Security Success Stories You Haven't Heard

What separates organizations that truly excel at cybersecurity from those that just spend money on it? In this episode of Threat Vector, host David Moulton sits down with Isaiah Telhado, Senior Cybersecurity Customer Success Engineer at Palo Alto Networks, to explore what cybersecurity success actually looks like. With over 25 years in IT and security leadership across Nestlé, Zscaler, and now Palo Alto Networks, Isaiah has seen firsthand what transforms organizations from vulnerable and reactive to confident and resilient.

You'll learn:

• Why the "castle and moat" security model creates massive blind spots that leave you vulnerable from the inside
• The museum analogy that finally makes Zero Trust architecture click
• How AI is shifting security teams from reactive firefighting to strategic threat forecasting
• What "crypto agility" means and why quantum readiness matters today, not tomorrow
• The cultural shifts that separate mature security programs from expensive tool collections

Isaiah shares a powerful case study of a major financial institution that transformed from a devastating data breach caused by misconfiguration to a proactive, cloud-native security posture. The outcome? Incidents dropped dramatically, and the security team's confidence soared—proving security can be a business driver, not a blocker.

Beyond technology, Isaiah reveals why collaboration across IT, legal, operations, and business leadership is essential—and why the best security awareness programs are bidirectional, not just pushing policies onto users. With insights on breaking down silos, measuring what matters, and avoiding common pitfalls that slow security maturity even in well-funded organizations, this conversation delivers practical wisdom for security leaders at any stage of their journey.

This episode is essential listening if you're: implementing Zero Trust architecture, managing cloud migration while maintaining security, breaking down organizational silos between security and business units, struggling to prove ROI on security investments, or preparing your organization for AI-powered threats and quantum computing risks.

Related Episodes:

• Why Security Platformization Is the Future of Cyber Resilience
• Securing the Modern Workforce
• Unlocking Cybersecurity ROI with Platformization

#ZeroTrust #CloudSecurity

Transcript

[ Music ]

David Moulton: Welcome to "Threat Vector," the Palo Alto Network's podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.

⁠Isaias Telhado: We have so many different tools nowadays and if you are not properly aware, if you do not strategize, if you do not understand your objective and where you want to go, you may find yourself lost with this whole plethora of different AI tools nowadays. And -- and I think this is -- this is an important thing to -- to have in mind. Stay relevant, stay updated. It is impossible to know about everything at the same time. It's just too much. [ Music ]

David Moulton: I know it's been a minute that we've been talking about having you on the show and what I'm so excited about is we're going to talk about security success stories today, which is maybe a little bit different than most folks are used to, you know, hearing from the podcast when we talk about risks and threats and you know, what did we learn from a failure? In your case, we're going a 180 and -- and I think that's really exciting.

⁠Isaias Telhado: Absolutely. Excited to -- to be talking about it and, you know, looking forward for our conversation.

David Moulton: Isaias, you work closely with a broad range of customers. Are there specific patterns or traits that you've seen in organizations that are succeeding in today's cybersecurity landscape?

⁠Isaias Telhado: Sure, there are definitely clear patterns that I observed and organizations that are truly excelling. They share a few traits and things that I can mention here is that firstly, they see security as a business enabler. It's not just a cost center. It's not just spinning. And that's one important trait of organizations investing in security. You need to have in mind and pass beyond the idea that that's just an expense because security needs to be properly aligned with your business objectives. That's a whole way to get that alignment and so we can succeed, you know, based on that first pillar let's say, right? The -- the disorganizations, they are proactive. They have adaptive security. They look to use threat intelligence and automation, especially as they -- they are always looking for the next and as an example adopting cloud technologies and zero trust models. Also, they have a strong cross-functional collaboration which is -- which is to the point that I mentioned is when these organizations, they have their IT strategy very aligned with the other teams and everything happening into their organization in terms of operational lesson plan, drivers, objectives, definition, everything is cascaded down to the IT level with meaningful, actionable, relevant objectives.

