Threat Vector 10.2.25
Ep 87 | 10.2.25

The High Cost of Chasing Compliance, Not Security

Transcript

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of thought leadership for Unit 42.

Joey Smith: You should be part of that entire process from the beginning. Like, okay, let's really define what we're trying to solve here. Let's look at the technologies that are out there and really ensure that we're going to get the value that we're looking to get and then the security team's ensuring that it doesn't put us at, you know, such an increased amount of risk. It's just being part of the conversation early on and being, you know, having a seat at that table and always approaching it from a -- we're here to enable this business, so we're going to figure that part out, but we're here to enable it securely. [ Music ]

David Moulton: Today I'm speaking with Joey Smith, Vice President and Chief Information Security Officer at Schnuck Markets. Joey is a seasoned cybersecurity executive with a deep background in incident response, computer forensics and risk-based security strategy. With experience leading global incident response at MasterCard and shaping PCI compliance standards, he has built a career on the front lines of retail cybersecurity. At Schnucks, he's not only strengthened the organization's overall security posture, but he's also helped drive operational efficiency through cloud collaboration and strategic oversight across IT infrastructure, security and compliance. Joey, talk to me a little bit about your journey. From hands-on work in data recovery and incident response and then shaping cybersecurity at an enterprise level, what's been the most transformative along the way?

Joey Smith: Yes, so, yes, my career started at a small data recovery company. And -- and what we did there was we fixed broken hard drives, you know, long enough to get the data off of them and get it back to the customers that had, you know, lost whatever data they really needed. And, you know, that was a really cool job. But there was, you know, the main focus of that business was data recovery and fixing these hard drives. But they had another side of that business that was computer forensics. And so, customers would call in and they might need forensic support for, you know, a lot of it you know sadly was, I'm curious what my wife or my husband is doing. And, you know, there's a lot you can tell from -- from a hard drive. And I pursued and was able to get a -- a computer forensic certification. And you know, we would represent various lawyers that -- that would hire us for those services. And that's what really kind of probably got me into the information security arena. Ultimately, that opened the door for me to get into MasterCard, the payment card brand.
There's a big technologies headquarters here in St. Louis. And they were looking for a computer forensics expertise, and also incident response. And I was able to move into that position and I was, you know, spent seven or eight years at MasterCard. That was also a super cool job and got me a lot of exposure to much bigger, bigger global type things that we were dealing with. You know, thinking back to the big breaches of that time, it was like, you know, what do all of these transactions or all these complaints have in common? Well, every single last one of these cardholders all shopped at Target was -- was the big one back then. Remember that.

Joey Smith: And -- and -- and we also had one where all these payment card holders, they all shopped at Schnucks. And so, Schnucks was also a victim of a -- of a payment card breach. And so, you know, the sad part was, you know, this is back in 2012, 2011, was that list of breach merchants was just, you know, miles long. You could take that file and you could just scroll down forever. You know, it was a really bad problem. We would take all the transactions that happened at that -- at that merchant and deduplicate them and we knew, you know, all the payment card -- all the payment cards that were at risk, so to speak.

David Moulton: Yes. So, you were able to like figure out what the commonality was and the dates that there was a -- a set of problems. Yes.

Joey Smith: Yes. Yes, that's right. So, you take all that information and -- and you send it back to the issuing institutions, which are the ones that have the relationship with the cardholders, you and I, and we would let them know, "Hey, you know, this batch of cards we believe is at risk." And, you know, they might reissue the plastic, send you a new card, and randomly you might get a new card in the mail. You might not even know why. Or they would just put some additional fraud controls on, some additional monitoring. You know, they might not do anything. But it was at that point where it was between, you know, the issuers had a choice to say, "Hey, look, we've got this fraud alert from the payment card brands that this group of cards is at risk." Right? And now we have to make a decision what we want to do. So -- so that -- that job ultimately led me to where I've been now for the last 11 and a half years or so.

David Moulton: Compliance does not equal security. Why do so many organizations still treat compliance as the finish line rather than the floor?

