Blacksmith InfoSec

Get NIST-y

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.

Author

Blacksmith InfoSec

Category

Technology

Podcast website

blacksmithinfosec.com

Latest episode

Jul 7, 2026

Where to listen?

Podcasts in the app Replaio Radio Coming soon

Podcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts

Get it on Google Play Install for free Android 5M+ downloads · 4.8 rating iOS soon

Episodes

Stop Selling Compliance Like a Scary IT Project 07.07.2026

MSPs keep asking how to sell compliance without sounding like a fearmongering weirdo or a walking control spreadsheet. This episode is a talk from ChannelPro Chicago on why compliance sales usually go sideways, and what to do instead. Takeaways: - FUD is a weak sales strategy because whoever tells the best ghost story wins - Clients do not care about your feature list nearly as much as risk, progr...

Evidence Collection Without the Compliance Fire Drill 30.06.2026

Security questionnaires are not the finish line. They are the opening move in a negotiation, and saying “yes” to everything can create a bigger problem than admitting what is still in progress. In this episode of Get NIST-y, the cybersecurity and compliance podcast from Blacksmith InfoSec, Jared and Michael talk about turning evidence collection into a recurring habit instead of a Friday afternoon...

Shared Responsibility, Shared Delusion, and MSP Risk 23.06.2026

Shared responsibility gets ugly when the client wants compliance, but not ownership. This week's episode is about keeping MSPs out of the unpaid compliance department trap. We answer: - A medical client's cyber insurer wants annual security policies, but the doctors want the front desk to handle it. What now? - How should an MSP separate recurring compliance help from client-owned decision...

Compliance Without Security Is Just Paperwork 16.06.2026

Compliance is not security. Security is not compliance. But if you treat either one like a box-checking exercise, your client is going to have a bad time. In this episode of Get NIST-y, Jared and Mike talk with Shawn Duffy from Duffy Compliance Services about where SMBs, MSPs, and service providers keep stepping on the same rakes. Takeaways: - Why “we’re too small to be targeted” is technically tr...

If You’re Having Mac Problems, I Feel Bad for You Son 09.06.2026

Justin Esgar 's got 99 problems, but a Mac ain't one! Justin, the CEO of NYC-based MSP VirtuaComputer and host of the All Things MSP podcast, joins Get NIST-y to talk about the MSP myth that Macs are insecure, unmanageable, or somehow impossible to support without ritual sacrifice. Takeaways: - “We can’t secure Macs” usually means “we don’t know how” - Apple Business and domain claiming ar...

AI is Useful. AI Slop is Not 02.06.2026

AI can be wildly useful. It can also be a shiny button duct-taped onto your PSA, RMM, documentation platform, quoting tool, and possibly your coffee maker. This week on Get NIST-y, Jared and Mike talk about how MSPs can tell the difference between useful AI and vendor AI slop, plus what to ask before client data gets shoved into yet another “trust us bro” feature. Takeaways: - Useful AI should sol...

Security on a Shoestring 26.05.2026

In March 2026, Jared gave a talk titled "Security on a Shoestring" at BSides in San Francisco . This week on Get NIST-y, we're bringing that talk to you. We'll be back next week with more answers to your questions. Want to get your own question answered? Head over to https://blacksmithinfosec.com/nisty

Starting a Security-Focused MSP Without Selling on Fear 19.05.2026

A crowded market is not the same thing as a dead market. This week on Get NIST-y, we tackled two questions MSPs should think about before they start selling security with a PowerPoint and a scary ransomware story. We talked about whether it still makes sense to start a security-focused MSP in 2026, and what it actually means to be an M365-based MSP now that identity, governance, and security postu...

CMMC Level 2 Without Lighting Money on Fire 12.05.2026

CMMC gets treated like a monster project. A lot of the time, bad scoping is the real monster. This week on Get NIST-y, we focused on CMMC Level 2 for smaller companies and cut through the panic. We talked about how to keep costs under control, how to scope tightly around the people and systems that actually touch CUI, and why buying tools is not the same thing as being audit-ready. Get NIST-y is t...

Why SOC 2 Still Takes Forever and When You're Actually Ready 05.05.2026

SOC 2 gets sold like a clean checklist. It usually is not. This week on Get NIST-y, we tackled why evidence collection still eats so much time even when the data already exists, and how to tell whether you're truly ready for a SOC 2 Type 2 or just getting shoved there by sales. Get NIST-y is the podcast where we make compliance useful for MSPs instead of turning it into decorative paperwork. W...

Vendor Risk, Fake Automation, and the Green Check Trap 28.04.2026

A vendor questionnaire is not vendor risk management. This week on Get NIST-y, we use the Mythos supply chain mess as a reminder that your vendors' vendors can absolutely become your problem. Then we get into a second trap that deserves more skepticism: compliance platforms that promise automation but mostly hand you prettier green check marks. What we cover: - A SOC 3 by itself is not enough....

AI, Shadow SaaS, and the Security Theater Problem 21.04.2026

Some companies are treating AI like a productivity cheat code. Others are blocking it and pretending that solves the problem. Both approaches can go sideways fast. In this episode of Get NIST-y, we talk about what it actually looks like to handle AI usage and shadow IT without turning your environment into the Wild West or locking people down so hard they work around you anyway. - If you cannot ex...

