Dave Sobel engages in a thought-provoking conversation with Tim Golden, CEO of Compliance Scorecard. They discuss the evolving landscape of compliance, particularly in the context of Managed Service Providers (MSPs) as they look toward 2025. Tim emphasizes that compliance is not a fleeting trend but a critical aspect of business operations, drawing parallels to the historical implementation of seatbelt laws. He highlights the increasing importance of regulations such as the FTC safeguards and CMMC, which are becoming essential for small businesses and the MSPs that support them.
The discussion delves into the challenges faced by software manufacturers regarding compliance and security measures. Tim points out the tension between the need for robust security features, like multi-factor authentication, and the reluctance of some software vendors to implement these measures due to the costs involved. Dave pushes back on this notion, arguing that the industry has a choice in how it approaches compliance and security, and that proactive advocacy for regulations could lead to better outcomes for all stakeholders involved.
As the conversation progresses, Tim shares insights on the self-regulating nature of certain industries and the potential for organizations like CompTIA to set standards for MSPs. He believes that the community of MSPs must take the initiative to establish best practices and compliance measures, akin to the licensing requirements in other professions. This self-regulation could help elevate the standards within the industry and ensure that MSPs are equipped to handle the compliance needs of their clients effectively.
Finally, Tim reveals that Compliance Scorecard is launching a professional services division aimed at supporting MSPs in navigating compliance challenges. This new initiative will provide additional resources and expertise to help MSPs deliver compliance as a service to their clients. Tim expresses optimism about the future, emphasizing the need for MSPs to engage in meaningful conversations about business outcomes and compliance, ultimately positioning compliance as a framework that supports business success rather than a burden.
Supported by: https://tdsynnex.com/StreamOneIon/
💼 All Our Sponsors
Support the vendors who support the show:
👉 https://businessof.tech/sponsors/
🚀 Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus
🎧 Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe
📰 Story Links & Sources
Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🎙 Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech
🔗 Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
[00:00:01] Dave Sobel here talking with Tim Golden, CEO of Compliance Scorecard here at IT Nation. Tim, great to have you on the show.
[00:00:08] Yeah, Dave. It's always good to see you. Thanks for having me. Great setup by the way.
[00:00:11] Well, we're excited to be doing these today. So I want to dive right in. One of the things I really was interested to talk to you about is you've now been doing Compliance Scorecard for a couple of years now. You've seen significant growth.
[00:00:23] Yeah.
[00:00:23] You know, you've had an equity round. You've kind of propelled in terms of growth growth. What are you seeing in terms of the landscape as you look to 2025? Like what do you see is going to happen for compliance next year?
[00:00:36] Yeah, that's a great question, you know, and we've been kind of, I don't want to say predicting the future, but it's the end of the year. You know, we get these conversations on what is 2025 look like? You know, from an MSP perspective, compliance is here, right?
[00:00:53] It's not going away. You know, the recent announcement of CMMC all coming to fruition. I look at it like the seatbelt law, right? So if you look at the FTC safeguards, for example, right? You and I were probably old enough to know like cars didn't have seatbelts.
[00:01:11] And then they started to get seatbelts. And then now you can't drive anywhere without clicking a ticket. So when I think of compliance and I pick on FTC, for example, and there's a lot happening there, they can't just keep pulling people over and handing out tickets.
[00:01:28] This will take time to roll these things out. But I've been seeing from specifically around the FTC and the Department of Justice over the last couple of months, going after specific instances.
[00:01:42] So they're not sitting there, you know, with the, you know, cop on the side of the road. But when things happen, now you get the ticket. And so I can foresee the FTC safeguards becoming more and more important to most small businesses.
[00:01:58] And obviously the MSPs that support them. CMMC, you know, that horse has been beaten to death. I don't want to talk too much about that. That's obviously here.
[00:02:08] You know, there's a couple of other things in the works, especially overseas. NIST 2, NIS 2, not to be confused with NIST itself, the organization, right?
[00:02:19] Dora, Australian Aid, Cyber Essentials. So there's things that not just affect the U.S. But if we're doing businesses or have clients in those regions, there's a lot of compliance stuff that literally just came out in October of 2024.
