Compliance is not security. Security is not compliance. But if you treat either one like a box-checking exercise, your client is going to have a bad time.
In this episode of Get NIST-y, Jared and Mike talk with Shawn Duffy from Duffy Compliance Services about where SMBs, MSPs, and service providers keep stepping on the same rakes.
Takeaways:
- Why “we’re too small to be targeted” is technically true, but completely misses the point
- Why HIPAA cleanup can cost way more than doing the work correctly the first time
- Why “panic” is technically an incident response plan, just a terrible one
- Why network diagrams and data flow diagrams are not optional compliance arts and crafts
We also hit cyber insurance, forensics, CMMC scoping, MFA exceptions, security policies, weird robot tech support, and the danger of assuming your MSP is the answer to everything.
Listen now and submit your own questions at https://blacksmithinfosec.com/nisty/
By Blacksmith InfoSec