Terror, anxiety, bewilderment, and even boredom. These are the range of emotions many executives feel when they sit down to discuss their organization's cybersecurity and compliance strategies. Then the realities of their budget and competing priorities kick in, and often the result, even after a significant industry breach, is they give faint attention to meaningful cybersecurity improvements.
But now, a new trend is emerging: the client's power to demand that their vendors achieve minimum compliance and cybersecurity standards. The hidden hand of the need to win vs. the fear of loss creates a new and powerful and will drive a lot of investment. ROI has finally arrived in Cybersecurity and Compliance-driven by the pressure of revenue growth.
Compliance and its various certifications such as SOC 2, CMMC, and others used to be the domain of larger companies whose overall financial audit required them to complete a certification as a part of assuring that the proper controls, tools, and oversight were in place. But Supply Chain risk has radically increased the numbers of companies who need to meet a compliance certification.
The lever used to enforce compliance is a host of accessible-to-use, pre-configured, Third-party risk management (TPRM) platforms. That, in turn, is causing a massive uptick in the need for more cost-effective compliance certifications across a range of companies that up until a few months ago would not have been even remotely considered obtaining a certification and as a knock-on effect, a significant increase in cybersecurity improvements.
Five clear trends are driving change in the cybersecurity and compliance market that present opportunity for early adopters and risks for cheerful followers.
Trend 1: Technology, as well as Cybersecurity op-ex, is skyrocketing:
CXOs have historically managed to keep technology spending down to 2-5% of operational costs (although spending in the banking and healthcare industries has been higher). The rapid adoption of cloud services and other technology outsourcing trends may have reduced or flattened capital budgets for IT, but it has had the opposite effect on op-ex. At the same time, the need to improve the underlying technology platforms and infrastructure on which compliance and Cybersecurity depend has led to vast increases in spending and continuous, ongoing evaluations of organizations' compliance and cybersecurity health. The net result of these changes will be that the total IT budget, including gray spending inside business units, will increase total Technology costs ahead of inflation.
Companies/Sub-Markets to watch:
- Enterprise Platform services to manage Oracle, Salesforce, and SAP enablement and cloud migration.
- CASB and Architecture management managed services
- Cloud Enablement to AWS, Azure, and other platform integrators with managed services emphasis
- SD/LAN and service providers that can control all end-points
- Managed Services Provider Consolidation and morphing to Cloud Enablement Providers
Don't be surprised if the continued move to cloud ramps up your tech operating budget to 5-12% of total op-ex, with cloud, compliance, and security making up a large proportion of the increase.
Trend 2: Taking third party vendor risk management to the next level:
For years, clients have sought to manage their vendors more effectively across various requirements, including cybersecurity supply chain risk. As the risk of supply chain threats has grown, a massive amount of VC investment has been going into building out next-generation Third-Party Vendor Risk Management and GRC software platforms. These platforms mostly come pre-configured and continuously monitor tier 1 and tier 2 vendors' compliance and control frameworks and certifications.
Unlike the old school platforms that are complex to install and maintain, the new platforms come out of the box with feeds and APIs that allow almost continuous compliance management and double-checking that your vendors have appropriate controls and meet compliance standards such as SOC 2. Now that these platforms enable clients, a broad group of vendors can be required to certify that they also maintain a comprehensive series of controls and processes. This subtle change in the market is the hidden hand driving the rise of compliance and certification platforms and cybersecurity services to demonstrate controls.
Companies/Sub-Markets to watch:
- IT Vendor Risk Management – ProcessUnity, SAI360, OneTrust, MetricStream, ServiceNow, Venminder, Prevalent, and others
- Governance Risk Management – Galvanize, ServiceNow, Riskonnect, LogicManager
This is mostly net new budget spend that will be justified by reduced 3rd party risk, particularly in Cybersecurity.
Trend 3: The rise of the compliance and certification platform:
Driven by the rise of the TPRM platforms and the need to secure their enterprises, there is an increasing need by companies of all sizes to obtain and maintain compliance across a range of frameworks and standards. Because more of their clients are beginning to manage risk through their TPRM platforms, an ever-increasing volume of small and medium businesses need to obtain a SOC 2 at lightning speed on a tight budget. The need for a platform with prebuilt frameworks and security controls has developed. The range of certifications includes compliance standards such as SOC, FedRAMP, PCI, HIPPA, GDPR, ISO, HITRUST, and the new player CMMC rolling out in 2021.
Innovative enterprises—from the small and panicking through to the large with complex compliance certification maintenance needs (and, by extension, monitoring their vendor ecosystem's cybersecurity environment)—are rapidly adopting these platforms. Once the platform is implemented, they pay a monthly subscription on a 1-3 year contract, and most of their controls update automatically, providing continuous compliance. If you are a really small company, you can get a SOC 2 done pretty quickly as the platform will fill out most of the forms, provide you with control documentation, and essentially do the SOC 2 preparation for you. Using these platforms is better for almost every business but gets more challenging if you are a mid-size company with many offices handling sensitive client data. There seems to be a land grab in this space right now, which will be interesting to watch.
Companies/Sub-Markets to watch:
- Sub/Markets: SOC 2 and CMMC, plus a range of other certifications, made it easy for clients to demand 3rd Party risk management and GRC platforms
- Companies: Tugboat Logic, Drata, Secureframe, Vanta, and a host of others with a robust reoccurring revenue model.
