Risk Never Sleeps Podcast – Episode #196
Title: Compliance Is Not a Checkbox, It’s a Trust Strategy
Host: Ed Gaudet
Guest: Chris Johnson, Senior Director of Cybersecurity Compliance Programs, GTIA
Date: February 26, 2026
Episode Overview
In this engaging episode, Ed Gaudet welcomes Chris Johnson of GTIA for an in-depth conversation about the evolving nature of cybersecurity compliance in healthcare and IT. Chris argues that compliance should not be viewed as a mere checkbox activity but as an essential component of building trust and organizational resilience. The discussion covers the impact of AI on cybersecurity, the pitfalls of tool-centric thinking, the enduring importance of human factors and process, and career advice for aspiring professionals.
Key Discussion Points & Insights
1. Chris Johnson’s Journey into Cybersecurity Compliance
- Chris shares his unconventional entry into IT, driven by a DIY spirit and eventual burnout from intense travel and risk evaluations.
- Transitioned into educational IT roles before joining GTIA, emphasizing his passion for compliance and helping mature cybersecurity postures in the IT service provider space.
- (02:00–03:30)
2. GTIA: Past, Present, & Mission
- GTIA is the evolved version of CompTIA, carrying forward its 40+ year legacy with a broader mission for the IT and vendor community.
- (00:47–01:33)
3. The Myth of Check-the-Box Compliance
- Chris argues compliance frameworks are often misinterpreted as punitive checkbox exercises, rather than starting points for ongoing improvement:
“Compliance isn’t security. Security isn’t necessarily compliance. One can hope that if you're complying with something, it's hopefully showing evidence… but these [frameworks] are baselines, a starting point.”
— Chris Johnson (15:00)
- The “checkbox” mentality misses the purpose: building and demonstrating trustworthy, consistent protection of sensitive information.
4. The Evolving Threat Landscape: AI, Attack Surfaces, and Tool Sophistication
- AI amplifies both risk and response, accelerating everything “for good or bad.” The attack surface is now more data- and integrity-oriented.
- Tools have grown more dynamic and capable; however, effective use depends on appropriate configuration and trained personnel.
“…the sophistication of tools have gotten and [with] the ability to leverage AI… we are more resilient on the left side [prevention] than we ever have been in the past.”
— Chris Johnson (08:10)
- AI also increases the threat of deep fakes, voice impersonation, and sophisticated phishing, challenging traditional verification methods.
“The email that I’m being presented with… with sophistication of the threat actors and AI… they can impersonate people's voices.”
— Chris Johnson (11:00)
5. Compliance Programs Must Evolve
- Regulatory frameworks like HIPAA were designed for a different era. The modern landscape requires compliance to be agile and proactive, reflecting ongoing evaluation, not static evidence.
- Real-world examples (e.g., encryption choices and enclave management) illustrate common compliance shortfalls that leave organizations vulnerable.
“We had a data security company… we wrapped [data] with policy and controls… but the market did full-disk encryption. It solves at rest, not in transit.”
— Ed Gaudet (17:10)
6. The People, Process, and Technology Triad
- Both agree most failures are not rooted in tools, but in misaligned processes and lack of investment in people.
“It's never about the tool… it's always about the people and the process. And if those things aren't harmonized… you failed already.”
— Ed Gaudet (21:12)
- The allure of new tools (“shiny object syndrome”) often distracts from foundational improvements in process and human behavior.
- Leadership, intentionality, and governance are necessary for true transformation—not just technology adoption.
“Transformation requires leadership. Failureship is a leadership concern.”
— Ed Gaudet (26:44)
7. AI & The Future of Work
- There’s skepticism about AI instantly replacing jobs, but agreement that "winners and losers" will emerge as some organizations adopt and leverage AI more effectively.
- Cautions that adopting AI (and new tech) without considering people/process implications can lead to failed or sabotaged projects.
- Encourages listeners to “recreate yourself for the future” and not ignore the inevitability of technological change.
"The risk… is to ignore it, to not think about what could I do to recreate myself for the future."
— Chris Johnson (30:54)
Notable Quotes & Memorable Moments
- On Compliance as Trust:
“Those good, bad or otherwise, the reason frameworks exist, the reason the omnibus rule came out—they exist because we were failing with consistency at protecting the things that we have been entrusted with.”
— Chris Johnson (15:00)
- On Tool Obsession:
“There should be a 12-step program for shiny object syndrome. It is a real thing.”
— Chris Johnson (18:33)
- On Failure to Harmonize:
“Most CRM systems fail within six months or nine months because people aren't thinking about it from transformation.”
— Ed Gaudet (22:21)
- On Career Growth:
“Biggest mistake is not remembering that I didn’t get here by myself… there were a lot of people that kept me propped up to get where I am today.”
— Chris Johnson (34:47)
Segment Timestamps
- 00:47–03:30 — Chris Johnson’s background and journey into compliance
- 03:30–05:40 — GTIA’s focus and the evolution of preventative to responsive cybersecurity strategies
- 05:40–07:15 — The role and reality of AI in cybersecurity tools
- 09:31–13:54 — The risk side of AI, deep fakes, and modern attack surface
- 14:05–17:41 — How compliance lags technology and the failures of checkbox thinking
- 18:09–25:31 — Shiny object syndrome, pitfalls of tool-centric solutions, lessons from failed tech projects
- 26:39–31:04 — The importance of leadership in transformation; AI, workforce, and future challenges
- 31:09–41:38 — Personal insights: passions, career mistakes, advice for newcomers
- 40:09–41:38 — Final career advice for students and early-career professionals
Advice for Newcomers & Final Thoughts
- Don’t fixate on specific job titles:
“Be open to a job in business and operations—business risk, process, due diligence. If you go down this path of… ‘level two threat analyst’… you’re probably going to be disappointed.”
— Chris Johnson (40:09)
- Stay humble, be intentional, keep learning, and value teamwork.
- Prepare for ongoing change—technological and regulatory. Ignore at your own risk.
Closing Reflection
Chris Johnson closes with practical wisdom: Focus on the basics, invest in people, and view compliance as a strategic, trust-building activity—not a checkbox. Real transformation comes through harmonizing people, process, and technology, guided by leadership and a willingness to adapt.
For more resources and ways to increase your risk awareness and patient safety, visit:
www.censinet.com