Joey Smith: Yes, yes. I've said compliance does not equal security, but security does equal compliance. And -- and that I've sort of -- I've learned over my career and just sort of better understanding everyone else's perspective of their information security posture. And my -- my thought on that has a lot to do with my time at MasterCard. And we were investigating all of these merchants that were breached, and we would have this list that would go on for, you know, it seemed like miles. You could just scroll down this list, and every line was another merchant that we were very confident was having some sort of breach issue because there was all this fraud on all of the cards that happened to go through their point-of-sale system. And -- and every single person that we worked with, every single company that we worked with that was breached had a PCI compliance program. Every single one of them was compliant. So, you know, we'd get in there and we'd work with them, and -- and you know, we would be very curious, like, you know, we know this is happening. And they were like, "This can't be happening to us. We have our PCI compliance stamp," right? "We have our report on compliance. I just had a QSA into my environment, and they went and they did all of the things that they do, and they told me I'm compliant. So, how is it even possible that we have a breach event right now?" And that's where, you know, the stars kind of started to align in my head where like, obviously, compliance isn't good enough, because they weren't wrong. You know, we could see their report. They'd send it over to us, and -- and we'd look like, "Well, sure enough, you're compliant." But, you know, we can find one thing here or there that, you know, your auditor may have missed. And now, you know, you're -- you're in a breach situation. 
So -- so, the -- the issue that I always had with just kind of ruling your program through the lens of compliance is good enough, is that it gave this, you know, this false sense of security to the people that were not in the IT teams or the people that were not, you know, thinking about cybersecurity all the time. The CEO or the executive team would get this report and go, "Okay, cool, I don't need to continue to invest here. Right? We're good." You know?

David Moulton: Right.

Joey Smith: We're good. We're good. And they would -- they would be able to then, you know, redirect what could have been or should have been investments into hardening their infrastructure or doing some of the basic -- more basic security things. They'd be able to move that money towards other strategies that they had instead, because again, they have this compliance report. And that was really, I -- I believe the way that the retail industry was, you know, going back 10 or 15 years was they'd get this report, and everyone would think they're good and they'd move on, and they'd be able to do other things with that money. And I think, you know, around 2012, 2013, which was this huge spike in payment card breaches across the United States. And at that time, Europe had already moved to EMV transactions, which is that chip and PIN that is now very common. But, you know, the United States was slow to adopt that. So, that's where all the attackers were -- were looking at was United States businesses and you know, breaching that payment card data. And you know, more and more -- more and more merchants and -- and companies were recognizing that even though I've got this compliance report, I've got some pretty big problems that I still got to -- got to figure out.

David Moulton: So, you've read a lot of the breach reports. You know, you have that experience of understanding that being compliant doesn't mean that you're secure, that you've controlled the risk. What do you recommend to other security leaders to help those executive teams avoid that false sense of security when they get a clean audit report?

Joey Smith: Yes, you know, so much of it comes down to relationship and having a rapport with the executive team so that they know you, they trust you. It's -- it's great and it's always great to, you know, continue to sort of forward and -- and let them know of what's going on in the industry and some of the events that are happening. But at the end of the day, if you don't have that relationship and that rapport with the executive team, you're just, you know, you're another -- you're another person doing a great job, but they might not be giving you the focus that you really need or the attention you really need to make, you know, that -- those risk mitigating type decisions and you -- you know, it's harder to get the support behind it.

David Moulton: So, what are some of the things that you've seen successful security leaders do or you yourself have experienced, to build those relationships. Is it language that resonates? It's a -- a cadence of a conversation. Talk to me a little bit about that.

Joey Smith: It's -- yes, it's definitely all of those things and just trying to, you know, show up and be human to them. But you know, it's also like, you know, our jobs as security leaders is to sort of simplify what is really, really hard concepts to understand. You know, it's hard to wrap your head around the real cyber risks that we're dealing with. And so, trying to -- trying to simplify the best you can, like what my program's here for, and also being like, very -- very candid in that, you know, there's no silver bullet, just, you know, recognizing that at the end of the day, I cannot guarantee something won't happen. But what -- what I -- what I do say is I can guarantee that if something does happen, we're going to know about it and we're going to be in a position to respond to it. So, you know, just simplifying. Like, I look at my program and I sort of try to -- everything we do sort of falls into one of three buckets. And it's -- you know, if we're doing one of these three things, we're doing what the organization needs for us. And -- and it's as simple as we want to complicate unauthorized access. Right? Any unauthorized access, make it harder for that person to have that access. It's unauthorized, so it shouldn't be happening. So, complicating unauthorized access. Minimizing the attack surface. So, don't have this giant, huge, you know, obvious, humongous target that everyone can start hitting and eventually they'll get through. Just make that as small as possible. So, minimizing that. And then -- and last but certainly not least is actively respond and contain to the incidents when they happen. And it's not if they happen, it's when they happen. Right? So, I try to simplify everything that we do in my cybersecurity program to those three things. 
Complicate unauthorized access, minimize your attack surface and actively respond and recover and contain incidents when they happen, and sort of boiling those three, you know, kind of concepts down into a program. You can get more and more detailed under each one of those things, but that's a pretty high level. Like, certainly anybody should be able to understand those types of three things. And so, you know, working through that with your executive team, I think you get a lot of the different light bulbs, of course, with all the breaches that happen, the ransomware that's going -- that -- that's been happening and the like, you know, hopefully, given your -- the relationships that you're working on, though, they are at that point listening to you and going, "Okay, like, we should ensure that -- that this team is getting the funding they need to -- to do those three things successfully."

