Get NIST-y

Written by: Blacksmith InfoSec

About this listen

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.
Episodes
  • Continuous Compliance Isn’t a Product Feature
    Jan 20 2026

    Everyone’s selling “continuous compliance” right now. Cool. But what does that look like in a real company with real humans? Today we tackle this topic thanks to 2 related listener questions.

    Question 1: Is continuous compliance actually happening in smaller SOC 2 / ISO programs, or do we all still sprint before audits?

    Question 2: Our SOC 2 deadline is close and training completion is stuck at 20%. How do we fix this without turning into the Training Police?

    In this episode, we referenced some videos on social engineering. Here are some links to our favorites:

    • https://youtu.be/lc7scxvKQOo?si=DxCSbATtVNEsl8Vf
    • https://youtu.be/PWVN3Rq4gzw?si=InAvEbxQ-VrCya2y

    Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    22 mins
  • If Nothing’s Broken, Why Fix Security? Making Cyber Risk Visible
    Jan 13 2026

    If your systems are running and nothing bad has happened, how should leaders think about cyber risk?

    In this episode, we tackle two listener questions. Kevin, a COO in Phoenix, asks how business leaders should evaluate security risk when there has been no breach, outage, or audit failure to force the issue. Allison, an IT Director in Portland, wants to know how to show real progress in cybersecurity and compliance when success mostly looks like nothing going wrong.

    We break down how to think about cyber risk proactively, why progress often feels invisible, and how MSPs and business leaders can talk about security in a way that actually makes sense to executives.

    Have a security or compliance question you want us to cover? Submit it at blacksmithinfosec.com/ask.

    21 mins
  • Compliance Predictions for 2026
    Jan 6 2026

    We're kicking off the 2026 season of Get NIST-y with some predictions about what's to come in the world of compliance and cybersecurity. At the end of the year, we'll make sure to grade ourselves on how well we predicted things, too.


    Want to get your compliance or cybersecurity questions answered? Head over to https://blacksmithinfosec.com/ask

    23 mins