Threat Vector by Palo Alto Networks

The High Cost of Chasing Compliance, Not Security

Oct 2, 2025
Joey Smith, Vice President and CISO at Schnuck Markets, draws on his vast experience in incident response from MasterCard to highlight the crucial distinction between compliance and actual security. He discusses how treating compliance as the finish line leads to vulnerabilities, especially during breaches. Joey emphasizes the importance of effective risk communication to executives and stresses the need for early security integration in AI initiatives, advocating for clear guardrails to prevent hasty adoption of emerging technologies.
ANECDOTE

From Hard Drives To Global Incident Response

  • Joey started in data recovery and moved into computer forensics, which led to roles at MasterCard handling global incident response.
  • He tracked large merchant breaches and helped identify compromised card batches that issuers used to mitigate fraud.
INSIGHT

Compliance Is A Floor, Not The Finish Line

  • Compliance often gives organizations a false sense of security because passing audits doesn't prevent breaches in practice.
  • Joey learned many breached merchants were PCI-compliant, showing compliance is necessary but not sufficient for security.
ADVICE

Simplify Security Into Three Buckets

  • Build rapport with executives and simplify cybersecurity into three clear buckets to gain funding and attention.
  • Frame your program as: complicate unauthorized access, minimize attack surface, and actively respond to incidents.