Get NIST-y

S2 E8

Compliance as a Business Advantage: Risk Appetite, Roadmaps, and Where to Start

February 24
29 mins

Episode Description

In this episode of Get NIST-y, Jared Casner and Michael Zbarsky dig into how compliance can be more than a burden. Done right, it becomes a business advantage.

Listener questions we answer:

  1. Wendy (MSP in Scottsdale): “Many clients say they want compliance, but what they really mean is ‘help us pass an audit cheaply.’ How do I reframe the conversation so leadership sees compliance as risk reduction and business protection, not checkbox theater?”

  2. Frank: “If a client has limited budget and maturity, where should I start: policies, tools, risk assessment, or controls? What sequencing creates visible progress without overwhelming the organization?”

What you’ll take away:

  • Why audits and security are not the same thing, and how to explain that without fear-based selling

  • How to anchor the conversation around business risk and risk appetite

  • Why a framework + roadmap reduces decision fatigue compared to selling one-off tools

  • How a shared risk register keeps both the MSP and the client accountable

  • When to start with a risk assessment vs when to start with policies as the blueprint