David Moulton: I -- I like that. It's not oversimplifying it, but it's putting it in clean buckets that somebody can track. Like, if we complicate that access, then that slows down the ability of the attacker to get in and to exfil, which means that we have more time to, you know, stop them. It makes it so that the size of the exfil is smaller if they're not able to get as much access and downstream, that means that we have maintained more trust with our customers or our partners. And I think that that's the last piece that, you know, I was just talking with one of our researchers about a massive cloud breach. And it wasn't that it was 90,000 credentials that were lost. That's the problem. It's the knock-on effects after that of what --

Joey Smith: Yes.

David Moulton: -- ends up impacting your business. And to make that -- that transfer over to the -- the business impact, whether it's reputational risk or you're no longer allowed to operate as a business because you're locked up. Right? Those are the things that I think any executive or board can understand. And sometimes the technical details of what does this control do aren't really illuminating for them what the -- the risk is that they're -- they're facing or they're accepting by not funding what you're asking for. So, I like the idea of bucketing it and then being able to tell good stories --

Joey Smith: Right.

David Moulton: -- that -- that resonate with those leaders.

Joey Smith: And at the end of the day, I think it's important that the security teams, our -- our real job is to enable the business. And I think that's been sort of a change over -- over the last 15 years as well, where security departments can no longer go in and -- and just be what we used to call the Department of No. Like, "No, you can't do it. No, you can't get to that website. No, you can't use this -- this way to send data. No, you can't do all these things." But, you know, trying to flip that on its head and being a business enabler saying, "No, you can't do that, but you can do it this way. Here's the right way to do it. Let me lead you to the way that is a safe way to transfer this data or, you know, use your computer or ultimately get your job done." We have to be business enablers and think through that lens so that our executive teams aren't just figuring we're the guys that just make it hard to do everything, right? Like, I don't want to complicate your access as another teammate of mine and a trusted employee of this organization. I want to complicate the unauthorized access. You know, and yours is authorized. So, how do I make it easy on you as a business enabler so you can do your job better, faster, more efficiently, all those types of things, and -- and leverage technology to do those things. But at the same time, put yourself in a position of better security posture. So, you're -- you're protecting the organization at the same time, you're enabling it to do whatever it is that they -- that they do best. [ Music ]

David Moulton: Yes. I was recently talking to another CISO, Nigel Hedges, and one of the things he talked about with a board conversation was, here are the things that I want to do. Here are the things that aren't funded, and this is the risk that you're accepting if we don't put these controls in place. If the business is okay with that, we'll move forward. Right? Like, my job isn't to tell you, you can't take the risk. My job is to make sure you understand the risk you are taking. And I like that reframing. You know, he said in some cases, the business wouldn't accept the risk, or the board wouldn't accept the risk, and so they'd go back and figure out how to fund it. But it, to me, was that clear moment of, I now understand what I'm exposed to if we don't do this. And that was a little bit of a shift. And like you, he wants the business to move forward and not be that block or that department of no. So, I think that those storytelling and reframing what I'm asking for, leaders like yourself that are able to do that really well, I think it helps businesses move forward in a way that allows them to grow and to maintain their -- their trust with their customers and their partners.