David Moulton: Isaias, can you give an example of a client who turned things around through a particular strategy or approach?

⁠Isaias Telhado: Sure. I can share a powerful story about one of the, you know, major financial institutions that I've worked with. And -- and that's a common story, but -- and it's also very relatable with other customers as well. You know, they -- they had the traditional castle and moat security model. Pretty much everything is -- it's focused on that -- those outside limits where you have the moat, pretty much to get into the castle, which is the internal customer infrastructure. And with that model, we know thinking everything inside the network was safe, brings some -- some points that you need to be concerned with and -- and you need to take into consideration when searching for your strategy going into the cloud. The -- they -- with that approach, they have developed massive blind spots into their architecture leading to a significant data breach from a simple misconfiguration, because the way castle-moat traditional architecture works is you pretty much ensure that you secure the out -- outbound limits to access your infrastructure. So, if something is disguised as something that -- that's not supposed to be that particular thing to -- which is being tested again as security policy, then you are vulnerable and all your internal perimeter gets compromised because of that. So, after that incident, that was their wake-up call. Right? And working with Palo Alto networks, our strategy was to help them shift to a more proactive cloud native security model. And -- and with that, we start bringing to the customer the implementation of a true zero trust model, which is imagine to better illustrate what the zero-trust security model is in comparison to a castle and moat approach. Imagine that, you know, first example I already explained here, and the zero-trust model would be you are in a very big museum, a very technological one with a lot of things implemented, and each piece of that museum has its own dedicated control. So, to access each one of those individual art pieces, you -- you have different types of security and different groups that can access that -- that particular item at the museum. So, that -- that's more or less what the zero-trust is. Trust nobody. Everything has its own control. And -- and no matter -- no matter what it is, you -- you have that comprehensive secure layer applied to each element on your network. The outcome to that customer was remarkable. They got their incidents dropped dramatically and the security team's confidence just soared after the implementation. That was a good example of security leading the way for a faster, safer digital transformation, I would say.

David Moulton: So, you said that their confidence soared and the -- the direction I wanted to go in was like, what does it look like for a client who's truly winning, when they put these -- these policies into -- into practice? Can you talk more about, you know, some of the things that you've seen, what they're able to do, what they can stop doing and -- and maybe even go into that idea of like what does the confidence going up, how does that impact a team?

⁠Isaias Telhado: So, when a customer is winning, it's all about achieving its digital confidence and operational resilience, which brings to the points that I mentioned and a few things that I can talk about is verified access. Their users get access to what they need from anywhere on any device. Every connection is always checked and based on the principle of never trust, always verify, which is making a -- a comparison to the museum case illustrating zero trust. You know, never trust nobody. Always verify to everyone getting to those different places where they want to go. They have unified security, helping them to have centralized management, simplified operations and much faster approach to how to manage their network and infrastructure security, you know, across their -- the whole landscape. And that also creates a strong security foundation that lets them build up on top of those security solutions without constantly having to look over its shoulders. Because the -- the whole architecture, the whole zero trust platform brings them functionality and elements of the updates and elements that -- that -- that will keep them always in the game. You know, they are always looking to the next, especially now in times where we have so many zero days vulnerabilities that brings the customer the capability to be always updated and always ready for what comes next.

David Moulton: So, let's shift gears a little bit and talk about collaboration both internally and externally. What role do cross-functional teams and partnerships play in a client's success?

⁠Isaias Telhado: Collaboration is everything. You can't achieve real security wins in a vacuum without proper collaboration from other areas, without having you know, your users and you know, your remote users, the -- the -- the -- all the -- the companies' people without proper collaboration and -- and from them, one other example of collaboration would be the security awareness and -- and that's a both way sort of collaboration. You -- you cannot depend only on customers being aware and know what to do at all time. A good security awareness program, it's key inside this model of collaboration between users and -- and on operations. Another example is internally, success on that will depend on departments working together. Not just IT, but also you have a -- a great infrastructure set between your legal, your operations and business leadership. And -- and that brings to the point that I mentioned that IT strategy needs to be aligned from the top, going down to the organization and sharing all the objectives. Once those things are aligned, the security program actually fits the business needs. And one -- another great example is open communication that will ensure your -- your clients and users to get the most value and support as threats evolve. So, communication is key for enablement and communication is key for awareness. Communication is key for that alignment from the top, down to -- to every aspect from the business. Ensuring that you have proper alignment with IT objectives and business and -- and making that cross-functional partnership and collaboration play effectively in customer success.

