Get NIST-y

Compliance Without Security Is Just Paperwork

47 min · 16 June 2026

Description

Compliance is not security. Security is not compliance. But if you treat either one like a box-checking exercise, your client is going to have a bad time. In this episode of Get NIST-y, Jared and Mike talk with Shawn Duffy from Duffy Compliance Services [http://duffycompliance.com/] about where SMBs, MSPs, and service providers keep stepping on the same rakes.

Takeaways:
- Why “we’re too small to be targeted” is technically true, but completely misses the point
- Why HIPAA cleanup can cost way more than doing the work correctly the first time
- Why “panic” is technically an incident response plan, just a terrible one
- Why network diagrams and data flow diagrams are not optional compliance arts and crafts

We also hit cyber insurance, forensics, CMMC scoping, MFA exceptions, security policies, weird robot tech support, and the danger of assuming your MSP is the answer to everything.

Listen now and submit your own questions at https://blacksmithinfosec.com/nisty/


All episodes

42 episodes


If You’re Having Mac Problems, I Feel Bad for You Son

Justin Esgar [https://www.linkedin.com/in/justinesgar/]'s got 99 problems, but a Mac ain't one! Justin, the CEO of NYC-based MSP VirtuaComputer [https://www.virtuacomputers.com/] and host of the All Things MSP podcast, joins Get NIST-y to talk about the MSP myth that Macs are insecure, unmanageable, or somehow impossible to support without ritual sacrifice.

Takeaways:
- “We can’t secure Macs” usually means “we don’t know how”
- Apple Business and domain claiming are basic security hygiene
- Macs being more secure by default does not mean they are (a) more secure or (b) automatically compliant

We answer:
- Can Macs be managed and secured at scale?
- What does Mac compliance look like for NIST, CIS, and CMMC?
- Where do Jamf, Addigy, Intune, and Apple Business fit?
- Why are some MSPs still treating Macs like cursed objects?

Submit your question: https://blacksmithinfosec.com/nisty/

9 June 2026 · 44 min

AI is Useful. AI Slop is Not

AI can be wildly useful. It can also be a shiny button duct-taped onto your PSA, RMM, documentation platform, quoting tool, and possibly your coffee maker. This week on Get NIST-y, Jared and Mike talk about how MSPs can tell the difference between useful AI and vendor AI slop, plus what to ask before client data gets shoved into yet another “trust us bro” feature.

Takeaways:
- Useful AI should solve a real workflow problem, not create a paragraph you now have to babysit.
- If you do not know where your data is going, you are not protecting it.
- Read the MSA, DPA, privacy policy, subprocessors list, and AI terms before enabling AI features.
- Vendors adding AI may be making a material product change, and your contract should matter.

We answer:
- How can MSPs separate useful AI from vendor AI slop?
- What questions should MSPs ask before using AI features with client data?
- Should vendors provide a separate DPA, AI addendum, opt-in, or click-through?
- Is “trust us bro” now apparently a compliance framework?

Submit your question: https://blacksmithinfosec.com/nisty/

2 June 2026 · 27 min

Starting a Security-Focused MSP Without Selling on Fear

A crowded market is not the same thing as a dead market. This week on Get NIST-y, we tackled two questions MSPs should think about before they start selling security with a PowerPoint and a scary ransomware story. We talked about whether it still makes sense to start a security-focused MSP in 2026, and what it actually means to be an M365-based MSP now that identity, governance, and security posture matter more than just managing endpoints. Get NIST-y is the podcast where we make compliance and security practical for MSPs instead of turning them into checkbox theater.

What we cover:
- The MSP market is crowded, but the bottom is still heavily commoditized and there is room for firms that actually do the work well
- Selling on fear is a bad long-term strategy. Trust and business value beat ghost stories
- A strong MSP wedge usually starts with specialization, whether that is vertical, geography, or a specific capability
- Being M365-based now means managing identity, conditional access, device trust, and user behavior, not just licenses and laptops

We answer:
- If you were starting a security-focused MSP in 2026, would you sell direct to SMBs, partner with existing MSPs, or avoid the market entirely?
- What does it actually mean to be an M365-based MSP now that the real work has moved into identity, governance, and security posture?

Submit your question: https://blacksmithinfosec.com/nisty/

19 May 2026 · 25 min