Get NIST-y

Blacksmith InfoSec
  • 5.0 (1)
  • TECHNOLOGY
  • UPDATED WEEKLY

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.

  1. Compliant AI: Can We Use LLMs Without Getting Fired?

    3D AGO

    Compliant AI: Can We Use LLMs Without Getting Fired?

    If you're like most MSPs (or their end clients), you're wrestling with how to protect data and IP while also letting people use AI responsibly. If you don't allow AI use, you know your users will find a way. Our first question this week centers around how you can use AI responsibly while also remaining compliant. Our second question is around building and managing security programs. Enjoy! Question 1: If you’re in a regulated industry, are you banning LLMs outright, or is there a compliant way to use them without leaking sensitive data? Question 2: If a regulator-driven assessment tool is being sunset, how do you pick a replacement framework or assessment approach without starting over from scratch? Ask us anything at https://blacksmithinfosec.com/ask and make sure to hit follow so you don't miss the answer!

    24 min

  2. FEB 3

    Vendor Risk: The Spreadsheet Strikes Back

    Vendor risk is where good intentions go to die in a spreadsheet. This week on Get NIST-y, we're tackling some user questions about third-party risk management (TPRM).Question 1: How do companies actually run supplier and third-party risk assessments today, and what makes the process 10x easier? Question 2: We have policies but nobody reads them. How do you get attestations done and track it without manual babysitting? Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    25 min

  3. JAN 27

    NIS2 and the Tyranny of the Word ‘Continuous’

    NIS2 keeps showing up in conversations, and one word is causing most of the panic: continuous. Question 1: For NIS2, what’s a realistic, defensible way to handle “continuous” vendor and supplier monitoring without chasing 40 vendors by email every week? Question 2: How are teams supposed to do “continuous” asset inventory when legacy systems and unknown dependencies make scanning risky? Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    25 min

  4. JAN 20

    Continuous Compliance Isn’t a Product Feature

    Everyone’s selling “continuous compliance” right now. Cool. But what does that look like in a real company with real humans? Today we tackle this topic thanks to 2 related listener questions. Question 1: Is continuous compliance actually happening in smaller SOC 2 / ISO programs, or do we all still sprint before audits? Question 2: Our SOC 2 deadline is close and training completion is stuck at 20%. How do we fix this without turning into the Training Police? In this episode, we referenced some videos on social engineering. Here are some links to our favorites: https://youtu.be/lc7scxvKQOo?si=DxCSbATtVNEsl8Vfhttps://youtu.be/PWVN3Rq4gzw?si=InAvEbxQ-VrCya2yWant to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    22 min

  5. JAN 13

    If Nothing’s Broken, Why Fix Security? Making Cyber Risk Visible

    If your systems are running and nothing bad has happened, how should leaders think about cyber risk? In this episode, we tackle two listener questions. Kevin, a COO in Phoenix, asks how business leaders should evaluate security risk when there has been no breach, outage, or audit failure to force the issue. Allison, an IT Director in Portland, wants to know how to show real progress in cybersecurity and compliance when success mostly looks like nothing going wrong. We break down how to think about cyber risk proactively, why progress often feels invisible, and how MSPs and business leaders can talk about security in a way that actually makes sense to executives. Have a security or compliance question you want us to cover? Submit it at blacksmithinfosec.com/ask.

    21 min

  6. JAN 6

    Compliance Predictions for 2026

    We're kicking off the 2026 season of Get NIST-y with some predictions about what's to come in the world of compliance and cybersecurity. At the end of year, we'll make sure to grade ourselves on how well we predicted things, too. Want to get your compliance or cybersecurity questions answered? Head over to https://blacksmithinfosec.com/ask

    23 min
  7. A little rapping paper for the holidays

    12/30/2025 · BONUS

    A little rapping paper for the holidays

    We're taking this week off, so instead of hearing us talk about compliance this week, you get to hear us rap!

    3 min

  8. 12/23/2025 · BONUS

    A NIST-y Review of 2025

    In this special episode, Mike and Jared talk about the compliance trends and cybersecurity disasters in an entertaining recap of 2025. Stay tuned for the 2026 preview! Want to get your own questions about cybersecurity or compliance answered? Head on over to https://blacksmithinfosec.com/ask

    20 min
See All (24)

About

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.

Information

  • Creator
    Blacksmith InfoSec
  • Years Active
    2025 - 2026
  • Episodes
    24
  • Rating
    Explicit
  • Copyright
    © Blacksmith InfoSec
  • Show Website
    Get NIST-y