Joey Smith: Yes, a hundred percent. And that's -- that's what it's all about is just, you know, you're -- you're articulating that risk in a way that we can make a business decision about what we want to do with it. You know, do we want to fund a technology to mitigate it? Maybe not. A lot of times the answer might be no. It could be just, let's change the process instead. It could be, let's, you know, pick up some additional insurance to help mitigate it from an insurance perspective. But ultimately, you know, if -- if the business said yes to every single thing your security teams wanted, you'd probably end up putting your business out of business because nothing -- nothing would be work. Like --

David Moulton: You would be the risk that they couldn't accept. Right, where you'd shut it down.

Joey Smith: Yes, I'd either -- you know --

David Moulton: -- and so, it was perfectly secure.

Joey Smith: Yes. You know, I've joked with our CEO before, like, if you really want me to 100% secure this company, like, you know, we'll unplug everything from -- from network altogether. We will bury all of our servers in concrete, unplug it all, and we'll be secure, but you know, we'll probably be out of business in about one day. So, I know that's not what you want, right? So obviously, we have to operate with some risk. There's, you know, there's no, you know, making money or -- or serving customers or doing, you know, doing whatever your organization does without operating at some risk. So, you're right. It's all about --

David Moulton: All reward requires some risk, right?

Joey Smith: Yes, yes. Otherwise, everybody wouldn't be able to do anything. So, it's just -- yes, you said it, right. You got to, you know, have those relationships and -- and work through, you know, here's the risk. Here's a couple of things that we can do to mitigate it, or are we good with living with it, or, you know, what -- what do you want to do about it so we can continue to thrive but operate, at a tolerance that we're okay with?

David Moulton: You know, you've talked about when you're evaluating new technologies that you want to run a proof of concept battles with really strict criteria. Why is that approach so critical in today's vendor landscape?

Joey Smith: Yes, there's just so many vendors out there, so many solutions that -- that were constantly being, you know, that are hitting our inbox or, different outings that you see. There's just this landscape of technology. It's hard to figure out which one's the best, but you know, that's going to be different for every organization. So, if we know we have a need, if we know there's a particular risk that we want to, you know, tackle, there's definitely multiple options as far as technology to -- to look at. And so, you know, I like to take, you know, my top two, three, probably no more than four options and do that, do exactly a proof of concept and say, "Okay, if you -- if you're really going to help me with this before I buy your -- your thing that's going to help me, I want to prove that it actually works." And so, you know, putting them up against each other, really validates, you know, what's going to work for your organization and, you know, helps them also recognize that they just don't default in the business. They've got to win it over their competitors as well. You know, I got it -- there's -- we -- I did a session once where we talked with a group of CISOs at a conference about how do you sell to a CISO, because we're all just so inundated with the salespeople. What is it that actually works? And shout out to my friend Andrew -- Andrew Wilder, who's -- he's over at Vector. He's the CSO of Vector. He came up with like, this is -- this is, if I'm interested in buying something, he's like, "These are the four things that -- that need to be where, you know, number one, I have a known issue. I've budgeted for it. My funds have been approved, and I can start POCing all these options. Number two is there's some sort of new regulatory requirement that says, you know, you need to do this type of protection with this type of data. 
Number three, an incident actually happened, and now we essentially have an open checkbook to -- to -- to respond or start putting some controls in place. Or lastly, my peers in my community are talking about it and we're recommending it to each other. And it's like, if one of those four things are happening, then we're interested in said technology, and we can start to move towards the POC. But it's just very hard. The vendor landscape is loud, it's very aggressive, and -- and I think you got to put them up against each other to ensure that they're going to provide that risk mitigation that they say that they can.

David Moulton: So, you just mentioned your peers saying something as an influencer, and earlier you talked about having that relationship with your executive team and the board. You've been this proponent of CISO communities and peer collaboration. Talk to me about why that network is so essential in the environment that you operate in today.

