The High Cost of Chasing Compliance, Not Security

Oct 2, 2025

Joey Smith, Vice President and CISO at Schnuck Markets, draws on his vast experience in incident response from MasterCard to highlight the crucial distinction between compliance and actual security. He discusses how treating compliance as the finish line leads to vulnerabilities, especially during breaches. Joey emphasizes the importance of effective risk communication to executives and stresses the need for early security integration in AI initiatives, advocating for clear guardrails to prevent hasty adoption of emerging technologies.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

From Hard Drives To Global Incident Response

Joey started in data recovery and moved into computer forensics which led to roles at MasterCard handling global incident response.
He tracked large merchant breaches and helped identify compromised card batches that issuers used to mitigate fraud.

INSIGHT

Compliance Is A Floor, Not The Finish Line

Compliance often gives organizations a false sense of security because passing audits doesn't prevent breaches in practice.
Joey learned many breached merchants were PCI-compliant, showing compliance is necessary but not sufficient for security.

ADVICE

Simplify Security Into Three Buckets

Build rapport with executives and simplify cybersecurity into three clear buckets to gain funding and attention.
Frame your program as: complicate unauthorized access, minimize attack surface, and actively respond to incidents.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Welcome to Threat Vector, the Palo Alto Networks podcast. In this episode, host David Moulton speaks with Joey Smith, Vice President & Chief Information Security Officer at Schnuck Markets. Joey brings experience from leading incident response and forensics at MasterCard to spearheading risk-based security and cloud transformation in retail. Together we explore how today’s CISOs rethink risk, measurement, and leadership in a threat landscape reshaped by AI, compliance expectations, and fast-moving innovation.

We also revisit a key theme from our earlier episode, Human in the Loop for AI Security—how security leaders must take the wheel when it comes to embedding secure design into AI initiatives before they scale too fast, too soon. Joey’s perspective reinforces the need to lead AI adoption with risk clarity, not just curiosity.

Vote for David Moulton as the Media Creator of the Year

Host David Moulton has been nominated for the SANS Difference Maker Award for Media Creator of the Year. These awards recognize people pushing cybersecurity forward and giving back to the community, and it would mean a lot if you gave David your vote. Voting is open through Wednesday, October 8th at 11:59 PM, You can cast your vote here. Thank you for helping David get there.

Join the conversation on our social media channels:

Website: ⁠⁠⁠⁠https://www.paloaltonetworks.com/
Threat Research: ⁠⁠⁠⁠https://unit42.paloaltonetworks.com/⁠⁠⁠⁠
Facebook: ⁠⁠⁠⁠https://www.facebook.com/LifeatPaloAltoNetworks/⁠⁠⁠⁠
LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/company/unit42/⁠⁠⁠⁠
YouTube: @paloaltonetworks
Twitter: ⁠⁠⁠⁠https://twitter.com/PaloAltoNtwks⁠⁠⁠⁠

About Threat Vector

Threat Vector by Palo Alto Networks is your premier podcast for security thought leadership. Join us as we explore pressing cybersecurity threats, robust protection strategies, and the latest industry trends.

The podcast features in-depth discussions with industry leaders, Palo Alto Networks experts, and customers, providing crucial insights for security decision-makers.

Whether you're looking to stay ahead of the curve with innovative solutions or understand the evolving cybersecurity landscape, Threat Vector equips you with the knowledge needed to safeguard your organization.

Palo Alto Networks

Palo Alto Networks enables your team to prevent successful cyberattacks with an automated approach that delivers consistent security across the cloud, network, and mobile. ⁠http://paloaltonetworks.com