Chapter 6: How to Price Your Services

Chapter 6 evaluates various pricing models for your compliance offering so you can choose the right fit for your MSP. Use the Pricing Calculator below to figure out how much revenue your compliance offering can generate.

6.1

Pricing Strategies

Fixed-Fee
Pros:
  • Predictable revenue and costs for clients
  • Simplified billing
  • Encourages MSPs to be efficient
Cons:
  • Risk of scope creep
  • Risk of underestimating cost of delivery
  • Rigid structure with less flexibility

Per-User
Pros:
  • Scalable revenue
  • Predictable budgeting for clients
  • Encourages comprehensive “full-stack” coverage (opportunity to upsell)
Cons:
  • Complexity in tracking users
  • Potentially unpredictable revenue with user fluctuations
  • Pricing is tied to users, rather than service efficiency

Hourly Rate (with a baseline minimum)
Pros:
  • Flexible hybrid billing for projects with variable scopes
  • Transparent costs (clients only pay for exact amount of time worked)
Cons:
  • Unpredictable revenue
  • Potential for higher costs
  • MSP is not incentivized to work efficiently

Monthly Retainer (MRR)
Pros:
  • Stable monthly cash flow
  • Client retention
  • Predictable workload
  • Offering an “all or nothing” stack ensures comprehensive coverage at a price that works for you
Cons:
  • Potential underutilization if clients don’t take advantage of full value
  • Scope definition must be clear to avoid disputes
  • Risk of client complacency (clients pay a flat rate and “check out”)

Project Based
Pros:
  • Clear deliverables
  • Motivates timeliness based on project milestones
  • Flexibility for complex projects or one-time initiatives
Cons:
  • Scope changes lead to additional negotiations and roadblocks
  • Variable revenue affects cash flow
  • Risk of underestimating effort

Value Based
Pros:
  • Higher margins
  • Projects align with client needs
  • Competitive edge by focusing on value delivered
Cons:
  • Complex value assessments can be difficult to quantify
  • Requires strong justification and clear communication
  • Misalignment can strain client relationship
6.2

Pricing Considerations

Monthly Recurring Costs (MRC)

Compliance Monitoring & Maintenance:

  • Continuous Monitoring: Ongoing monitoring of systems and processes to ensure compliance with frameworks like SOC2, CMMC, etc.
  • Automated Reporting: Regularly generate and review compliance reports.
  • Policy Management: Regular updates and reviews of security policies and procedures.
  • Training & Awareness: Continuous training sessions and updates on compliance best practices for staff.
  • Vulnerability Management: Regular scanning and patch management.

Cost Structure:

  • Typically charged per user or per device, depending on the complexity and size of the client’s environment.
  • Average range: $50 to $150 per user/device per month.

Security Information & Event Management:

  • Log Management: Collection, management, and analysis of logs to identify potential security threats.
  • Threat Detection & Response: 24/7 monitoring and response to security incidents.

Cost Structure:

  • Often based on the volume of data processed or the number of events per second (EPS).
  • Average range: $1,000 to $5,000 per month, depending on the size and complexity.

Regular Compliance Audits & Assessments:

  • Internal Audits: Quarterly or semi-annual internal audits to assess the current compliance status.
  • Gap Analysis: Regularly reviewing the system against the desired compliance framework to identify gaps.

Cost Structure:

  • These can either be included in the MRC or charged separately, depending on the contract.
  • If included, expect an increase in the base MRC by $500 to $2,000 per month.

Incident Response & Remediation Support:

  • On-Call Support: Availability of experts to address any security incidents or compliance-related issues.
  • Remediation Plans: Assistance in creating and executing remediation plans for compliance gaps.

Cost Structure:

  • Typically included in a comprehensive MRC package.
  • May also be charged as an additional service, adding $500 to $1,500 per month.

Project-Based Costs

Initial Compliance Evaluation:

Initial Compliance Evaluations are one-time projects where you assess a client’s current state of compliance and identify gaps. This includes:
  • Comprehensive Assessment:
    • Full assessment of the current security posture and compliance against a specific framework (e.g., SOC2, CMMC, FTC Safeguards).
  • Deliverables:
    • A detailed report outlining current gaps, a remediation roadmap, and recommendations.
Cost Structure:
  • Depends on the size of the organization and complexity of the environment
  • Average range for small businesses: $3,000 to $7,500

Policy and Procedure Development:

Policy and Procedure Development involves updating and maintaining compliance-related documentation for your clients to ensure their controls, policies, and procedures align with the latest framework regulations. This includes:
  • Implementation of Controls:
    • Assisting with the implementation of specific controls, such as multi-factor authentication (MFA), encryption, or data loss prevention (DLP) to adhere to specific compliance frameworks and regulatory standards.
  • Documentation & Policy Creation:
    • Developing or updating necessary documentation and policies.
Cost Structure:
  • Project cost varies depending on scope and complexity.
  • Average range for small businesses: $2,000 to $5,000 per framework

Audit Preparation:

Pre-audit preparation is a one-off project that ensures the client is ready for an external audit by reviewing documentation and verifying controls. This includes:
  • Pre-Audit Readiness:
    • Helping prepare for an official audit, including mock audits, documentation reviews, and auditor coordination.
  • Support During Audit:
    • Providing support and guidance during the audit process.
Cost Structure:
  • One-time fee based on the scope of work.
  • Average range for small businesses: $5,000 to $10,000

Ongoing Audit Support:

Ongoing Audit Support involves assisting clients during audits by providing documentation, answering auditor questions, and ensuring the audit runs smoothly. This includes:
  • Auditor Communication: 
    • Directly addressing auditor questions and providing supporting documentation on behalf of your client.
  • General Audit Oversight: 
    • Managing all blockers and barriers to ensure a smooth audit process.
Cost Structure:
  • This can be a substantial project depending on the existing state of the client’s environment. Be sure to adjust your price range depending on your team’s hourly commitment and scope of work.
  • Average range for small businesses: $2,500 to $7,500

Customization and Flexibility

Custom Packaging and Pricing:

Given the variability in client needs, a significant portion of the pricing can be customized.
Some clients might require only the essentials, while others may need comprehensive services including:

  • Frequent on-site visits
  • Additional consulting hours
  • Bespoke compliance solutions.
Bundle Discounts:

For clients who engage in both MRC and multiple project-based services, discounts may be offered.

  • Discounts on Projects: If the client is on a high-tier MRC plan, project costs might be reduced by 10-20%.
  • Tiered Pricing: Offering tiered MRC packages where higher tiers include a bundle of services at a lower combined rate.
Contract Terms:
  • Annual Contracts: Typically, MRCs are locked in for annual contracts with discounts for multi-year commitments.
  • On-Demand Services: For clients who need flexibility, certain services may be offered on a one-time or on-demand basis, usually at a premium rate.
6.3

Pricing Calculator

This Compliance Pricing Calculator will help you determine how much revenue your MSP can generate based on your number of clients, devices per client, fixed monthly fees, and one-off compliance projects.

6.4

Pricing Examples

15-Seat Client

One-Time Projects

Considering the smaller scale (15 seats), the cost for each one-time project is on the lower end of the standard range:

Internal Compliance Evaluation: $3,000

Pre-Audit Preparation: $5,000

Ongoing Audit Support: $2,500

Policy & Procedure Development: $2,000

Total One-Time Costs: $12,500

Monthly Recurring Costs (MRC)

Due to the small scale (15 seats), the price per user is slightly higher at $125 per month:

Continuous Compliance Monitoring & Maintenance: $1,875

Security Information & Event Management (SIEM): $1,500

Regular Compliance Audits & Assessments: $500

Incident Response & Remediation Support: $500

Total Monthly Recurring Costs: $4,375

Summary of Quoted Prices

Total One-Time Costs: $12,500

Total Monthly Recurring Costs: $4,375

45-Seat Client

One-Time Projects

Considering the mid-sized scale (45 seats), the cost for each one-time project is on the higher end of the standard range:

Internal Compliance Evaluation: $6,000

Pre-Audit Preparation: $7,500

Ongoing Audit Support: $5,000

Policy & Procedure Development: $4,000

Total One-Time Costs: $22,500

Monthly Recurring Costs (MRC)

Due to the mid-sized scale (45 seats), the price per user is slightly lower at $75 per seat per month:

Compliance Monitoring & Maintenance: $3,375

Security Information & Event Management (SIEM): $2,500

Regular Compliance Audits & Assessments: $1,500

Incident Response & Remediation Support: $1,000

Total Monthly Recurring Costs: $8,375

Summary of Quoted Prices

Total One-Time Costs: $22,500

Total Monthly Recurring Costs: $8,375

6.5

Strategies For Negotiating Contracts and Terms:

Don’t be afraid to say no!

Compliance is expensive to implement. Clients who want the cheapest price are less likely to buy into the process and instill a culture of compliance, which can make them difficult to work with long-term.

Remind clients the risk is theirs.

You can only show your clients the risks and offer recommendations, but they need to decide their risk level based on their own comfort — and how much they’re willing to pay to safeguard against these risks.

Bundle all services together at a flat rate.

Offering clients an “all or nothing” stack makes it easier to ensure comprehensive coverage (minimizing risk) and clear contract terms (managing client expectations).
6.6

Budget Considerations

Grants:

Depending on your client’s location and industry, there are a variety of grants available to help support SMBs on their journey to compliance. If you can source these grants for your clients, you can help them find the necessary funding to cover the cost of your services — and further justify your value.

Pricing Tiers:

Depending on the size of each individual client you serve, you may want to consider various pricing tiers. These tiers allow a lower entry point for smaller businesses who cannot afford top-tier services, but still need assistance with compliance and risk management. By accommodating these SMBs with an accessible solution at a lower price point, you can nurture the relationship and upsell them to more comprehensive services as their business grows.

Scalability & Flexibility:

As your MSP grows and your clients’ needs evolve, you want to be flexible enough to accommodate these changes. This can include hiring additional technicians, expanding IT infrastructure, and adapting to new compliance regulations that may develop in the future.