David Moulton: You know, I know the cartoon that you're talking about and you know, it's like a boxing match and you've got millions in spend on one side and then you've got one user, Dave. And I've always felt seen as a -- as a guy that shared the name with the guy in the cartoon that you're talking about. And I think that --

⁠Isaias Telhado: Exactly.

David Moulton: -- I think that you're absolutely right there where you know, all those tools don't collaborate. It really doesn't matter if you know the -- the end user's not able to participate in that security for themselves and for the organization. So, you know, Isaias, have you seen a customer successfully break down silos between security IT and those lines of business?

⁠Isaias Telhado: Sure, customers that I observed that I had the opportunity to -- to seeing them breaking down those silos are the ones that we can say they are truly winning because often it involves a cultural shift and you know, culture eats a strategy for breakfast. That's another phrase I like to say on that. But when you're able to -- to break that -- that culture, to break that and -- and have that cultural shift, it -- it pays off enormously. So, meaning with the -- with the culture change, you -- you -- you can bring, you know, improvement on the way you utilize your tools. You can bring improvement the way users will utilize those tools because it's not just about, you know, the tools. It's about behaviors. You cannot expect someone to achieve the objective and I'm going to give you a very simplistic example here. You cannot achieve someone -- you cannot expect someone to achieve to kind of properly hit the nail on the head if they don't know how to use the hammer. They -- they might be hitting with the handle or I don't know, you know. So, that's a very simplistic example about it's not about the tools. It's about the behavior. And -- and that's the -- one of the biggest shifts that -- that comes often from the culture and -- and -- and you know, having the right program to set the new behavior into customers to lead the culture to a point that you have, you know, communications that will flow freely through regular cross-functional meetings and share platforms. And when an incident happens, you have that collaborative problem solving, not finger pointing. That type of integrated approach is what is essential in complex environments and is often the biggest indicator of a mature secure program. And consequently, one good example of how organizations broke the silo between IT and the business.

David Moulton: No, I really like that and I think that your example is really right. You can imagine somebody picking up a hammer and holding it right near the head and trying to tap something in or getting their hand further back, so they get the actual leverage of the tool. And, you know, you could put the same amount of work in. In fact, you might be able to put in less work if you use the tool right, and get better results. And not having everyone know what to do, not having everyone work together, likely means that there's more work and poor results versus you know, going with this idea of like how do we reset so everyone knows how to work together. From -- from your vantage point, are there some common missteps that really do slow down security maturity even for the most well-funded organizations?

⁠Isaias Telhado: Yes. And even with a big budget, organizations can stumble. I -- I can see and I can -- I can mention some common pitfalls that can slow down the security maturity on organizations. I can mention missing a clear strategy which means to the point that I'm -- that I'm being repetitive on it so far is without a plan that is aligned with business goals and without an IT plan, which or IT and secure plan align with those goals, the security investments can become scattered and ineffective. Meaning sometimes organizations, they will buy solutions, that -- that, you know, they are not -- they are doing patches and -- and just trying to tackle pinpoints and -- and isolated needs that they have in terms of security. Other important thing I'd like to mention is ignoring the people. You can have the best tools in the world, but if you don't invest in user training and awareness, you are still vulnerable to your network. And that brings us to that meme where you have the fighting ring.

David Moulton: Man, for a second I thought you were going a different direction with that. You know, you're saying that one of the things you needed to do is ignore the people. You had me going there in the first half.