Automation Doesn't Equal Security: Compliance Tools, Vanta, and MSP Reality 14.04.2026

Automation can help. It can also give you a very pretty false sense of security. In this episode of Get NIST-y, we get blunt about automated compliance platforms, evidence collection, and the gap between a green check mark and an actual security program. If you support SOC 2 or ISO 27001 work, this one is for you. - Automated evidence collection is useful, but APIs break, integrations miss things,...

Axios Fallout: What MSPs Should Do After a Supply Chain Hit 07.04.2026

A vendor supply chain incident is not just a developer problem. If your vendors ship software, your MSP is in the blast radius whether you wrote a line of code or not. In this special Get NIST-y episode, Jared and Mike break down what MSPs should actually do in the wake of the Axios compromise, both before the next incident and after one lands. This is practical security and compliance advice for...

Security Frameworks, Non-Negotiables, and Risky Clients 31.03.2026

Some MSP clients want to move fast on security. Others only reply when something is on fire. In this episode of Get NIST-y, the podcast from Blacksmith InfoSec where we turn compliance into practical security for MSPs, we get blunt about what actually moves clients forward and what just creates more noise. The big theme is simple: stop piecing security together from random advice and start operati...

MSP Security Theater, Trustmarks, and the Community Effect 24.03.2026

A lot of MSPs say they “do security.” That does not mean they do enough of it. In this episode of Get NIST-y, Jared and Mike sit down with Josh Hohbein of Centrex IT to talk about where MSP security is getting better, where it still falls apart in the real world, and why community reputation matters more than most vendors want to admit. Takeaways: - A lot of MSPs offer security, but the depth of c...

Cyber Insurance Forms, MFA, and Risky MSP Assumptions 17.03.2026

Some compliance mistakes are boring. These are not. In this episode of Get NIST-y, Jared and Mike tackle two real-world MSP questions that can create liability fast if you handle them the wrong way. They break down where MSPs should help, where they should back off, and how to think clearly about MFA when the framework language gets fuzzy. - Why MSPs should not fill out cyber insurance questionnai...

Compliance as a Service: Cadence, Risk, Real Deliverables 10.03.2026

Compliance as a service can either calm the chaos or torch your calendar. The difference is whether you’re running a structured security program or improvising. In this episode, we talk about what MSPs should actually deliver, and how to sell it without sounding like you’re selling “compliance.” Key takeaways: - The real deliverable is visibility: a clear view of risk, progress, and what’s next. -...

Templates Without the Cookie Cutter: Standardize, Customize, Prove Progress 03.03.2026

Templates are supposed to make you faster. But MSPs live in the real world, where a dentist office and a law firm do not need the same controls, the same tolerance for friction, or the same “this is fine” risk posture. In this episode of Get NIST-y, Jared and Mike break down how to standardize your compliance approach without pretending every client is identical, and how to demonstrate progress wh...

Compliance as a Business Advantage: Risk Appetite, Roadmaps, and Where to Start 24.02.2026

In this episode of Get NIST-y, Jared Casner and Michael Zbarsky dig into how compliance can be more than a burden. Done right, it becomes a business advantage. Listener questions we answer: Wendy (MSP in Scottsdale): “Many clients say they want compliance, but what they really mean is ‘help us pass an audit cheaply.’ How do I reframe the conversation so leadership sees compliance as risk reduction...

Using Quarterly Meetings to Boost MRR 17.02.2026

In this special, bonus episode of Get NIST-y, we're joined by our friend Ian Richardson from Fox & Crow Group . Your existing customer base offers your greatest source of additional revenue. Whether you're meeting with your clients daily, quarterly, or once a decade (hopefully not the latter!), the best thing you can be doing is building the relationship and positioning yourself as a strategic...

Compliant AI: Can We Use LLMs Without Getting Fired? 10.02.2026

If you're like most MSPs (or their end clients), you're wrestling with how to protect data and IP while also letting people use AI responsibly. If you don't allow AI use, you know your users will find a way. Our first question this week centers around how you can use AI responsibly while also remaining compliant. Our second question is around building and managing security programs. En...

Vendor Risk: The Spreadsheet Strikes Back 03.02.2026

Vendor risk is where good intentions go to die in a spreadsheet. This week on Get NIST-y, we're tackling some user questions about third-party risk management (TPRM). Question 1: How do companies actually run supplier and third-party risk assessments today, and what makes the process 10x easier? Question 2: We have policies but nobody reads them. How do you get attestations done and track it w...

NIS2 and the Tyranny of the Word ‘Continuous’ 27.01.2026

NIS2 keeps showing up in conversations, and one word is causing most of the panic: continuous. Question 1: For NIS2, what’s a realistic, defensible way to handle “continuous” vendor and supplier monitoring without chasing 40 vendors by email every week? Question 2: How are teams supposed to do “continuous” asset inventory when legacy systems and unknown dependencies make scanning risky? Want to ge...

Continuous Compliance Isn’t a Product Feature 20.01.2026

Everyone’s selling “continuous compliance” right now. Cool. But what does that look like in a real company with real humans? Today we tackle this topic thanks to 2 related listener questions. Question 1: Is continuous compliance actually happening in smaller SOC 2 / ISO programs, or do we all still sprint before audits? Question 2: Our SOC 2 deadline is close and training completion is stuck at 20...

Listen to the Get NIST-y podcast in Replaio

Radio and podcasts in one app - free, with no sign-up. Install today and do not miss the launch

Get it on Google Play

Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.