Report: Compliance Service Providers Struggle to Differentiate

Security, compliance, and risk platform for service providers, Apptega, recently released findings from its second annual report on compliance, indicating that the market is maturing, yet crowded, with 87 percent of security providers now offering compliance services.

The State of Continuous Compliance Report is a survey conducted from February to April 2025 among practice leaders and senior operators. Those surveyed are from more than 150 providers that offer security services.

Key report findings on continuous compliance services in the market

Despite 87 percent of security providers offering compliance services, primarily delivered as consultative and advisory work, 31 percent of providers report an average or lower ability to differentiate themselves. Additionally, one in three struggles to consistently demonstrate value and return on investment. This limits both cross-sell potential and long-term engagement.

The key findings of the report include:

• 90 percent of providers say they face challenges differentiating and standing out in a crowded market.
• 87 percent say automation is a high priority, but manual workflows remain common.
• 66 percent primarily use a GRC or compliance automation platform, and 16 percent still rely on spreadsheets as their main tool, with spreadsheet usage up 50 percent year-over-year.
• Providers with stronger perceived differentiation tend to use GRC/compliance automation platforms or custom-built solutions to deliver compliance services.

Further, only 25 percent of providers met their recurring revenue targets in 2024.

“As compliance becomes mission-critical for organizations of all sizes, security service providers are adapting, but not without friction,” said Rahul Bakshi, chief product officer at Apptega. “While the State of Continuous Compliance Report data shows demand is real, most providers haven’t yet unlocked scalable delivery, sustainable recurring revenue, or the market positioning needed to fully capitalize on compliance as a growth engine. For those that have, the payoff is clear.”

Managed services continue to drive strong recurring revenue

The report also found that service providers offering compliance as a managed service are outperforming their peers on recurring revenue, with 44 percent of managed compliance providers saying at least 25 percent of their compliance revenue is recurring, compared to just 28 percent of consulting-first firms.

“Client demand for continuous compliance, better risk management, and improved visibility into security maturity is rising faster– as is pressure for providers to turn it into scalable, recurring revenue,” said Dave Colesante, CEO at Apptega. “Delivering a clear, actionable roadmap showing where they are today and how you’ll help close gaps, both technically and from a business perspective, requires an end-to-end solution that spreadsheets and disconnected tools simply can’t match.”

The report also finds that many providers are still navigating the shift from traditional processes to scalable systems since spreadsheet use increased this year. There is movement toward automation, with more providers using GRC and compliance automation platforms as primary delivery tools, however.

“Continuous compliance management is a critical defensive measure to reduce overall business risk in an aggressive cybersecurity landscape,” said Bakshi. “While there will always be organizations approaching compliance as a check box exercise, security providers working with customers to operationalize it as a continuous process and close companion to security will see the greatest recurring revenue success.”

Meeting compliance standards in the age of AI is an important factor for organizations’ business growth. Read more about Diligent’s new studio, which is aimed at streamlining GRC analytics and reducing the cost of control management.