Trend 4: Vendor selection criteria has changed:
As more and more organizations adopt third-party risk management systems and implement their own managed compliance and cybersecurity services, they will demand compliance and supporting certifications from a wider group of suppliers. With the adoption of easy-to-use systems, clients can now automate compliance requirements to be an approved vendor. As clients increasingly include compliance in their vendor selection, fast-moving vendors who have proactively obtained appropriate certifications and active cybersecurity management will crowd out the smaller vendors who are stuck in the past.
For example, I watched a hot, newly funded healthcare company lose a string of mega RFPs over the last 12 months, each of which could have provided them with a game-changing 1000% growth scenario. They kept missing out because they lacked sufficient compliance maturity to be taken seriously by the customer.
To get ahead of this rapidly growing demand for compliance and Cybersecurity, companies should proactively obtain basic certifications like SOC 2, a Cybersecurity maturity rating and generally strengthen their Cybersecurity posture before the 2022 sales season. If they don't, they risk losing out in the vendor selection process to competitors who have taken such steps.
Companies/Sub-Markets to watch:
- Sub/Market: Next Generation Unified Cybersecurity and Compliance Providers
- Companies: Abacode, Accenture, and emerging MDR firms have realized the evolving linkages between compliance and cyber.
Trend 5: Managed Cybersecurity and compliance platforms will be the winners: Cybersecurity risks to the Enterprise and the four trends noted above have already begun to change the value of defending the enterprise business. IT budgets have started to shift and increase, and the age of easy-to-use and ever-reaching Third-Party Risk Management is upon us. The automated compliance platforms that make it cheap and quick to get a compliance certification are in the market now. As a result, significant changes in procurement will demand vendors change to remain viable – this may include your company.
The net result of all these technological and cyber lifecycle changes will be the rise of the integrated Cybersecurity and compliance managed services provider who starts with a security framework in mind, drives to the standard, and is there to stand beside you during your certifications. The old school controls checklist used by procurement departments is enabled by becoming a live link to continuous compliance, controls, and cybersecurity management. The flow-on impact will be that clients will terminate providers who fail to provide an adequate attestation of compliance and Cybersecurity – which will benefit early adopters.
The challenges ahead for clients and providers:
Complexity will increase: The mix of wildly different compliance frameworks and cybersecurity software, services, and business processes required to protect the Enterprise and maintain Cybersecurity and compliance is immense. At last count, there were over 4,000 vendors in the Cybersecurity and compliance vendor universe to choose from and over 500 frameworks and compliance standards.
Speed will be paramount: As a vendor, unless you adapt to this new reality of maintaining continuous Cybersecurity and compliance for more than one standard, the fact is you are going to lose your next must-win RFP because you cannot prove compliance. As a result, you will be prevented from entering markets such as government (CMMC and FedRAMP) or healthcare (HITRUST) because you cannot manually simultaneously track multiple standards.
The Land Grab market: For the suppliers of Cybersecurity and Compliance, there is a land grab going on for customers measured in customers and end-points. While there will be almost always will be a number of small local managed services providers in each market, I believe we will develop a series of regional and national providers. Each of the larger market players with have around 2 million end points which will drive around $100m plus in base revenue plus ancillary services that could be substantially more. Once they have that concentration, they will be able to deliver superior service quality, raise unit price and provide investors with a market leading return.
Vendors risk relegation: And to make matters worse, you will face near-permanent relegation to being a tier 2 or tier 3 choice because a wise and insightful outsourcing consultant will advise your client not to buy from your company when there are less risky choices of vendors offering a more integrated solution. In short, unless you take action to meet upcoming market demands, in the not-too-distant future, you will find your competitors have adopted automated compliance techniques that have pushed them ahead of you.
Leadership remains critical: We need a way forward to help link the real-time need for Cybersecurity to the broader market of risk management and compliance, as so many of the standards of each provide the right management processes for cyber to be effective. As enterprises continue to evolve their operations to grow, control costs, and protect their businesses, effective compliance and Cybersecurity are increasingly essential components for supporting those aspirations. The question for SMBs and enterprises is: as we look to the next 12 months, who will lead, who will follow, and who will rapidly adopt the new normal of compliance and Cybersecurity? And if you fail to lead, will your company be put at risk and shrink because you could not adapt to these changes?
What does this mean for the Enterprise? First, think holistically about your cybersecurity and compliance needs. Try and find a provider who can solve the short-term issues of defending your Enterprise now at a level of maturity that matches your risk and compliance needs. And as your business matures, think about how you can begin to improve your cyber defense by requiring that your key vendors also maintain their Cybersecurity and compliance in such a way as to make you more secure. As you grow, think about how you are in turn managing your third-party risk within your supply chain.
What does this mean for the investor? There is a land grab going on for the end-point, and there is a new calculus of how to think about when deciding where to invest. While standard formulas presently used to value a business remain valid but potentially unremarkable. A more comprehensive view of lateral trends impacting an investment is required to achieve breakthrough growth and margins.
About the Author: Ben Trowbridge is an accomplished Outsourcing Consultant with extensive experience in outsourcing and managed services. As a former EY Partner and CEO of Alsbridge, he built successful practices in Transformational Outsourcing, BPO, IT Outsourcing, and Cybersecurity Managed Services. Throughout his career, Ben has advised a broad range of clients on outsourcing and global business services strategy and transactions. As the current CEO of the Outsourcing Center, he provides valuable insights and guidance to buyers and managed services executives. Contact him at [email protected].