Governance, Risk, Compliance (GRC), and the MSP Wake-up Call

In this episode, Chris Johnson sits down with Eric Shoemaker of Genius GRC to unpack one of the most misunderstood shifts in the MSP space: the move from tool-driven cybersecurity to standards-aligned governance, risk, and compliance programs.
Eric explains why Genius GRC isn’t a software platform and why that distinction matters. Together, they explore how early automation wins (like continuous access reconciliations) impressed auditors but didn’t replace the need for real governance, documented reviews, and independent judgment. As the market matures, the conversation turns to a growing risk: MSPs and SMBs stacking new security tools while core systems remain misconfigured and under-governed.
Chris and Eric tackle the myth of “do-it-yourself” GRC, the dangers of vibe-based compliance, and why tools only amplify expertise rather than replacing it. They also dig into the critical separation between IT operations and security leadership, making the case for advisory or independent CISO models that reduce conflicts of interest and improve risk outcomes.
The discussion closes with practical, budget-conscious fundamentals, such as DNS filtering, CIS IG1, and free or low-cost controls that actually move the needle, plus hard truths about negligence versus resourcing failures and why resilience must be budgeted from day one.
If you’re an MSP, consultant, or business leader navigating cybersecurity maturity, this episode is a grounded, no-hype look at what actually reduces risk.