Vendor Risk, Fake Automation, and the Green Check Trap

Security on a Shoestring

In March 2026, Jared gave a talk titled "Security on a Shoestring" at BSides in San Francisco [https://bsidessf.org]. This week on Get NIST-y, we're bringing that talk to you. We'll be back next week with more answers to your questions. Want to get your own question answered? Head over to https://blacksmithinfosec.com/nisty [https://blacksmithinfosec.com/nisty]

Starting a Security-Focused MSP Without Selling on Fear

A crowded market is not the same thing as a dead market. This week on Get NIST-y, we tackled two questions MSPs should think about before they start selling security with a PowerPoint and a scary ransomware story. We talked about whether it still makes sense to start a security-focused MSP in 2026, and what it actually means to be an M365-based MSP now that identity, governance, and security posture matter more than just managing endpoints. Get NIST-y is the podcast where we make compliance and security practical for MSPs instead of turning them into checkbox theater. What we cover: - The MSP market is crowded, but the bottom is still heavily commoditized and there is room for firms that actually do the work well - Selling on fear is a bad long-term strategy. Trust and business value beat ghost stories - A strong MSP wedge usually starts with specialization, whether that is vertical, geography, or a specific capability - Being M365-based now means managing identity, conditional access, device trust, and user behavior, not just licenses and laptops We answer: - If you were starting a security-focused MSP in 2026, would you sell direct to SMBs, partner with existing MSPs, or avoid the market entirely? - What does it actually mean to be an M365-based MSP now that the real work has moved into identity, governance, and security posture? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]

CMMC Level 2 Without Lighting Money on Fire

CMMC gets treated like a monster project. A lot of the time, bad scoping is the real monster. This week on Get NIST-y, we focused on CMMC Level 2 for smaller companies and cut through the panic. We talked about how to keep costs under control, how to scope tightly around the people and systems that actually touch CUI, and why buying tools is not the same thing as being audit-ready. Get NIST-y is the podcast where we make compliance practical for MSPs instead of turning it into theater. What we cover: - If only a few people touch CUI, scope the enclave tightly and keep the rest of the business out of it - You do not need to throw the whole company into GCC High if the work can be isolated properly - Mapping data flows first saves a lot of money and prevents scope creep later - CMMC gets harder when companies buy tools but never operationalize the controls behind them We answer: - What does a realistic CMMC Level 2 path look like for a small company without lighting money on fire? - Is CMMC Level 2 really that hard, or are companies making it harder by refusing to scope and operationalize it properly? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]

Why SOC 2 Still Takes Forever and When You're Actually Ready

SOC 2 gets sold like a clean checklist. It usually is not. This week on Get NIST-y, we tackled why evidence collection still eats so much time even when the data already exists, and how to tell whether you're truly ready for a SOC 2 Type 2 or just getting shoved there by sales. Get NIST-y is the podcast where we make compliance useful for MSPs instead of turning it into decorative paperwork. What we cover: - Evidence collection drags when teams pull proof from 20 systems instead of the one place that already has it - Some tools still make basic reporting absurdly hard, which turns audits into screenshot Olympics - The wrong auditor can slow everything down, but the bigger problem is usually weak scoping and sloppy evidence workflows - SOC 2 Type 2 readiness is less about feelings and more about whether you've been operating the controls consistently over time We answer: - Why does SOC 2 evidence collection still take so long when the data already exists? - How do you know whether you're actually ready for a SOC 2 Type 2 versus just emotionally ready because sales wants the logo yesterday? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]

Vendor Risk, Fake Automation, and the Green Check Trap

A vendor questionnaire is not vendor risk management. This week on Get NIST-y, we use the Mythos supply chain mess as a reminder that your vendors' vendors can absolutely become your problem. Then we get into a second trap that deserves more skepticism: compliance platforms that promise automation but mostly hand you prettier green check marks. What we cover: - A SOC 3 by itself is not enough. If that is the whole review, you are checking a box, not managing risk. - Recent vendor incidents matter, but context matters too. A "critical" vuln is not automatically critical for every environment. - The best vendors do not stay quiet. They tell you whether you were affected, where the risk exists, and what changed. - Automated evidence collection can save time, but it cannot own your risk or replace human review. We answer: - Should vendor vulnerabilities and recent incidents change how you score vendor risk? - How much of "automated evidence collection" is real, and how much is expensive wallpaper over manual work? Submit your question: https://blacksmithinfosec.com/nisty/ [https://blacksmithinfosec.com/nisty/]