Episodes

  • Continuous Compliance Isn’t a Product Feature
    Jan 20 2026

    Everyone’s selling “continuous compliance” right now. Cool. But what does that look like in a real company with real humans? Today we tackle this topic thanks to two related listener questions.

    Question 1: Is continuous compliance actually happening in smaller SOC 2 / ISO programs, or do we all still sprint before audits?

    Question 2: Our SOC 2 deadline is close and training completion is stuck at 20%. How do we fix this without turning into the Training Police?

    In this episode, we referenced some videos on social engineering. Here are some links to our favorites:

    • https://youtu.be/lc7scxvKQOo?si=DxCSbATtVNEsl8Vf
    • https://youtu.be/PWVN3Rq4gzw?si=InAvEbxQ-VrCya2y

    Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    22 mins
  • If Nothing’s Broken, Why Fix Security? Making Cyber Risk Visible
    Jan 13 2026

    If your systems are running and nothing bad has happened, how should leaders think about cyber risk?

    In this episode, we tackle two listener questions. Kevin, a COO in Phoenix, asks how business leaders should evaluate security risk when there has been no breach, outage, or audit failure to force the issue. Allison, an IT Director in Portland, wants to know how to show real progress in cybersecurity and compliance when success mostly looks like nothing going wrong.

    We break down how to think about cyber risk proactively, why progress often feels invisible, and how MSPs and business leaders can talk about security in a way that actually makes sense to executives.

    Have a security or compliance question you want us to cover? Submit it at blacksmithinfosec.com/ask.

    21 mins
  • Compliance Predictions for 2026
    Jan 6 2026

    We're kicking off the 2026 season of Get NIST-y with some predictions about what's to come in the world of compliance and cybersecurity. At the end of the year, we'll make sure to grade ourselves on how well we predicted things, too.


    Want to get your compliance or cybersecurity questions answered? Head over to https://blacksmithinfosec.com/ask

    23 mins
  • A little rapping paper for the holidays
    Dec 30 2025

    We're taking this week off, so instead of hearing us talk about compliance this week, you get to hear us rap!

    3 mins
  • A NIST-y Review of 2025
    Dec 23 2025

    In this special episode, Mike and Jared talk about the compliance trends and cybersecurity disasters in an entertaining recap of 2025. Stay tuned for the 2026 preview!


    Want to get your own questions about cybersecurity or compliance answered? Head on over to https://blacksmithinfosec.com/ask

    20 mins
  • Compliance, Clients, and the QBR Problem: Part 1
    Dec 16 2025

    This is part one of a two-part crossover with Adam Walter from Humanize IT. In this episode, we dig into two real listener questions that every MSP will recognize. First, we help Marisol from a dental practice understand why compliance is a program and not a one-off project, using an orthodontics metaphor that goes way further than anyone planned. Then we answer a question from Ryan, a COO who is tired of QBRs that feel like meaningless status updates. We break down what a useful business review should actually look like and how MSPs can steer the conversation toward real outcomes. If you want clearer, more human client communication, start here.

    Drop your own question at blacksmithinfosec.com/ask and make sure to catch part two next week on the Humanize IT podcast.

    25 mins
  • Compliance as an Advantage and Increasing Margins
    Dec 9 2025

    In this episode of Get NIST-y, hosts Jared Casner and Michael Zbarsky talk about how MSPs can stop seeing compliance as a burden and start using it to grow their business.


    Question 1: “When I'm talking to prospects, compliance always comes up as a pain. How can MSPs flip compliance into a trust signal or competitive advantage instead of a burden?” — Daniel, MSP Sales Leader in Chicago

    Jared and Mike dig into how strong compliance can actually make you faster, smoother, and more secure. They share real examples of how automating user management, auditing accounts, and simplifying security can build trust and help you win bigger contracts.

    Question 2: “I'm really struggling to grow recurring revenue. How can packaging compliance into our offering actually increase margins and reduce those emergency calls?” — Alex, MSP Owner in Phoenix

    They explain how to turn repeatable compliance work into steady revenue, reduce late-night “hair on fire” calls, and make your MSP more valuable to clients. You’ll hear how a simple “say it, do it, prove it” approach can strengthen your security culture, keep clients loyal, and help you charge what you’re worth.


    Got your own compliance question? Send it in at blacksmithinfosec.com/ask.

    24 mins
  • Get NIST-y LIVE: Incident Response with Bob Miller
    Dec 2 2025

    Most MSPs think they have incident response under control, at least until chaos hits. In this live episode of Get NIST-y, hosts Jared Casner and Michael Zbarsky sit down with Bob Miller, CEO of IR Game and Chief Evangelist for Right of Boom, to explore why even the most “mature” IR plans crumble under pressure and what real-world readiness actually looks like.

    From the limitations of tabletop exercises to the emotional gap that keeps decision-makers complacent, Bob shares hard-won lessons from decades in the trenches. The trio dives into:

    • Why traditional tabletop exercises fail to simulate true incident pressure

    • How emotional engagement and muscle memory are key to effective response

    • The overlooked human and legal pitfalls, from communication missteps to conflicts of interest with insurers and forensics teams

    • Why 80% of incident response is not technical, it’s business continuity, PR, compliance, and people under stress

    • How to align your IR plan with frameworks like NIST and HIPAA (without tripping contractual landmines)

    It’s a masterclass in turning theory into muscle memory, packed with war stories, practical guidance, and a few “oh sh*t” moments every MSP can learn from.


    Want to get your own questions answered? Head over to https://blacksmithinfosec.com/ask!

    46 mins