[00:02:35] Now, I want to get your perspective on something else that's been kind of percolating for me for a while.
[00:02:38] Sure. You're super big on the SIS is secure by design and secure by default implementation. You signed the pledge.
[00:02:44] I did. We did.
[00:02:45] Yeah. You as an organization, I mean, a compliance scorecard signed the pledge. And that's notable. 230 organizations and growing have signed the pledge.
[00:02:52] Now, what's interesting to me is I love that you brought up the seatbelt analogy.
[00:02:56] Okay.
[00:02:56] Because when we think about the production of cars, if seatbelt laws work because they were also required to be tested, validated, and installed in vehicles.
[00:03:06] Yes.
[00:03:06] However, software manufacturers are actually not required to install seatbelts. They're not required to test them.
[00:03:14] They're not required to do them.
[00:03:16] But we've now made it the requirement of the customer to validate that all the seatbelts work correctly in a vehicle where the manufacturer didn't have to do it.
[00:03:26] Talk to me about your sense of that tension and what we need to change on the software vendor side.
[00:03:32] Yeah. So, you know, SISA, secure by design.
[00:03:37] I kind of like boil it down to like the big bad federal government can't come out and make a law and says everybody has to do this.
[00:03:45] These things take time.
[00:03:47] Right.
[00:03:47] If you think of legacy software that has been around for centuries, whatever, decades, to change those key components.
[00:03:55] I was talking to another SaaS vendor that's, you know, only been in space three or four years.
[00:03:59] And we're talking specifically about this.
[00:04:02] And they don't force 2FA, two factors, one of the components.
[00:04:08] They don't force it because they didn't build it that way in the very, very beginning.
[00:04:13] Now they have to go back in a retro phase.
[00:04:14] So there's development time.
[00:04:16] But on the consumer side, right, on the MSP side, we hamper multi-factor.
[00:04:21] That's right.
[00:04:21] Right.
[00:04:22] And so there's that tension of us as a software developer, wanting to do what the industry is asking, what we as all professionals have been pushing, multi-factor, all the key components secure by design.
[00:04:37] But there's a cost to that as a software developer, as a SaaS company, as a product.
[00:04:43] So there's, you're right, the tension of like everybody needs 2FA.
[00:04:48] I agree, but there's a cost.
[00:04:51] So there's a monetary cost.
[00:04:54] Yeah, I'm going to push back.
[00:04:55] And I'm going to say, on the choice of the word can't, we choose not to.
[00:05:00] American society in particular has chosen not to create laws around this, whereas we chose to create laws for seatbelts.
[00:05:07] Yes, I get your point.
[00:05:09] And I think it's important for us as an industry to recognize the can't versus won't decision.
[00:05:14] We're choosing not to.
[00:05:17] Unless we get involved with lobbying efforts and focus on the laws that require it, it will always be optional.
[00:05:24] And if we compare against other markets, and I don't really like to get your sense of this.
[00:05:27] For example, I was just talking with an MSP that does management across New Zealand, Australia, and the U.S.
[00:05:32] And their big pushback was, well, in Australia and New Zealand, there are active line items for security in people's budgets because it's required by law.
[00:05:41] Yet in the U.S., there isn't because we don't require it.
[00:05:47] And then we are somehow surprised we continue to have cybercrime as a problem here.
[00:05:52] And where I want to go with this is I just want to make sure that I understand.
[00:05:56] So, obviously, you're in favor of this.
[00:05:58] You've signed the pledges.
[00:05:59] You're designing for it.
[00:06:01] Where do you think the appropriate line is for us as an industry to advocate for?
[00:06:07] So, I think I understand your point.
[00:06:11] I hate to beat the CMMC horse, but there is regulations in those government contracts saying you will adhere to these frameworks.
[00:06:19] Sure, for any organization that serves the federal government.
[00:06:22] Yes.
[00:06:23] We have to start someplace.
[00:06:25] I agree with that.
[00:06:26] But what I guess I'm getting at is I'm trying to understand.
[00:06:28] Would you advocate imposing that across all businesses done in the U.S.?
