Episodes

  • Axios Fallout: What MSPs Should Do After a Supply Chain Hit
    Apr 7 2026

    A vendor supply chain incident is not just a developer problem. If your vendors ship software, your MSP is in the blast radius whether you wrote a line of code or not.


    In this special Get NIST-y episode, Jared and Mike break down what MSPs should actually do in the wake of the Axios compromise, both before the next incident and after one lands. This is practical security and compliance advice for MSPs, not checkbox theater.


    - A SOC 2 is a starting point, not a hall pass. Read the scope, read the opinion, and read management’s response.

    - Vendor questionnaires are useless if nobody reviews the answers. Fewer real questions beat 1,900 ignored ones.

    - Keep a real vendor inventory, including subprocessors. You cannot assess exposure if you do not know who touches your data.

    - Ask vendors for clear answers after an incident, and know how to rotate secrets fast if something gets exposed.


    We mentioned Roddy Bergeron's talk from Right of Boom. Here's the link (registration required to view): https://portal.rightofboom.com/calendar/event/019c4cb4-6f89-7211-9a85-236a0a3f922d


    Submit your question: https://blacksmithinfosec.com/nisty/

    28 m
  • Security Frameworks, Non-Negotiables, and Risky Clients
    Mar 31 2026

    Some MSP clients want to move fast on security. Others only reply when something is on fire.


    In this episode of Get NIST-y, the podcast from Blacksmith InfoSec where we turn compliance into practical security for MSPs, we get blunt about what actually moves clients forward and what just creates more noise. The big theme is simple: stop piecing security together from random advice and start operating from a framework. Join us today for part 2 with Josh Hohbein from CentrexIT.


    Takeaways:

    - Your non-negotiable security controls should be baked into your base offering, not treated like optional add-ons

    - If you are still arguing with clients about MFA, you are not ready to sell them a real compliance program

    - A framework gives you more than boxes to check. It gives you a roadmap, a way to show progress, and a way to talk about risk like an adult

    - One sign your MSP is maturing: you can say no to risky clients instead of taking every headache that shows up


    We answer:

    - How do you unstick clients who ignore security until something breaks?

    - How do you get clients to stop treating security and compliance like optional extras?

    - Where should the MSP drive the process, and where does client leadership have to own it?

    - How do frameworks help prove progress instead of just creating more paperwork?


    Submit your question at:

    https://blacksmithinfosec.com/nisty/

    21 m
  • MSP Security Theater, Trustmarks, and the Community Effect
    Mar 24 2026

    A lot of MSPs say they “do security.”


    That does not mean they do enough of it.


    In this episode of Get NIST-y, Jared and Mike sit down with Josh Hohbein of Centrex IT to talk about where MSP security is getting better, where it still falls apart in the real world, and why community reputation matters more than most vendors want to admit.


    Takeaways:

    - A lot of MSPs offer security, but the depth of capability is all over the place

    - Backups are not enough if they are not isolated, tested, and actually recoverable

    - Identity is still one of the biggest weak spots, especially in Microsoft 365

    - Mature MSPs do not just buy tools, they align security to a framework and improve over time


    We answer:

    - What are MSPs getting right about security right now, and where are they still falling short?

    - Where does real-world MSP execution clash with “perfect” security guidance?

    - Why does a framework like GTIA Trustmark matter for MSPs?

    - How do MSP communities shape buying decisions, tooling, and security standards?

    - How should MSPs think more strategically about tool selection instead of chasing shiny objects?


    Submit your own questions at https://blacksmithinfosec.com/nisty/

    29 m
  • Cyber Insurance Forms, MFA, and Risky MSP Assumptions
    Mar 17 2026

    Some compliance mistakes are boring. These are not. In this episode of Get NIST-y, Jared and Mike tackle two real-world MSP questions that can create liability fast if you handle them the wrong way. They break down where MSPs should help, where they should back off, and how to think clearly about MFA when the framework language gets fuzzy.

    - Why MSPs should not fill out cyber insurance questionnaires for clients

    - How bad answers on insurance forms can come back during a claim

    - What MFA compliance really means when systems touch customer data

    - When compensating controls and documented risk acceptance make sense

    We answer:

    - When clients forward cyber insurance questionnaires, do you bill for filling them out? And how do you answer without accidentally taking responsibility for stuff you can't prove?

    - For FTC Safeguards, what actually counts as MFA compliance in the real world? Is VPN plus MFA enough, or do you need MFA at the workstation, file access, admin actions, all of it?

