Throughout 2021, we've had the opportunity to speak with over 200 leaders of risk advisory firms focused on supporting clients with challenges related to cyber, privacy, and more.
Through these discussions, we've identified five challenges advisors around the world are facing right now.
Solving for these challenges has driven, and will continue to drive, our product innovation and roadmap.
Background & Context
This article draws on discussions over the past year with over 200 CEOs and practice heads of cyber security advisory firms and managed security service providers (MSSPs) worldwide. Coupled with the 6clicks innovation strategy and vision for the industry, it sets out strategies and the innovation available to scale your services business.
More than ever, cyber security is entrenching itself at the top of the agenda for businesses and governments worldwide and across every industry. Of course, companies can't protect themselves alone; they need help from advisors or augmented staffing solutions at a minimum.
Compounding the situation, cyber security professionals are harder than ever to find, and salary expectations are breaking records every month. Despite efforts from the education sector, demand for skills and expertise well outstrips supply. This makes attracting and retaining the ‘best of the best' harder than ever and increases the need for more effective techniques to scale your services business.
6clicks was founded on a mission to make risk and compliance easier for both businesses and advisors. For this reason, we focus on innovation and strategies to help your business scale.
What Are the Main Challenges Facing Practice Leaders?
There are various nuances across different regions and markets. However, overall, there are five major, common challenges faced by leaders of advisory firms and MSSPs:
Using analytics and benchmarking to provide more value
The underlying value of an advisory firm is the quality of its advice, and as such there’s a natural anxiety about maintaining this quality. As more people join a firm, and in situations where demand is acute, quality can naturally be diluted. Part of this comes down to the fact that, as we are all human, it’s hard to ingrain manual processes and re-use intellectual property across a growing workforce in order to maintain quality. The use of analytics, particularly benchmarking, is often identified by advisors as the holy grail of consulting, providing the mix of value and insight that clients now expect. The ability to generate benchmarks and analytics relies mainly on the effective use of technology to support data capture and ongoing analysis.
For years now, advisors have released their ‘annual insights’ publications, striving to claim a position in the market as a thought leader. In reality, though, the data supporting these publications comes almost exclusively from (manual) ‘client listening’ exercises about perceived trends, issues, or themes, rather than from aggregated, anonymized data drawn from real-world operational systems. In addition, most of these publications are either backward-looking or simply a set of loose predictions.
Protecting margins at scale
With growth come the complexity and layers involved in managing a larger workforce. This complexity makes maintaining realization and utilization targets problematic, and it becomes harder at each increment of growth. The answer for many advisors looking to protect their margins is to increase rates. However, increasing fees and providing a more sophisticated offering to a more sophisticated client ultimately results in a smaller overall market that is susceptible to disruptive innovation (where a complex service offering is made simpler and more affordable).
Efficiently serving a bigger market
A challenge with any services business is that growth is limited by the number of highly skilled consultants, and these consultants are increasingly hard to attract and retain. At the same time, it seems near impossible to efficiently service the small, medium, or ‘lower end’ market. We all know that these markets represent the next wave of revenue growth and are the future of any services business. The alternative is to offer a niche and tailored service to an increasingly small market. Doing both is critical for high growth.
Supporting the shift to managed and annuity service offerings
Just about all services businesses try to address the challenges of scale and profitability by offering managed services with predictable annuity-based fees and services. Assuming you have the systems and processes in place, this approach provides an elegant way to scale your business. Many cyber security advisors are also looking to integrate their managed SOC offerings or technical assurance service offerings with governance, risk, and compliance offerings.
What Are the Resulting Strategic Objectives?
The above challenges highlight several strategic objectives you need to have in place, as follows:
- More effectively focus on the re-use of intellectual property (IP);
- Put in place a system to automate workflows between you and your clients;
- Ensure the pre-configuration of client environments for seamless onboarding;
- Ensure there is the capability for analytics and benchmarking for you and your clients;
- Establish a leave-behind solution for ongoing client management and retention; and
- Open up opportunities to monetize the use of technology by your clients.
There are then two essential considerations in determining which approach meets your needs:
- Your upfront investment
Both of these are critical considerations for all services businesses.
How Can You Use Innovation & Technology to Achieve These Goals?
There is a range of approaches to addressing the needs of leaders and overcoming the problems highlighted in this document. These approaches include, but are not limited to:
- Developing macro-based spreadsheets accompanied by manual processes;
- Relying on client-supplied technology to automate complex tasks;
- Developing capability on one of many low-code platforms that are emerging;
- Customizing legacy GRC software like IBM OpenPages or RSA Archer to meet the needs of both advisors and their clients; and
- Relying on ‘people power’ and outsourcing initiatives to provide capability at scale.
