There’s a lot at stake for MSPs in 2022. Customers are asking service providers to provide proof of compliance to safeguard their own data. The question is: what is the true cost of cybersecurity compliance? To answer this question, let’s unpack the details.
Let’s say you have decided to comply with cybersecurity best practices or one of HIPAA, SOC 2, CMMC, CIS, or other frameworks.
Congratulations on the first step!
As you probably understand by now, cybersecurity compliance is not a utility that can be bought for $99 a month. Becoming compliant and, above all, successfully maintaining compliance is a continuous effort requiring your people, processes, and technology to work seamlessly in sync with each other.
So how do you then estimate the cost of cybersecurity compliance?
There is not one answer, but it largely depends on how you answer these questions:
- What are your customers asking for? Companies more and more are requiring that their vendors and service providers show and maintain more robust security compliance. Depending on the industry of your customers and the risk they perceive in working with your company, customers may request responses to simple questionnaires or ask for detailed third-party audits such as SOC 2 (check out our free ebook to learn more about SOC 2), ISO-27001, or CMMC.
- What risks are you facing? If your products and offerings are servicing companies in highly regulated industries such as healthcare or financial services, the data you process could very well be considered PII Or PHI, requiring you to protect it with the highest cybersecurity standards, requiring additional audits such as PCI-DSS.
- What is your company size? Smaller companies face different risks than large company faces because of the number of information systems and people they work with, requiring a different level of investment in cybersecurity compliance.
- Where do you want to land? Driven by the importance you and your team place on cybersecurity, you may want to build a bare minimum program or best-in-class cybersecurity compliance program driving the expenses
Before we go further, we also want to differentiate between the cost of cybersecurity vs. cybersecurity compliance. The costs typically include,
Cybersecurity costs | Cybersecurity compliance Costs |
Hiring and maintaining a team/office of CISO | Compliance software / Management tools |
Security software such as intrusion detection, log monitoring systems, etc. | Gap assessments |
Security reviews / Test exercises etc. | Audit costs (External and Internal) |
Consulting and other SOC services | Compliance management / Internal / External resources |
In many small and medium businesses, the cost for compliance and security is generally merged into one bucket and falls under one team. So, let’s break it down and put some in a few high-level cost areas and buckets.
Here are some hard numbers for you to get a good estimate and rough order of magnitude. These numbers can hugely vary depending on your situation:
Readiness assessment:
This is an optional step, and you may choose to completely skip it and directly work on the gaps you already know. Readiness assessment could be done by an internal team or by an external auditor/consultant. Learn more about prepping for an audit here.
Readiness assessment for a framework such as SOC 2 or ISO 27001 starts at $2,500 but could go up to $7,500 based on the size and scope of your upcoming audits.
Preparation:
Based on the findings of the gap assessment, new software and personnel effort to implement new practices, policies and controls are almost always required.
- For small to medium-sized businesses, consultants’ costs could range upwards of $5000, but you could also do it internally at minimal costs. Most compliance management software could also help in readiness and gap assessments much faster, bringing down the cost drastically.
- If your products and offerings are hosted on a cloud such as AWS or Azure, most of the software needed, such as logging, monitoring, backups, and firewalls, can all be easily natively procured and deployed.
Auditor’s Fees:
Auditors for starting SOC 2 compliance can start at approximately $10,000, and the cost can go up to 50,000 depending on the brand of the auditing firm and the scope of an audit. For startups, the cost of a SOC 2 or a HIPAA audit is closer to $10,000 dollars.
Team / Hiring:
Startups generally do not have a dedicated compliance team, but as your company grows, you will have at least one compliance manager who works with the IT team and operations manager.
Putting together all costs, your cost of getting compliant and being ready for audit will anywhere be around $10,000, with audit costs starting at $10,000.
Are you ready to take the next step? Learn more about how you can get ahead of the competition, grow your bottom line, and win more business.