    Submit your question:

    https://blacksmithinfosec.com/nisty/

    20 m
  • Compliance as a Service: Cadence, Risk, Real Deliverables
    Mar 10 2026

    Compliance as a service can either calm the chaos or torch your calendar. The difference is whether you’re running a structured security program or improvising.

    In this episode, we talk about what MSPs should actually deliver, and how to sell it without sounding like you’re selling “compliance.”


    Key takeaways:

    - The real deliverable is visibility: a clear view of risk, progress, and what’s next.

    - A living risk register keeps issues from disappearing between QBRs.

    - Tabletop exercises are “as needed,” not “once a year.” New execs and new processes change the math.

    - Bundle a small monthly cadence, then use a short T&M sprint when a client suddenly needs to hit a deadline.


    We answer:

    - Is compliance as a service worth getting into, or is it just another way to light your calendar on fire?

    - What does the real deliverable look like if you’re doing it right?

    - How do you sell it without sounding like you’re selling compliance? Bundle it, itemize it, or wait until clients are forced?


    Submit your own question(s) at https://blacksmithinfosec.com/nisty/

    Duration not yet known
  • Templates Without the Cookie Cutter: Standardize, Customize, Prove Progress
    Mar 3 2026

    Templates are supposed to make you faster. But MSPs live in the real world, where a dentist office and a law firm do not need the same controls, the same tolerance for friction, or the same “this is fine” risk posture.

    In this episode of Get NIST-y, Jared and Mike break down how to standardize your compliance approach without pretending every client is identical, and how to demonstrate progress when meaningful risk reduction takes months or years.

    Listener questions we answer:

    1. John (Salt Lake City): How can I balance standardization (templates, baselines, stacks) with the reality that every client’s risk profile and culture is different?

    2. Amelia (Denver): What’s the best way to demonstrate progress to a client when meaningful risk reduction takes months or years?

    What we cover:

    • Why templates should be “framework + variables,” not one-size-fits-all

    • How to handle exceptions without nuking your baselines (track them as risk, assign owners, build a plan)

    • Quick, visible wins: user audits (especially contractors), tightening identity, and cleaning up access

    • Progress metrics clients can actually understand, like risk register closure rate and Microsoft Secure Score trends

    • Enforced SSO as the cheat code for inheriting MFA and reducing both risk and user friction

    • Lightweight incident response planning: asking the right “what happens if…” questions without making it a huge production

    Follow/subscribe for more practical compliance guidance for MSPs.
    Got a question you want us to answer on the show? Submit it here: https://blacksmithinfosec.com/ask

    24 m
  • Compliance as a Business Advantage: Risk Appetite, Roadmaps, and Where to Start
    Feb 24 2026

    In this episode of Get NIST-y, Jared Casner and Michael Zbarsky dig into how compliance can be more than a burden. Done right, it becomes a business advantage.

    Listener questions we answer:

    1. Wendy (MSP in Scottsdale): “Many clients say they want compliance, but what they really mean is ‘help us pass an audit cheaply.’ How do I reframe the conversation so leadership sees compliance as risk reduction and business protection, not checkbox theater?”

    2. Frank: “If a client has limited budget and maturity, where should I start: policies, tools, risk assessment, or controls? What sequencing creates visible progress without overwhelming the organization?”

    What you’ll take away:

    • Why audits and security are not the same thing, and how to explain that without fear-based selling

    • How to anchor the conversation around business risk and risk appetite

    • Why a framework + roadmap reduces decision fatigue compared to selling one-off tools

    • How a shared risk register keeps both the MSP and the client accountable

    • When to start with a risk assessment vs when to start with policies as the blueprint

    Links:

    • Listen and submit your question: https://blacksmithinfosec.com/nisty

    29 m
  • Using Quarterly Meetings to Boost MRR
    Feb 17 2026

    In this special, bonus episode of Get NIST-y, we're joined by our friend Ian Richardson from Fox & Crow Group.


    Your existing customer base offers your greatest source of additional revenue. Whether you're meeting with your clients daily, quarterly, or once a decade (hopefully not the latter!), the best thing you can be doing is building the relationship and positioning yourself as a strategic partner. From there, good things follow. Listen in as we talk to a former MSP and current master of sales to get some practical advice on sales and account management.


    Want to get your own questions answered? You can ask them at https://blacksmithinfosec.com/ask

    48 m