Get NIST-y

Blacksmith InfoSec
  • 5.0 (1)
  • TECHNOLOGY
  • UPDATED WEEKLY

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.

  1. 3D AGO

    Compliance as a Service: Cadence, Risk, Real Deliverables

    Compliance as a service can either calm the chaos or torch your calendar. The difference is whether you’re running a structured security program or improvising. In this episode, we talk about what MSPs should actually deliver, and how to sell it without sounding like you’re selling “compliance.” Key takeaways: - The real deliverable is visibility: a clear view of risk, progress, and what’s next. - A living risk register keeps issues from disappearing between QBRs. - Tabletop exercises are “as needed,” not “once a year.” New execs and new processes change the math. - Bundle a small monthly cadence, then use a short T&M sprint when a client suddenly needs to hit a deadline. We answer: - Is compliance as a service worth getting into, or is it just another way to light your calendar on fire? - What does the real deliverable look like if you’re doing it right? - How do you sell it without sounding like you’re selling compliance? Bundle it, itemize it, or wait until clients are forced? Submit your own question(s) at https://blacksmithinfosec.com/nisty/

    24 min

  2. MAR 3

    Templates Without the Cookie Cutter: Standardize, Customize, Prove Progress

    Templates are supposed to make you faster. But MSPs live in the real world, where a dentist office and a law firm do not need the same controls, the same tolerance for friction, or the same “this is fine” risk posture. In this episode of Get NIST-y, Jared and Mike break down how to standardize your compliance approach without pretending every client is identical, and how to demonstrate progress when meaningful risk reduction takes months or years. Listener questions we answer: John (Salt Lake City): How can I balance standardization (templates, baselines, stacks) with the reality that every client’s risk profile and culture is different? Amelia (Denver): What’s the best way to demonstrate progress to a client when meaningful risk reduction takes months or years? What we cover: Why templates should be “framework + variables,” not one-size-fits-all How to handle exceptions without nuking your baselines (track them as risk, assign owners, build a plan) Quick, visible wins: user audits (especially contractors), tightening identity, and cleaning up access Progress metrics clients can actually understand, like risk register closure rate and Microsoft Secure Score trends Enforced SSO as the cheat code for inheriting MFA and reducing both risk and user friction Lightweight incident response planning: asking the right “what happens if…” questions without making it a huge production Follow/subscribe for more practical compliance guidance for MSPs.Got a question you want us to answer on the show? Submit it here: https://blacksmithinfosec.com/ask

    24 min

  3. FEB 24

    Compliance as a Business Advantage: Risk Appetite, Roadmaps, and Where to Start

    In this episode of Get NIST-y, Jared Casner and Michael Zbarsky dig into how compliance can be more than a burden. Done right, it becomes a business advantage. Listener questions we answer: Wendy (MSP in Scottsdale): “Many clients say they want compliance, but what they really mean is ‘help us pass an audit cheaply.’ How do I reframe the conversation so leadership sees compliance as risk reduction and business protection, not checkbox theater?” Frank: “If a client has limited budget and maturity, where should I start: policies, tools, risk assessment, or controls? What sequencing creates visible progress without overwhelming the organization?” What you’ll take away: Why audits and security are not the same thing, and how to explain that without fear-based selling How to anchor the conversation around business risk and risk appetite Why a framework + roadmap reduces decision fatigue compared to selling one-off tools How a shared risk register keeps both the MSP and the client accountable When to start with a risk assessment vs when to start with policies as the blueprint Links: Listen and submit your question: https://blacksmithinfosec.com/nisty

    29 min

  4. FEB 17 · BONUS

    Using Quarterly Meetings to Boost MRR

    In this special, bonus episode of Get NIST-y, we're joined by our friend Ian Richardson from Fox & Crow Group. Your existing customer base offers your greatest source of additional revenue. Whether you're meeting with your clients daily, quarterly, or once a decade (hopefully not the latter!), the best thing you can be doing is building the relationship and positioning yourself as a strategic partner. From there, good things follow. Listen in as we talk to a former MSP and current master of sales to get some practical advice on sales and account management. Want to get your own questions answered? You can ask them at https://blacksmithinfosec.com/ask

    48 min
  5. Compliant AI: Can We Use LLMs Without Getting Fired?

    FEB 10

    Compliant AI: Can We Use LLMs Without Getting Fired?

    If you're like most MSPs (or their end clients), you're wrestling with how to protect data and IP while also letting people use AI responsibly. If you don't allow AI use, you know your users will find a way. Our first question this week centers around how you can use AI responsibly while also remaining compliant. Our second question is around building and managing security programs. Enjoy! Question 1: If you’re in a regulated industry, are you banning LLMs outright, or is there a compliant way to use them without leaking sensitive data? Question 2: If a regulator-driven assessment tool is being sunset, how do you pick a replacement framework or assessment approach without starting over from scratch? Ask us anything at https://blacksmithinfosec.com/ask and make sure to hit follow so you don't miss the answer!

    24 min

  6. FEB 3

    Vendor Risk: The Spreadsheet Strikes Back

    Vendor risk is where good intentions go to die in a spreadsheet. This week on Get NIST-y, we're tackling some user questions about third-party risk management (TPRM).Question 1: How do companies actually run supplier and third-party risk assessments today, and what makes the process 10x easier? Question 2: We have policies but nobody reads them. How do you get attestations done and track it without manual babysitting? Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    25 min

  7. JAN 27

    NIS2 and the Tyranny of the Word ‘Continuous’

    NIS2 keeps showing up in conversations, and one word is causing most of the panic: continuous. Question 1: For NIS2, what’s a realistic, defensible way to handle “continuous” vendor and supplier monitoring without chasing 40 vendors by email every week? Question 2: How are teams supposed to do “continuous” asset inventory when legacy systems and unknown dependencies make scanning risky? Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    25 min

  8. JAN 20

    Continuous Compliance Isn’t a Product Feature

    Everyone’s selling “continuous compliance” right now. Cool. But what does that look like in a real company with real humans? Today we tackle this topic thanks to 2 related listener questions. Question 1: Is continuous compliance actually happening in smaller SOC 2 / ISO programs, or do we all still sprint before audits? Question 2: Our SOC 2 deadline is close and training completion is stuck at 20%. How do we fix this without turning into the Training Police? In this episode, we referenced some videos on social engineering. Here are some links to our favorites: https://youtu.be/lc7scxvKQOo?si=DxCSbATtVNEsl8Vfhttps://youtu.be/PWVN3Rq4gzw?si=InAvEbxQ-VrCya2yWant to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    22 min
See All (28)

About

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.

Information

  • Creator
    Blacksmith InfoSec
  • Years Active
    2025 - 2026
  • Episodes
    28
  • Rating
    Explicit
  • Copyright
    © Blacksmith InfoSec
  • Show Website
    Get NIST-y