[00:06:33] So, I'm actually in favor more of a self-regulating organization.
[00:06:38] Okay.
[00:06:39] Right?
[00:06:39] Much like legal does with the boards, right?
[00:06:43] There's a lot of organizations.
[00:06:44] There's a lot of verticals that are self-regulating.
[00:06:47] Okay.
[00:06:47] Right?
[00:06:49] Maybe we'll talk about CompTIA.
[00:06:51] We're going there next.
[00:06:52] An organization that can self-regulate from the MSP perspective for us to have a standard of due care, a standard of due diligence for us as our own.
[00:07:05] Yeah.
[00:07:05] Like, I can't go get my hair cut from somebody that's not licensed.
[00:07:10] 100%.
[00:07:10] Right?
[00:07:11] I use this example all the time.
[00:07:12] I know.
[00:07:13] That's why I brought it up.
[00:07:13] Yeah.
[00:07:14] That's what you're saying.
[00:07:14] And for listeners, I always say, like, the person that cuts my hair has more requirements than the person that manages my data backups.
[00:07:21] Exactly.
[00:07:22] I'm not sure I'm comfortable with that is my statement when I compare the industries because that's critically important to the operations of business and data.
[00:07:31] Right.
[00:07:32] And that's actually sort of where I wanted to go with this.
[00:07:34] You've been significantly involved with CompTIA's initiatives, particularly around things like the Trustmark and some of the certifications.
[00:07:41] That's an organization undergoing shift right now.
[00:07:44] They are.
[00:07:45] Literally yesterday.
[00:07:46] Literally.
[00:07:46] It's a nice way of saying it.
[00:07:47] Give me a sense of how you think those efforts fit in and your perspective on what's going on there.
[00:07:54] Yeah.
[00:07:55] So let me just level set a wee bit.
[00:07:58] Cool.
[00:07:58] A couple emails came out.
[00:08:00] A couple press releases came out.
[00:08:01] There was some ambiguous words, some big words that even I struggled with.
[00:08:06] And in conversation, I made this analogy this morning.
[00:08:10] Okay.
[00:08:10] If you think of CompTIA before today, before this week, as a bookstore with a book club.
[00:08:19] Book clubs are free.
[00:08:20] People get resources.
[00:08:21] They're fun.
[00:08:22] The bookstore sells the books.
[00:08:23] And for those who may not be up on the story, CompTIA announced that they are splitting off their training organization to a new for-profit organization.
[00:08:30] The remaining piece will not be called CompTIA.
[00:08:33] It will be the association.
[00:08:34] Correct.
[00:08:34] So that's the book club portion versus the bookstore.
[00:08:37] That's the book club versus the bookstore.
[00:08:39] Right.
[00:08:39] And so I don't know enough of the details about this store.
[00:08:43] You know, I did have a little bit of conversation on the efficacy and the validity and the quality of that.
[00:08:50] I actually think it will improve.
[00:08:52] Okay.
[00:08:52] Right.
[00:08:53] Yeah, the training and certification.
[00:08:55] Right.
[00:08:56] You know, the real value and kind of, I hate to say like the core of CompTIA is the community.
[00:09:02] Right.
[00:09:02] Is us as MSPs.
[00:09:05] And now not having to be dependent on income to build the other.
[00:09:09] Like if you think of that, like the bookstore.
[00:09:13] Right.
[00:09:13] Selling books is now giving, in a sense, an endowment, for lack of a better word.
[00:09:19] Yeah.
[00:09:19] It's very much an endowment.
[00:09:20] Right.
[00:09:20] So that us as the community can do the things that we've been always wanting and trying to push forward, but have been limited by the funds and the business side.
[00:09:31] Mm-hmm.
[00:09:31] Right.
[00:09:32] Right.
[00:09:32] So what does this mean for us as a community?
[00:09:34] What does this mean for small businesses that we support?
[00:09:38] And back to your legal question, right?
[00:09:40] First and foremost, I think us MSPs as a community, like, need to get our own house in order.
[00:09:47] Trustmark is one way to do that.
[00:09:49] Right.