Joey Smith: Yes, it's -- it's one of those things where, you -- you know, I jump on. We have monthly CISO calls, and it's a variety of different industries, but we're all battling the same challenges. And if nothing else, it's just a group of -- of security leaders that can sort of look at each other and be like, "Yes, yes, I've got that problem, too. And, you know, these are the things that keep me up at night." So, you know, we're not alone. So, there's some strength in just having, like, others that are understanding the battles we're fighting. But at the same time, you know, you can -- you start to recognize or -- or you can tell stories between each other about what's working, what's not working, strategies around. You know, there's certain companies, and -- and I've had some really good conversations in those -- in those meetings where it's like, "This particular company is looking to move all of their renewals to an OPEX model." So, that's going to happen to us. So, be cautious if you're trying to continue to keep this as a CAPEX model, maybe you want to do your renewal before now, before it becomes an operational expense for you. So just, you know, we're all in this battle together and it's just sharing that information. I don't consider anybody in the world that's in cyber my competitor. Right? Like, I could be working with the CISO of another grocery store that directly competes with my organization, but when it comes to cyber, that person's not my competitor. Like, let's fight out in the aisles of our stores who can -- who can better serve their customers and the like, but at the end of the day, we, between the security industry, we're fighting the same adversaries. And you know, we'll let the best -- may the best business win. But ultimately we're all in this together and we got to recognize that our adversaries are working together. You know, they're largely, you know, they, you know, they largely out-fund us.
Their -- their teams are, you know, largely more motivated. You know, they don't take the weekend off. They, you know, don't enjoy Fourth of July holiday with their family. You know, they're, you know -- and you know, in the case of nation states, they're getting significantly more funding to do their programs and do their things than we are. So, it's, you know, it's the least we can do is start to, you know, collaborate with one another to say, "Hey, look, we're outnumbered, but -- but we can work together to -- to do what we can to mitigate these -- these threats that we're seeing all the time." Yes.

David Moulton: I -- I used to sit in on a -- a board of advisors and they were direct competitors. Insurance company, medical company, you know, they always had a counterpart or a peer there. And it was so inspiring to me that just like you said, let's let the grocery stores beat each other as businesses or attract customers as businesses in the aisle. They were looking at it the same way of like, it doesn't really work if one of us goes out of business because we had a cyber weakness or a cyber breach that caused us to be harmed as a business. And I think that that's one of the best things about our industry. And if, you know, you're coming up and you're -- you're listening to the pod, I think reaching out and finding that mentorship, finding those folks that'll have those conversations with you, maybe even just letting off a little steam to somebody who fully understands what you're talking about, is -- it's the release valve that we need. And it's where I think you can find those insights and innovations that maybe aren't really obvious right away.

Joey Smith: Yes, you're right. It's -- it's just having a room of, you know, a group of peers that are all in this together. You know, it's -- it's -- it is. It's that deep sigh of relief that, hey, I'm not the only one trying to figure this out. Maybe collectively, you know, more brains are smarter than just one brain. So, yes, it's -- it's hugely important.

David Moulton: Joey, you drew this interesting parallel between the rise of artificial intelligence and the early days of the Internet where connecting everything without securing it seemed like a great idea. Are we making the same mistake again?

Joey Smith: I don't want to be like doomsday, but it does scare me because, you know, I just got back from an industry conference that was more focused on compute storage and infrastructure stuff, not -- not like a Cyber Security conference. And AI, you know, like it is in everywhere is the buzzword. AI. We do it with AI. AI is going to fix everything. And, you know, I battle with that even internally at Schnucks now, where, like, we're, you know, we want to leverage AI to be a differentiator for our customers. We want to figure out the, you know, these tasks that we can automate through AI, so that we can better focus our associates on serving our customers' needs and getting rid of just the busy work type stuff. And everyone's really excited about it. And it just reminds me of, you know, the early Internet where we started connecting as, you know, as a species. We started connecting systems and computers together and we reckoned, you know, we had -- we -- we saw all this value in -- in, you know, being able to work smarter and work faster and work better. And this is just, you know, the early advent of, you know, basic networks. And, you know, all these people, I think, got these dollar signs in their eyeballs and said, "Oh, you know, we can bring in these things, like, we can make money online now and we can do banking online now and let's connect it all." And paid, you know, paid no mind to the cyber risk that, that introduced. Subsequently, you know, birthing an entire cybersecurity industry as a result of a, you know, arguably poorly built Internet. I just think, like, us as humans, we're marching down a scary path that sounds very similar with AI, right? Like, oh, AI. AI, it's going to -- we can make so much money with AI. We can do all these things. And again, not to sound like doomsday, but you know, where are the regulatory controls around this? 
Or is anybody, you know, thinking about the risk that this poses to my organization or all the bad things that this can happen -- that can happen as a result? And so, I -- I, you know, I challenge and I'm still looking, even as, you know, a CISO, these are the risks that we're thinking about. I'm still looking for the technologies out there that can identify malicious AI or -- and things. And I, you know, it's a huge opportunity for -- for companies like Palo Alto and others to, you know, solve some of these problems that we're now dealing with because I do fear that we are putting the excitement and the -- all the positive things about AI in front of thinking about all the negative things. And so, yes, it's -- it's going to be very interesting how this all goes the next couple of years. But it does concern me. It really does concern me that as a -- as humans, we're more excited about all the cool things AI can do and we're not really focusing yet on the -- on the negative side of -- side of it.

