Vendor Risk, Fake Automation, and the Green Check Trap
A vendor questionnaire is not vendor risk management.
This week on Get NIST-y, we use the Mythos supply chain mess as a reminder that your vendors' vendors can absolutely become your problem. Then we get into a second trap that deserves more skepticism: compliance platforms that promise automation but mostly hand you prettier green check marks.
What we cover:
- A SOC 3 by itself is not enough. If that is the whole review, you are checking a box, not managing risk.
- Recent vendor incidents matter, but context matters too. A "critical" vuln is not automatically critical for every environment.
- The best vendors do not stay quiet. They tell you whether you were affected, where the risk exists, and what changed.
- Automated evidence collection can save time, but it cannot own your risk or replace human review.
We answer:
- Should vendor vulnerabilities and recent incidents change how you score vendor risk?
- How much of "automated evidence collection" is real, and how much is expensive wallpaper over manual work?
Submit your question: https://blacksmithinfosec.com/nisty/
Video "Vendor Risk, Fake Automation, and the Green Check Trap" from the Blacksmith InfoSec channel
Video information
Published: April 28, 2026, 14:15:10
Duration: 00:20:20