[00:09:49] Having being involved in developing the controls and working with Chris Johnson and the team over there.
[00:09:54] It is obtainable, and it actually sort of level sets the MSP for doing the best practices as ourself.
[00:10:05] Okay.
[00:10:05] That whole SRO, the whole self-regulating organization.
[00:10:10] Where the laws come in, I want to get back to that, is, you know, they can't...
[00:10:17] All right, let's remove the politicalness aside.
[00:10:20] Okay.
[00:10:20] But if you know a little bit about how laws are created and they come up through the ranks and the House and the Senate and the VOTA and all that kind of stuff, like...
[00:10:28] Mm-hmm.
[00:10:29] It's a process.
[00:10:30] I mean, if we look at CMMC again, that was probably the fastest I have ever seen something move in a legal sense.
[00:10:40] Right.
[00:10:41] And that's just one, quote, quote, little vertical when we look at the entire economy here and all the businesses in the U.S.
[00:10:50] They couldn't do that to the 97% of the businesses here in the United States, which, by the way, according to all research, is less than 10 people.
[00:10:59] Right.
[00:10:59] Sure.
[00:11:00] Right?
[00:11:00] That...
[00:11:01] I think it will come.
[00:11:03] I think FTC is one mechanism.
[00:11:05] Okay.
[00:11:06] Right?
[00:11:07] And what I've been seeing in all the releases and all the things in the Department of Justice, kind of working hand-in-hand in the Whistleblowers Act...
[00:11:13] Mm-hmm.
[00:11:14] These things will start to come to fruition, but I don't think it will move as quickly as
[00:11:20] CMMC has.
[00:11:21] That's fair.
[00:11:22] I'm a small business owner.
[00:11:23] You're a small business owner.
[00:11:25] Right.
[00:11:25] The last thing we want is more taxes, more laws, more rules, more regs, more things.
[00:11:30] But there's a balance of staying protected, no secure.
[00:11:34] And I think I would argue this is that's easy to say broadly.
[00:11:38] Yeah.
[00:11:38] But I think all of us would say, well, I'd pay a little bit more if the criminals want to
[00:11:43] away.
[00:11:44] Like, broadly.
[00:11:44] Broadly.
[00:11:45] Broadly.
[00:11:46] Right?
[00:11:46] A broad statement.
[00:11:47] And we have to decide what portion of those resources go into private funds to deal with it.
[00:11:52] And what would have to be collective action as a society.
[00:11:55] Right.
[00:11:55] Because it can't...
[00:11:58] And politics is uncomfortable to talk about.
[00:12:01] But that's the choice of the balance of where those levers go.
[00:12:04] We need to have that conversation as smart people talking about it in order to get there
[00:12:09] or we're never going to get better at this.
[00:12:12] And ultimately, we are trying to all collectively fight the cybercrime.
[00:12:15] Let's never lose them from the conversation.
[00:12:18] Right.
[00:12:18] Is we have a threat of crime that we have to collectively work on.
[00:12:22] And what we're talking about is what proportions do we put our resources in?
[00:12:26] How much of this will be done privately and how much must be done by collective action?
[00:12:31] Because not everything can be solved purely by law.
[00:12:36] Or by private aid.
[00:12:38] Either one.
[00:12:38] Right.
[00:12:38] It's not an either.
[00:12:39] And it's an and.
[00:12:40] Yes.
[00:12:41] Yes, and.
[00:12:42] And that's right.
[00:12:42] New phrase I've been learning.
[00:12:43] Yes, and.
[00:12:44] Yeah, and so it's an and conversation.
[00:12:45] And so we have to just figure out what that and is.
[00:12:47] And I don't want to joke.
[00:12:49] Because the other thing I wanted to get a sense of is you've got some interesting stuff
[00:12:52] going on from a strategic perspective.
[00:12:54] And, you know, can you be a little bit of insight into what's going on there?
[00:12:58] You mean that compliance scorecard directly?
[00:13:00] Yes.
[00:13:00] Yeah, so.
[00:13:02] And I'm being a little ambiguous because not everything is finalized yet.
[00:13:06] But we're almost two years in.
