
Get NIST-y

By: Blacksmith InfoSec
Overview

Get NIST-y is a podcast that breaks compliance out of the checkbox trap and turns it into a real security advantage. No fluff, no FUD—just practical strategies to make compliance work for your MSP. Each week, we'll dive into compliance topics based on real questions from our MSP partners and subscribers.
Episodes
  • NIS2 and the Tyranny of the Word ‘Continuous’
    2026/01/27

    NIS2 keeps showing up in conversations, and one word is causing most of the panic: continuous.


    Question 1: For NIS2, what’s a realistic, defensible way to handle “continuous” vendor and supplier monitoring without chasing 40 vendors by email every week?


    Question 2: How are teams supposed to do “continuous” asset inventory when legacy systems and unknown dependencies make scanning risky?


    Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    25 min
  • Continuous Compliance Isn’t a Product Feature
    2026/01/20

    Everyone’s selling “continuous compliance” right now. Cool. But what does that look like in a real company with real humans? Today we tackle this topic thanks to 2 related listener questions.

    Question 1: Is continuous compliance actually happening in smaller SOC 2 / ISO programs, or do we all still sprint before audits?

    Question 2: Our SOC 2 deadline is close and training completion is stuck at 20%. How do we fix this without turning into the Training Police?

    In this episode, we referenced some videos on social engineering. Here are some links to our favorites:

    • https://youtu.be/lc7scxvKQOo?si=DxCSbATtVNEsl8Vf
    • https://youtu.be/PWVN3Rq4gzw?si=InAvEbxQ-VrCya2y

    Want to get your own questions answered? Head on over to https://blacksmithinfosec.com/ask

    22 min
  • If Nothing’s Broken, Why Fix Security? Making Cyber Risk Visible
    2026/01/13

    If your systems are running and nothing bad has happened, how should leaders think about cyber risk?

    In this episode, we tackle two listener questions. Kevin, a COO in Phoenix, asks how business leaders should evaluate security risk when there has been no breach, outage, or audit failure to force the issue. Allison, an IT Director in Portland, wants to know how to show real progress in cybersecurity and compliance when success mostly looks like nothing going wrong.

    We break down how to think about cyber risk proactively, why progress often feels invisible, and how MSPs and business leaders can talk about security in a way that actually makes sense to executives.

    Have a security or compliance question you want us to cover? Submit it at blacksmithinfosec.com/ask.

    21 min