David Moulton: Yes, I think it's a combination of being naive, being excited about the -- the opportunity, the dollar signs. It's -- it's weird. As you were talking about it, my son introduced me to two gaming platforms. You know, he's a -- he's a teenager and he -- he started playing Roblox. He started doing Minecraft and you know, a lot of fun. Lots of different things that you can do in those. They're -- they're different in some ways. Same in some ways. And the thing that was really surprising to me was the rampant fraud and the attacks and the different things that are going on in this sort of like micro-environment of platform gaming. And I'm going like, wait a minute, we already know all these lessons. How is it that, oh yeah, they wanted to grow fast, they wanted to innovate, they didn't necessarily have the knowledge and the information that they needed. And then I see a parallel as we're screaming towards a, you know, an AI infused future. And a lot of folks are looking at the things that are cool, the things that you can, you can build. And as a, I don't know, a positive person and a former designer, I feel that urge. But as somebody who's had a foot in the security side for almost a decade now, I'm going, hold up, there's some risk here and somebody's going to figure out how to take something from you that you value using this technology or using your blindness, whether it's being naive or -- or greedy, you know, to -- to put you in a compromise. And -- and we know better. And yet, I don't feel us putting enough as a -- as a tech industry, just a little tap of the brakes. So --

Joey Smith: Right. And it goes -- it goes back to what I said earlier. It's -- our job is to articulate exactly what you just said. And while we still want to enable the business, like we have to leverage AI. There's so many positive things we can do it, we have to leverage it securely though. So, educating the business with everything you and I just said while still enabling them to use it. But let's put these -- some of these guardrails around how we use it, why we use it, what are we really trying to achieve here? And let's -- let's, you know, flesh that entirely out so that we can be using it to drive the business but using it in a safe way that doesn't put us more at risk than -- than we want to be.

David Moulton: Do you have any recommendations or thoughts on how to insert security or some of these conversations into the drive for innovation? You know, so that you're not necessarily labeled as a blocker but you're helping the companies and -- and those teams understand that a little bit of that prevention or a little bit of that thought allows them to scale and achieve speed later when they don't hit that, you know, whether it's a speed bump or a full on breach, from -- from a cyber risk.

Joey Smith: Yes, it's, you know I think the answer is a lot of just you got to be part of that team. You can't just be this siloed information security program and it's just part of the other, you know, hopefully at least companies are looking at their information security teams to, you know, to at least do some reviews and checks but that you know, you should be part of that entire process from the beginning. Like okay, let's really define what we're trying to solve here. Let's look at the technologies that are out there and really ensure that we're going to get the value that we're looking to get and then the security team's ensuring that it doesn't put us at, you know, such an increased amount of risk. It's just being part of the conversation early on and being you know, having a seat at that table and always approaching it from a -- we're here to enable this business, so we're going to figure that part out, but we're here to enable it securely. And so, it just -- it's so important to have those relationships with the business side so that you do have a seat at the table and you're not just perceived again as that department that, "If we bring them in, they're just going to -- they're just going to throw the whole thing out." [ Music ]

David Moulton: Joey, thanks for this awesome conversation today. I -- I really appreciate you sharing your insights on security leadership, strategy, you know, telling me your stories of coming up from the, you know, the hard drive side in forensics and through, you know, the -- the retail side of MasterCard and into what you're doing today. And then, you know, even offering some of your thoughts on maybe some of the mistakes we're making as we rush for new technologies like AI.

Joey Smith: Well, it's great to be here, David. I appreciate the conversation, and I know we -- we you know, just scratched the surface of so many things and I appreciate what you're doing on this podcast to -- to bring, you know, like-minded people together to just sort of, you know, have a voice and have a seat at the table like we talked about. So, thanks for having me. [ Music ]

David Moulton: That's it for today. If you like what you heard, please leave us a review on Apple Podcasts or Spotify. Those reviews really do help me understand what you want to hear about. Or you can reach out to me directly about the show at ThreatVector@PaloAltoNetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]