All of the above have been options for some time. At 6clicks, however, our platform represents the next generation of multi-entity and white-labeled GRC, which we call 6clicks Hub & Spoke™, explicitly designed to support the interplay between advisors and clients.
What Innovation is 6clicks Bringing to the Table Right Now?
We are here to serve one purpose: easier, more efficient, and automated GRC for advisors, MSSPs, and clients alike.
Here's a short list of new releases and what's headed your way before Xmas:
- OUT NOW: 6clicks Pixel Perfect™ - automated compliance reporting for standards like PCI DSS, used widely across the financial services industry.
- COMING SOON: Integrated vulnerability scans – taking outputs from Qualys, Nessus, and other leading vulnerability scanning tools and integrating this data directly into 6clicks risk, issues, and actions modules to support end-to-end management.
- OUT NOW: AI-powered control gap assessment – building on our success using Hailey to identify overlaps between standards, laws, and regulations, Hailey now goes one step further and is able to identify compliance gaps and risks related to your internal control sets and policies.
- COMING SOON: Pre-defined and automated risk and issue identification – designed to operationalize and standardize service delivery for advisors, with the ability to develop standard risk and issue libraries to be used across client accounts and to prompt your advisors with issues and risks related to specific assessment questions or audit requirements.
- COMING SOON: A new ‘lite’ plan to support audit and assessment at scale – a new plan with unique features and pricing for advisory firms looking to perform audits and assessments across a large portfolio of clients at scale.
Automated (6clicks Pixel Perfect™) compliance reporting
So, think PCI DSS ROC reporting (section 6). If this (painful) process is familiar to you, consider the impact of going from audit (requirements-based assessment) to report at the click of a button. To boot, the report is generated in Microsoft Word format, so you can then edit, amend, and finish off the report offline, ready for submission directly to the standards body.
Better still, imagine being able to define the ‘bundle’ (the standard/framework, the audit or assessment template, and the Pixel Perfect™ report template) all in one hit, ready for download and use within an in-app marketplace.
Integrating vulnerability scans for a holistic risk picture
MSSPs and cyber security advisory firms tend to have two major divisions or practice areas: a) technology assurance and b) governance, risk, and advisory. These two worlds are typically run separately, save for common sales and relationship management activity. That said, it is in the client’s interest that technical vulnerabilities are managed in a single place alongside strategic and operational risks and issues. So, that’s what we’ve done: made it really easy for you and your clients to see and understand the big picture, including technology, people, and process views of the world.
Automating the grunt work of compliance using AI
Back when 6clicks was founded, we invested in artificial intelligence. It was a research project at that point, and a great deal of experimentation has taken place since then to find the most effective application of AI and, in fact, the requisite component parts that make up an intelligent, automated, and integrated system.
The upshot was our use of two ‘engines’ widely used in the field of artificial intelligence: natural language processing (NLP) and machine learning (ML). When Hailey (our AI engine) was born, the first cab off the rank was Hailey’s application to identifying similarities across provisions; in essence, identifying the overlap. The business case here is pretty obvious, and reporting in the platform speaks to the benefit: if you are aligned or compliant with framework X, then where are the gaps with framework Y?
More recently, Hailey has taken another (big) step, this time focused not on reducing the compliance footprint and overlap between frameworks or standards, but rather on identifying the coverage a control set provides in relation to a standard.
Automating risk and issue audit findings for re-use and consistency
Imagine if you could define a library of issues and risks, along with their associated candidate actions and risk treatment plans, and then, for each audit/assessment response, define the risks and issues that would apply based on that response. From there, your consultants just need to 'pick and go', as easy as 1-2-3.
Where Is 6clicks Taking Innovation Next?
Our brand new reporting and analytics suite is about to be unleashed. Total game changer. Stay tuned. The best of 6clicks is yet to come.
Developing a holistic view of your organization’s GRC program using 6clicks creates immediate value and ROI for your organization. Leverage your first-mover advantage with a renewed approach to governance, risk, and compliance. Download this free eBook that explains the Paradigm Shift in Modern Governance, Risk & Compliance.
Ready to get started on your GRC journey? Let 6clicks show you how easy bringing your teams together and curating your single-pane-of-glass landscape can be.
All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!
Fast, clear, smart, agile. #NoSpreadsheets 🚫