Threat Vector by Palo Alto Networks
Episode: The High Cost of Chasing Compliance, Not Security
Release Date: October 2, 2025
Host: David Moulton (Palo Alto Networks)
Guest: Joey Smith, VP & CISO, Chinook Markets
Episode Overview
Theme:
This episode explores why treating compliance as the endpoint, rather than true security, puts organizations at risk. Host David Moulton interviews Joey Smith (CISO, Chinook Markets), who shares insights from his career responding to major breaches, building security strategies in the retail sector, and driving security innovation that goes beyond the checkbox mentality. They discuss the pitfalls of compliance-focused security, the importance of building business-aligned security programs, constructive board relations, and current AI risks.
Key Insights & Discussion Points
1. Why Compliance ≠ Security
- PCI Compliance Isn’t Breach-Proof: Joey recalls his years investigating breaches at MasterCard, revealing that most breached merchants were compliant at the time of the incident (05:46–07:30).
  “Every single company that we worked with that was breached had a PCI compliance program…Sure enough, you’re compliant. But, you know, we can find one thing here or there that your auditor may have missed. And now—you’re in a breach situation.”
  — Joey Smith [06:21]
- “Finish Line” Mentality: Many executives wrongly treat a compliance report as ‘insurance’ and pull back on investment in actual controls.
  “They’d be able to move that money towards other strategies that they had instead, because again, they have this compliance report…everyone would think they're good and they'd move on.”
  — Joey Smith [08:09]
- False Sense of Security: This attitude encourages underinvestment and ignores emerging threats. Smith says security must be treated as an ongoing commitment, not a certification event.
2. Building Real Security Programs
- Security as Simplification, Not Obstruction:
  “Our job as security leaders is to simplify what is really, really hard concepts to understand.”
  — Joey Smith [10:35]
- Three Program Buckets:
  - Complicate Unauthorized Access
  - Minimize the Attack Surface
  - Actively Respond & Contain Incidents
  Smith frames every security action under these three pillars, which makes the message digestible for non-technical leaders (11:40–12:56).
- Active Business Enablement:
  “We have to be business enablers... I don’t want to complicate your access…I want to complicate the unauthorized access. Yours is authorized. So how do I make it easy for you as a business enabler?”
  — Joey Smith [14:47]
3. Winning Executive & Board Support
- Building Trust & Rapport: Executive support depends on an established relationship with the leadership team.
  “If you don’t have that relationship and that rapport with the executive team, you’re just another person doing a great job. But they might not be giving you the focus that you really need.”
  — Joey Smith [09:41]
- Risk Communication as Empowerment: Security leaders should present clear options and their consequences, enabling business-driven risk decisions (16:24–18:13).
  “My job isn’t to tell you you can’t take the risk. My job is to make sure you understand the risk you are taking.”
  — David Moulton paraphrasing Nigel Hedges [16:59]
- Flexibility in Controls: Sometimes non-technical mitigations (process changes, insurance) are the best option. If security ‘gets everything it wants,’ the business may grind to a halt:
  “If you really want me to 100% secure this company…we’ll unplug everything from network altogether. We will bury all of our servers in concrete…we’ll probably be out of business in about one day.”
  — Joey Smith [18:15]
4. Smart Technology Procurement in a Noisy Vendor Market
- Proof-of-Concept Battles: Test vendor solutions head-to-head, with strict criteria based on real risks, to ensure fit and effectiveness (19:17–22:09).
- Signals for Procurement:
  - Known, budgeted issue
  - New regulatory mandate
  - Post-incident urgency
  - Peer recommendations
5. Collaboration & Peer Communities
- Value in CISO Networks:
  “Between the security industry, we’re fighting the same adversaries...we can work together to do what we can to mitigate these threats.”
  — Joey Smith [23:56]
- No Silos Among Competitors: Direct business competitors can—and should—share cyber learnings, because cybercriminals certainly collaborate (22:30–25:53).
6. New Frontiers: AI Risks and Lessons from the Past
- AI Parallels the Early Internet:
  “It just reminds me of…the early Internet...We saw all this value in being able to work smarter and work faster and work better...People got dollar signs in their eyeballs...and paid [no] attention to the cyber risk that, that introduced—subsequently birthing an entire cybersecurity industry as a result of a...poorly built Internet.”
  — Joey Smith [27:00]
- Alarm at AI Hype Outpacing Security:
  “We are putting the excitement and the, all the positive things about AI in front of thinking about all the negative things...It does concern me that as humans, we’re more excited about all the cool things AI can do and we’re not really focusing yet on the negative side of it.”
  — Joey Smith [28:50]
7. Inserting Security Into Innovation
- Early, Embedded Security: It's crucial to join innovation efforts from the start to guide secure adoption rather than bolt on controls later (32:03–33:19).
  “You should be part of that entire process from the beginning…we’re here to enable this business, so we’re going to figure that part out, but we’re here to enable it securely.”
  — Joey Smith [32:23]
Notable Quotes & Moments
- On business alignment:
  “Ultimately, if the business said yes to every single thing your security teams wanted, you’d probably end up putting your business out of business because nothing would work.”
  — Joey Smith [17:32]
- On collective learning:
  “Maybe collectively, more brains are smarter than just one brain.”
  — Joey Smith [25:53]
- On enabling with security:
  “We have to leverage AI…We have to leverage it securely though.”
  — Joey Smith [30:57]
Timestamps for Key Segments
- Joey’s Security Journey & Major Breaches: 02:20–04:36
- Compliance vs. Security Realities: 05:35–09:14
- Communicating Security to Execs/Boards: 09:34–12:56
- Building Business-Aligned Security Programs: 14:18–18:13
- On Risk Acceptance & Security Funding: 16:24–18:49
- Vendor Selection and PoC Approach: 19:17–22:09
- Role of CISO Communities: 22:09–25:53
- AI Risks and Lessons from History: 26:13–31:33
- Embedding Security in Innovation: 32:03–33:19
Episode Takeaways
- Compliance is a baseline, not a shield. Security leaders must drive true risk reduction, not just checkboxes.
- Business alignment means understanding and enabling organizational goals while protecting its assets.
- Security’s value is demonstrated when it’s embedded in both innovation and governance—not when it’s policing from the sidelines.
- Collaboration, inside and outside the organization, amplifies defenses.
- The temptation to adopt new technologies (like AI) without proper controls echoes historic mistakes. Security must be part of the conversation from day one.
For security leaders:
Joey Smith’s approach—distilling programs into simple, business-relevant buckets, building board relationships, and prioritizing enablement—offers a practical blueprint for moving beyond compliance and building resilient organizations.
