a Service
Umstead’s plan to offer Compliance as a Service to customers started with a plan based on the business's needs. They had to answer questions like where the price point needed to be, how simple the process was, and what functionality ControlMap needed to deliver.
They had to set it up so that understanding the compliance process was very simple, and clients were assigned exactly what they needed to do. Plus 1 Technology would complete everything they could for the clients while the clients themselves received clear instructions on their next steps.
Having a solution where they can say to clients, “We've answered these technology questions and procedures. Here's the stuff you need to do,” has streamlined the process for the MSP and clients very successfully.
Plus 1 Technology serves many businesses in the accounting industry. So when the new Federal Trade Commission (FTC) safeguards were implemented, they had to inform many of the accountants of the new changes.
He said the new FTC safeguards weren’t communicated well in the industry, so many of their accounting clients didn’t know they had new compliance requirements.
Pricing Tips For Compliance as a Service
Umstead said that when developing a pricing strategy, MSPs need to consider the internal time commitment their work will demand. They should ask how long the process will take to complete and examine whether it can be scaled into a continuous and sustainable process.
Umstead added other factors influence what the market will bear depending on your market and the competitive landscape.
They looked at all those things and derived what they believed was a good price point for an initial run. They offered a slight discount for the existing client base so that they could use them to develop the process.
Umstead said that with the reduced rate initial push, they could develop the process by testing it with real people. A real test helped them understand where the problems in the processes are and where delays will happen.
“Because a lot of this stuff you could sit down and do in a day or two if every email you sent gets answered, everybody does what you asked them to do in a timely manner. But it's just not reality, right?” Umstead said.
“Going through it a couple of times in real life and understanding what that lag time is, how long it typically takes people to review things, and getting employees to sign off on procedures and documents and all that kind of stuff. Gathering the evidence you need.”
Plus 1 Technology currently uses two pricing schemes, one for IT MSP clients and one for clients not receiving the managed IT service.
The process is much easier for clients who get IT MSP service because many of the technical questions can be answered more easily as they are already tracked in Plus 1 Technology’s platforms, such as ControlMap.
If a client already has an existing IT department, for example, that process can take longer, which necessitates a different pricing approach.
Cost-effective CaaS for SMBs
By reexamining its internal processes and upgrading its toolset, Plus 1 Technology has been able to improve its Compliance as a Service offering.
Those improvements have been seen both internally through process revamps thanks to ControlMap, as well as externally through more efficient workflows and pricing models.
They now offer a cost-effective solution that meets the needs of small to medium-sized businesses and produces better results.
Plus 1 Technology has built a scalable compliance service that meets the market's needs while maintaining high-security standards by keeping things simple, affordable, and systematic.
Comparison of Plus 1 Technology’s Compliance Process Before and After ControlMap
| Aspect | Before ControlMap | After ControlMap |
|---|---|---|
| Compliance Management | Partially manual and fragmented | Systemized and automated with centralized platform |
| Toolset | Offline tools and disparate systems | Unified platform (ControlMap) with centralized data and features |
| Staff Involvement | Senior staff heavily involved in manual review and documentation | Process can be delegated to junior staff/admins |
| Client Experience | Clients had limited visibility; data spread across platforms | Clients access a centralized hub with documents and task visibility |
| Risk Management | Managed via offline solutions | Managed with ControlMap’s risk register and scoring system |
| Process Complexity | Convoluted, time-consuming, inconsistent | Simplified, consistent, and repeatable |
| Onboarding New Clients/Staff | Complicated and time-intensive | Easier onboarding due to standardized and automated workflows |
| Client Communication | More effort needed to explain processes | Clear steps provided to clients, reducing confusion |
| Pricing Model Development | No structured testing or models | Tested real-time with discounted pilot runs for existing clients |
| Service Scalability | Limited by manual work and lack of standardization | Scalable due to automation and delegation |
| Industry-Specific Compliance | Generic approach to all industries | Custom solutions (e.g., simplified FTC safeguards for accountants) |
| Overall Value Proposition | Inconsistent and hard to scale | Cost-effective, easy to deliver, and value-aligned for SMB clients |
Interested in developing your MSP’s compliance capabilities?
