If You’re Having Mac Problems, I Feel Bad for You Son

If You’re Having Mac Problems, I Feel Bad for You Son

Justin Esgar [https://www.linkedin.com/in/justinesgar/]'s got 99 problems, but a Mac ain't one! Justin, the CEO of NYC-based MSP VirtuaComputer [https://www.virtuacomputers.com/] and host of the All Things MSP podcast, joins Get NIST-y to talk about the MSP myth that Macs are insecure, unmanageable, or somehow impossible to support without ritual sacrifice. Takeaways: - “We can’t secure Macs” usually means “we don’t know how” - Apple Business and domain claiming are basic security hygiene - Macs being more secure by default does not mean they are (a) more secure or (b) automatically compliant We answer: - Can Macs be managed and secured at scale? - What does Mac compliance look like for NIST, CIS, and CMMC? - Where do Jamf, Addigy, Intune, and Apple Business fit? - Why are some MSPs still treating Macs like cursed objects? Submit your question: https://blacksmithinfosec.com/nisty/

AI is Useful. AI Slop is Not

AI can be wildly useful. It can also be a shiny button duct-taped onto your PSA, RMM, documentation platform, quoting tool, and possibly your coffee maker. This week on Get NIST-y, Jared and Mike talk about how MSPs can tell the difference between useful AI and vendor AI slop, plus what to ask before client data gets shoved into yet another “trust us bro” feature. Takeaways: - Useful AI should solve a real workflow problem, not create a paragraph you now have to babysit. - If you do not know where your data is going, you are not protecting it. - Read the MSA, DPA, privacy policy, subprocessors list, and AI terms before enabling AI features. - Vendors adding AI may be making a material product change, and your contract should matter. We answer: - How can MSPs separate useful AI from vendor AI slop? - What questions should MSPs ask before using AI features with client data? - Should vendors provide a separate DPA, AI addendum, opt-in, or click-through? - Is “trust us bro” now apparently a compliance framework? Submit your question: https://blacksmithinfosec.com/nisty/

Security on a Shoestring

In March 2026, Jared gave a talk titled "Security on a Shoestring" at BSides in San Francisco [https://bsidessf.org]. This week on Get NIST-y, we're bringing that talk to you. We'll be back next week with more answers to your questions. Want to get your own question answered? Head over to https://blacksmithinfosec.com/nisty [https://blacksmithinfosec.com/nisty]

Starting a Security-Focused MSP Without Selling on Fear

A crowded market is not the same thing as a dead market. This week on Get NIST-y, we tackled two questions MSPs should think about before they start selling security with a PowerPoint and a scary ransomware story. We talked about whether it still makes sense to start a security-focused MSP in 2026, and what it actually means to be an M365-based MSP now that identity, governance, and security posture matter more than just managing endpoints. Get NIST-y is the podcast where we make compliance and security practical for MSPs instead of turning them into checkbox theater. What we cover: - The MSP market is crowded, but the bottom is still heavily commoditized and there is room for firms that actually do the work well - Selling on fear is a bad long-term strategy. Trust and business value beat ghost stories - A strong MSP wedge usually starts with specialization, whether that is vertical, geography, or a specific capability - Being M365-based now means managing identity, conditional access, device trust, and user behavior, not just licenses and laptops We answer: - If you were starting a security-focused MSP in 2026, would you sell direct to SMBs, partner with existing MSPs, or avoid the market entirely? - What does it actually mean to be an M365-based MSP now that the real work has moved into identity, governance, and security posture? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]

CMMC Level 2 Without Lighting Money on Fire

CMMC gets treated like a monster project. A lot of the time, bad scoping is the real monster. This week on Get NIST-y, we focused on CMMC Level 2 for smaller companies and cut through the panic. We talked about how to keep costs under control, how to scope tightly around the people and systems that actually touch CUI, and why buying tools is not the same thing as being audit-ready. Get NIST-y is the podcast where we make compliance practical for MSPs instead of turning it into theater. What we cover: - If only a few people touch CUI, scope the enclave tightly and keep the rest of the business out of it - You do not need to throw the whole company into GCC High if the work can be isolated properly - Mapping data flows first saves a lot of money and prevents scope creep later - CMMC gets harder when companies buy tools but never operationalize the controls behind them We answer: - What does a realistic CMMC Level 2 path look like for a small company without lighting money on fire? - Is CMMC Level 2 really that hard, or are companies making it harder by refusing to scope and operationalize it properly? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]