Get NIST-y

S2 E20

Starting a Security-Focused MSP Without Selling on Fear

May 19
25 mins

Episode Description

A crowded market is not the same thing as a dead market.


This week on Get NIST-y, we tackled two questions MSPs should think about before they start selling security with a PowerPoint and a scary ransomware story. We talked about whether it still makes sense to start a security-focused MSP in 2026, and what it actually means to be an M365-based MSP now that identity, governance, and security posture matter more than just managing endpoints. Get NIST-y is the podcast where we make compliance and security practical for MSPs instead of turning them into checkbox theater.


What we cover:

- The MSP market is crowded, but the bottom is still heavily commoditized and there is room for firms that actually do the work well

- Selling on fear is a bad long-term strategy. Trust and business value beat ghost stories

- A strong MSP wedge usually starts with specialization, whether that is vertical, geography, or a specific capability

- Being M365-based now means managing identity, conditional access, device trust, and user behavior, not just licenses and laptops


We answer:

- If you were starting a security-focused MSP in 2026, would you sell direct to SMBs, partner with existing MSPs, or avoid the market entirely?

- What does it actually mean to be an M365-based MSP now that the real work has moved into identity, governance, and security posture?


Submit your question: https://blacksmithinfosec.com/nisty/