[00:13:10] You know, been working with, you know, a lot of MSPs.
[00:13:13] I generally never give the number.
[00:13:15] And what we keep hearing over and over and over again is the MSPs falls into three buckets.
[00:13:21] I know what I'm doing.
[00:13:23] I do it manually.
[00:13:24] I need something to help me.
[00:13:26] Okay.
[00:13:26] Great.
[00:13:27] Platform, blah, blah, blah.
[00:13:28] But the other two key components is really how I actually founded this to begin with,
[00:13:33] which is I don't know what I'm doing.
[00:13:36] Right.
[00:13:36] But can you help me?
[00:13:39] Right.
[00:13:40] Then do some professional services.
[00:13:43] And the third is I don't want to do any of it, but I have customer that's in the DOD that has a requirement.
[00:13:48] Okay.
[00:13:49] Do it for me.
[00:13:49] Gotcha.
[00:13:50] Yeah.
[00:13:50] IE professional services.
[00:13:52] That's how I started.
[00:13:53] You mentioned the investment.
[00:13:55] Like before we had that, bootstrap.
[00:13:57] Right.
[00:13:57] I would work with an MSP.
[00:13:59] We would work through it together.
[00:13:59] Figure that together.
[00:14:00] Right.
[00:14:00] Right.
[00:14:01] And so we have always known that MSPs want the help, look for the help, and that professional services for them, the I do, you do, we do kind of model.
[00:14:14] So we are about to launch our professional services division to partner alongside with the MSP to be a third-party independent resource that is not an MSP or an MSSP to compete with you.
[00:14:29] But we are, in a sense, exactly what you are doing as an MSP for your customer.
[00:14:34] You are providing fractional or augmented services to your small businesses.
[00:14:39] We're doing that with you.
[00:14:41] Okay.
[00:14:41] We're taking our 20 years of knowledge from a privacy side, from a security side, from a compliance side, bringing that all together as pro services to help MSPs.
[00:14:52] So I'm really intrigued by that, and I want to start with kind of an interesting question.
[00:14:56] So one of the interesting, you launched this sort of a SaaS software model is what Compliance Scorecard has been doing now.
[00:15:03] Yep.
[00:15:03] That has a particular way of looking at things as a product business, product margins.
[00:15:07] Yeah.
[00:15:07] I'm really curious how you're looking at it and managing a business that then's introducing services, which is a very different P&L.
[00:15:16] It's a very different type of balances.
[00:15:17] You've come from that world.
[00:15:19] Oftentimes those that have come from services move to product because we always joke that it's easier and better from a margin perspective.
[00:15:25] How is you as a leader, how are you thinking about balancing these two now very different components of a business as you're thinking about the planning going forward?
[00:15:32] Different general ledgers.
[00:15:34] Yeah.
[00:15:34] And at one point we were like, maybe they should just be two completely separate companies.
[00:15:37] That doesn't obviously work.
[00:15:39] It sometimes does.
[00:15:40] Right.
[00:15:42] So I'm not an accountant.
[00:15:44] Fair.
[00:15:44] No, I want to know strategy-wise.
[00:15:46] But strategy-wise, they're all one books.
[00:15:49] Right?
[00:15:50] The income all comes into one.
[00:15:52] The services all come out of one.
[00:15:54] Us as an organization want to maintain that level of service.
[00:15:58] We want to make sure that we maintain that high touch.
[00:16:01] Right?
[00:16:02] Right.
[00:16:02] You know, MSPs are our partners.
[00:16:05] They're our, I hate to use the word friend.
[00:16:07] You're not just another number.
[00:16:08] Sure.
[00:16:08] And so from a strategy perspective, being able to teach the MSPs the process part and the technology part of building a compliance as a service, a governance as a service, but then having the platform or the tool to support all that, they're missing the people.
[00:16:29] Right.
[00:16:29] So from a strategy perspective, it's, you know, the peanut butter to the jelly.
[00:16:34] Right?
[00:16:34] A lot of tools that exist nowadays, I mean, we're here at ConnectWise.
[00:16:39] Right.
