Get NIST-y Podcast by Blacksmith InfoSec

Get NIST-y


By: Blacksmith InfoSec

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.
Blacksmith InfoSec
Episodes
  • Security Frameworks, Non-Negotiables, and Risky Clients
    Mar 31 2026

    Some MSP clients want to move fast on security. Others only reply when something is on fire.

    In this episode of Get NIST-y, the podcast from Blacksmith InfoSec where we turn compliance into practical security for MSPs, we get blunt about what actually moves clients forward and what just creates more noise. The big theme is simple: stop piecing security together from random advice and start operating from a framework. Join us today for part 2 with Josh Hohbein from CentrexIT.

    Takeaways:

    - Your non-negotiable security controls should be baked into your base offering, not treated like optional add-ons

    - If you are still arguing with clients about MFA, you are not ready to sell them a real compliance program

    - A framework gives you more than boxes to check. It gives you a roadmap, a way to show progress, and a way to talk about risk like an adult

    - One sign your MSP is maturing: you can say no to risky clients instead of taking every headache that shows up

    We answer:

    - How do you unstick clients who ignore security until something breaks?

    - How do you get clients to stop treating security and compliance like optional extras?

    - Where should the MSP drive the process, and where does client leadership have to own it?

    - How do frameworks help prove progress instead of just creating more paperwork?

    Submit your question at:

    https://blacksmithinfosec.com/nisty/

    21 m
  • MSP Security Theater, Trustmarks, and the Community Effect
    Mar 24 2026

    A lot of MSPs say they “do security.”

    That does not mean they do enough of it.

    In this episode of Get NIST-y, Jared and Mike sit down with Josh Hohbein of Centrex IT to talk about where MSP security is getting better, where it still falls apart in the real world, and why community reputation matters more than most vendors want to admit.

    Takeaways:

    - A lot of MSPs offer security, but the depth of capability is all over the place

    - Backups are not enough if they are not isolated, tested, and actually recoverable

    - Identity is still one of the biggest weak spots, especially in Microsoft 365

    - Mature MSPs do not just buy tools, they align security to a framework and improve over time

    We answer:

    - What are MSPs getting right about security right now, and where are they still falling short?

    - Where does real-world MSP execution clash with “perfect” security guidance?

    - Why does a framework like GTIA Trustmark matter for MSPs?

    - How do MSP communities shape buying decisions, tooling, and security standards?

    - How should MSPs think more strategically about tool selection instead of chasing shiny objects?

    Submit your own questions at https://blacksmithinfosec.com/nisty/

    29 m
  • Cyber Insurance Forms, MFA, and Risky MSP Assumptions
    Mar 17 2026

    Some compliance mistakes are boring. These are not. In this episode of Get NIST-y, Jared and Mike tackle two real-world MSP questions that can create liability fast if you handle them the wrong way. They break down where MSPs should help, where they should back off, and how to think clearly about MFA when the framework language gets fuzzy.
    - Why MSPs should not fill out cyber insurance questionnaires for clients
    - How bad answers on insurance forms can come back during a claim
    - What MFA compliance really means when systems touch customer data
    - When compensating controls and documented risk acceptance make sense
    We answer:
    - When clients forward cyber insurance questionnaires, do you bill for filling them out? And how do you answer without accidentally taking responsibility for stuff you can't prove?
    - For FTC Safeguards, what actually counts as MFA compliance in the real world? Is VPN plus MFA enough, or do you need MFA at the workstation, file access, admin actions, all of it?
    Submit your question:
    https://blacksmithinfosec.com/nisty/

    20 m