In this episode, Josh Hohbein of CentrexIT breaks down a practical, MSP-centric approach to risk assessments that moves beyond complex, consultant-driven reports and toward clear, actionable business outcomes. He shares how combining vulnerability scans, client interviews, and system configuration reviews, anchored in a cyber maturity model, helps MSPs translate technical findings into meaningful risk conversations, especially during onboarding. The discussion highlights the importance of ownership, communication, and collaboration in managing inherited client risk, while previewing a live demonstration session at Pack State Beyond, designed to equip MSPs with repeatable frameworks they can own. Ultimately, the episode reinforces that effective risk assessments aren’t about identifying more issues; they’re about enabling better decisions, strengthening governance, and driving measurable security maturity.

In this MSP1337 fireside chat, you and Matt Lee unpack the idea of a “vulnpocalypse”, a rapidly emerging reality in which AI-driven tools are accelerating vulnerability discovery at a pace organizations can't keep up with. While much of the industry is focused on the fear and hype, the conversation shifts to what actually matters: operational response. You highlight that the shrinking gap between proof of concept and active exploitation is forcing a fundamental change in how MSPs and organizations manage risk, especially in patching velocity, exposure management, and accountability for internet-facing systems. The takeaway is clear: this isn’t just a future threat, it’s a present inflection point requiring faster, more automated, and governance-aligned security practices.

In this episode, Chris Johnson sits down with Eric Shoemaker of Genius GRC to unpack one of the most misunderstood shifts in the MSP space: the move from tool-driven cybersecurity to standards-aligned governance, risk, and compliance programs.

Eric explains why Genius GRC isn’t a software platform and why that distinction matters. Together, they explore how early automation wins (like continuous access reconciliations) impressed auditors but didn’t replace the need for real governance, documented reviews, and independent judgment. As the market matures, the conversation turns to a growing risk: MSPs and SMBs stacking new security tools while core systems remain misconfigured and under-governed.

Chris and Eric tackle the myth of “do-it-yourself” GRC, the dangers of vibe-based compliance, and why tools only amplify expertise; they don’t replace it. They also dig into the critical separation between IT operations and security leadership, making the case for advisory or independent CISO models that reduce conflicts of interest and improve risk outcomes.

The discussion closes with practical, budget-conscious fundamentals, such as DNS filtering, CIS IG1, and free or low-cost controls that actually move the needle, plus hard truths about negligence versus resourcing failures and why resilience must be budgeted from day one.

If you’re an MSP, consultant, or business leader navigating cybersecurity maturity, this episode is a grounded, no-hype look at what actually reduces risk.