[00:16:39] The number of ConnectWise consultants that are here as vendors every year and have been around for decades.
[00:16:47] ConnectWise, great tool, PSA, automate, blah, blah, blah, great tool.
[00:16:50] But they need the person to help get it right.
[00:16:53] Right.
[00:16:53] Same thing with compliance.
[00:16:55] It makes sense.
[00:16:55] I will look forward to us talking in another sort of 12 months to get a sense of how that's working because I totally see the vision.
[00:17:04] There are challenges to that.
[00:17:05] Of course.
[00:17:05] It is very difficult to run a combined business.
[00:17:08] Yeah.
[00:17:08] I'll be curious to see how that's going because I think there's lessons to be learned from that execution.
[00:17:13] So give me, you know, as we're sort of wrapping the thoughts up here a little bit, give me a little bit of a sense of kind of the one thing you're looking for in 2025 to give you a read on how the compliance market is shifting.
[00:17:28] Like what's a big indicator that you're keeping an eye on?
[00:17:30] Well, obviously product market fit.
[00:17:32] Sure.
[00:17:33] You know, we talk to a lot of colleagues, even competitors, right?
[00:17:38] Like there's a small number of us that are really trying to help this industry in that space.
[00:17:43] Blue ocean, all the big words.
[00:17:45] What I see right now is little to no to zero penetration.
[00:17:51] Right.
[00:17:52] So when you think of market penetration, we think of growth of the company.
[00:17:56] Where do we want to go?
[00:17:57] I'd like to see deeper penetration into the MSPs that understand it, have customers that like that market penetration right now in my brain.
[00:18:08] And again, there's some data and research around that is like nil.
[00:18:12] Right.
[00:18:12] I'd like to be able to see us start to move that needle to more MSPs, understanding the need, but even more so the clients.
[00:18:25] Right.
[00:18:26] There's a huge disconnect between us technical folks that get it, the ones and zeros, and the business outcomes that Johnny's Lugnut or Joey's Bakery.
[00:18:38] Right.
[00:18:38] Right.
[00:18:39] The business outcomes, they don't care about 2FA.
[00:18:43] They want to make sure are the donuts ready and is my milk sour.
[00:18:46] Yep.
[00:18:46] Right.
[00:18:47] But those business outcomes is really.
[00:18:50] Nate's in it.
[00:18:51] It's one of my bigger goals for 2025 is to empower the MSPs to have those business outcome conversations.
[00:18:59] And compliance is just the referee to give them a framework and a roadmap.
[00:19:04] Yep.
[00:19:04] Well, Tim, that is a perfect place to end on because we're constantly talking about business outcomes.
[00:19:07] Really appreciate you joining me today.
[00:19:09] Thanks.
[00:19:11] Are you ready to take your cloud business to the next level?
[00:19:14] TD Cynics is changing the game for MSPs with their Stream 1 platform, where all clouds meet.
[00:19:21] With Stream 1, you get access to Microsoft, AWS, Google, and more all in one place.
[00:19:28] Stream 1 Commerce API enables headless commerce, and there is seamless integration with your PSA tools, making billing easier than ever.
[00:19:36] Plus, white label storefronts allow you to extend a fully customizable marketplace to your customers.
[00:19:43] And Stream 1 is more than a marketplace.
[00:19:45] It simplifies the complexity of cloud ecosystems and empowers you to grow at scale.
[00:19:51] To learn more, visit tdcynex.com slash stream1ion and see how Stream 1 can transform your business.
[00:20:02] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines, posted at businessof.tech.
[00:20:10] If you like the content, please make sure to hit that like button and follow or subscribe.
[00:20:15] It's free and easy and the best way to support the show and help us grow.
[00:20:20] You can also check out our Patreon, where you can join the Business of Tech community at patreon.com slash mspradio.
[00:20:28] Or buy our Why Do We Care merch at businessof.tech.
[00:20:33] Finally, if you're interested in advertising on this show, visit mspradio.com slash engage.
[00:20:40] Once again, thanks for listening to me, and I will talk to you again on our next episode of the Business of Tech.
[00:20:49] Part of the MSP Radio Network.