This month, Commercial Integrator once again invites several prominent members of The ASCII Group — the oldest and largest independent IT community in the world, with 1,300-plus members across North America — to share their perspectives on topical issues affecting not only MSPs but also the broader technology trades.
This time, we turn to regulatory requirements, which can be national, regional or local, in addition to being specific to a particular industry. How do technology businesses navigate this potentially fraught landscape?
Read on to learn the perspectives of the following members of The ASCII Group: Angel R. Rojas, Jr., president and CEO, DataCorps Technology Solutions; David Laughlin, CEO, DML IT Solutions; Paul Nebb, founder/CEO, Titan Technologies, LLC; and David Cox, CISSP, chief security officer, AvTek Solutions.
Commercial Integrator: What are the types of regulatory requirements to which your business is currently subject? Are these primarily national, regional, local or industry-specific?
Angel R. Rojas, Jr.: We’re primarily subject to national and state-level regulations. Federally, we deal with laws like HIPAA and GLBA based on the industries we serve. At the state level, we comply with the Florida Information Protection Act (FIPA), which governs how personal information must be protected and reported if compromised. There aren’t industry-specific regulations for IT itself — it’s all based on the client’s regulatory environment.
David Laughlin: We navigate a range of federal and state regulations. Key requirements include HIPAA for healthcare, GLBA for financial services and the California Consumer Privacy Act (CCPA) for data privacy. In addition, we align with industry-specific standards like PCI DSS to support our clients’ security and compliance needs. Our focus is on meeting both broad regulatory expectations and the specific demands of the industries we serve.
Paul Nebb: Depending on your industry and the clients you support, you might be subject to regulatory compliance. These requirements are primarily national and industry-specific, and they include the FTC Safeguards Rule, HIPAA for healthcare organizations, GLBA for financial institutions and CMMC for defense contractors. Some states, such as New York, California and Massachusetts, to provide some examples, have state-specific requirements for certain industries that are greater than the national guidelines. In addition, certain industries, such as CPA firms and law practices, must adhere to ethical obligations that, although not always codified as federal mandates, require strong data-protection standards to safeguard client confidentiality and privileged information.
David Cox: Our industry does not require any regulatory compliance. However, because we deal with clients in the financial services industry, we are aligning with the SOC 2, NIST CSF 2.0 and GTIA Trustmark frameworks. All three of these frameworks are valid nationwide, so we are not limited geographically when pursuing business.
CI: How challenging do you find it to stay compliant with these regulations? Would you describe it as a constant hurdle, or do you feel your business has a solid handle on it?
Rojas, Jr.: Staying compliant is an ongoing discipline — not a one-time effort. We have a strong handle on it because we run a process-driven business where compliance requirements are naturally produced by the way we work. That said, it’s critical to have a strong relationship with an attorney who specializes in privacy law, as well as to maintain regular communication with them. They help us ensure our processes and systems stay aligned with evolving regulations, and they advise when adjustments are needed. Conducting an annual risk assessment is also a major part of our approach to proactively identifying and addressing gaps before they become liabilities.
Laughlin: Maintaining compliance requires ongoing vigilance and adaptability — not a one-time effort. Regulatory landscapes evolve rapidly, requiring constant vigilance and adaptation. Although managing multiple frameworks can be complex, a proactive approach, rooted in strong processes and regular reviews, allows us to stay ahead rather than just reacting to compliance challenges.
Nebb: Compliance should not be viewed as a one-time task but, rather, as an ongoing discipline, and it needs to become an integral part of how you operate as an organization. Although staying up to date with changing regulations can introduce periodic challenges, we’ve developed a framework that emphasizes proactive readiness. Through consistent training, process documentation, strategic automation and alignment with industry best practices, we’ve embedded compliance into our organizational culture. Rather than being a hurdle, it becomes a daily habit — much like preventative maintenance is. When done regularly and intentionally, it helps avoid larger, more costly issues down the road.
Cox: I feel as though we have a solid handle on these regulations, and we have made compliance a business priority. It’s a lot of work, but it’s also necessary in our line of business.
CI: What tools, strategies or resources would you recommend to peers in the tech industry who are struggling with compliance and who are looking for guidance to better protect their businesses?
Rojas, Jr.: The best advice I can give is to build your business around disciplined processes in which compliance artifacts — documentation, records, risk assessments — are the natural output of day-to-day operations. Don’t rely on after-the-fact scrambling or bandage-style tools. Invest in structured internal communication, ticketing, change management and risk-assessment processes. Most importantly, understand that compliance isn’t achieved through checklists or shiny tools; rather, it’s achieved by running a disciplined, intentional business every day, with expert legal guidance shaping how you operate.
Laughlin: Successful compliance begins with structure and visibility. We recommend adopting a flexible compliance-management platform to centralize requirements, automate audits and simplify reporting. Tools like Compliance Manager GRC can help organizations identify applicable standards and manage evolving risks. Regular internal assessments, ongoing staff training and engagement with peer networks strengthen a company’s ability to adapt and maintain compliance. Embedding structure and clear processes into everyday operations lays the foundation for a strong culture of compliance that will drive resilience and position the business for sustainable growth.
Nebb: The first step toward meaningful compliance is conducting a comprehensive risk assessment. This provides a clear baseline, and it reveals existing gaps in security or policy alignment. From there, a structured compliance roadmap tailored to the relevant regulatory frameworks (e.g., NIST, HIPAA, CMMC) can guide the next steps. One of the most overlooked, yet critical, strategies is education: empowering your team to understand why compliance matters — not just what must be done. Compliance isn’t the responsibility of one department; rather, it requires cross-functional collaboration, including input from legal, insurance and IT security stakeholders. Most importantly, remember that compliance is not static. It evolves as your business grows and as regulatory landscapes shift. Treat your compliance framework as a living program that is reviewed, tested and updated regularly.
Cox: Vendor tooling matters a great deal from the perspective of whether it can provide you with the information you require to manage your compliance stance. We have spent a great deal of time determining the vendors and tools that best serve our needs. However, those tools might be different for other people. For us, the key to tracking our compliance status is a good portal to manage all the information. After evaluating a lot of different platforms, we decided to use Cynomi for our compliance tracking, as well as for our customers. The strategy we take and relay to our clients is that compliance is a journey — not a destination. You have to get started, and you can’t allow perfection to get in the way. An OK policy or procedure is better than no policy or procedure. And by continuously reviewing and improving both, you can become more aligned with any framework as time goes on.