⁠Isaias Telhado: Yes. No, way. That's -- that's the common pitfalls organization might -- might take when acquiring security solutions. That's like one problem that would slow down security maturity. It's often seen like organizations just ignoring the people in the sense, well let's implement this, let's just push to everyone. But we are not taking any clear and effective awareness program or the proper enablement just to have users utilizing properly that solution, and which bring -- bring me to the -- the previous answer about you know, culture, behaviors and tools. Right? Over -- overly complex tools is another example. They can slow down security maturity. Too many disconnected security tools, that will create confusion, will reduce visibility. The -- the -- the IT staff will encounter problems while using it. There'll be compatibility issues. It's overly complex. They need to do integrations. They -- they don't have that flexibility. That can leave dangerous steps. And lastly here, maybe failing to measure results. So, if you don't track metrics, you cannot prove the value of security investments and -- and nowhere you need to improve. It's like having a map. You're navigating the seas, but you have this map or there's nothing there, or if there's something there, you don't have a clear direction where you're going to. So, without proper measurements, without proper KPIs and measures, leading and lagging measures, you might -- you might be in that situation. [ Music ]

David Moulton: So, when we set this up, one of the things I was most excited about was to hear a story of client success, something positive. Can you share maybe what happened and why you think it worked, in one of these customer success stories?

⁠Isaias Telhado: That's a good question, and I can relate to an example from a fast-growing tech company that was being slowed down by its own, you know, clunky security infrastructure. They -- they -- they had, you know, that sort of like messy VPNs, frustrating types of connectivity, all sort of like stitched together -- stitched together types of -- of solutions and VPN concentrators here. Internal gate is in one side, in inconsistent policies. And -- and -- and their security team because of that, they were always playing defense unfortunately. Right? So, they decided to make the change and embrace the zero trust mindset. Also being powered by a modern SASE architecture, secure access -- secure access service edge. Right? But this wasn't just happening about the -- the new technology. Right? It was a complete strategic overhaul underneath that, meaning they had to get everyone on the same page, security, IT, the business with a -- a clear plan from day one to avoid the -- the pitfalls we discuss here, where they -- they would be ultimately rendered ineffective if they were, you know, creating the plan and laying down the strategy. And they had those gaps. So, what worked well in that case? Right? And what -- what was the positive client success history over there? So, zero trust brought them that strong foundation. Right? Everything was very fine. And -- and that dramatically reduced their risk, their -- their inherited risk for users connecting to their systems and business applications. Right? Second, the SASE platform was the -- the engine that was providing them with security, and -- and secure, fast access for everyone no matter what they were. So, SASE was providing that with the elements that they so much needed and in a way that it was far better integrated, consolidated and -- and centralized and -- and flexible, in comparison to what they had before. And -- and third, that whole change, that -- that -- that success they were achieving, was helping them breaking down the internal silos. Meaning that they start having security as a business driver and not a blocker anymore. They shift into that, "Oh, it's an IT problem. Oh, you know, we need to connect here. Oh, this is slow. This is preventing me to connect over here, over there." So, if that whole integration of tools with that SASE platform with the visibility achieved, the -- the management, they -- they went from being vulnerable and slow to being confident and resilient. So, they could now innovate and -- and grow at a -- at a full speed, knowing their secure program is now an advantage as -- as an opposed being something cumbersome and -- and something just, you know, just there because they need it.

David Moulton: So, let's look ahead. What are some of the trends that you see coming or maybe you're most excited about or hopeful for right now?

⁠Isaias Telhado: So, I'm most excited about the convergence of advanced technology into a more proactive and human centric approach to security and what that means. Now, we have AI as a force multiplier for defects. And while we hear a lot about AI powered attacks, the use of AI in defensive tools is incredibly promising and big example. Let's look at our own solutions. Palo Alto Networks Precision AI. Now, it's time to fight AI with AI. So, what that means, that means that AI is now helping to automate tasks. It's helping with a lot of prediction models, helping to predict those threats, those zero days attacks or if something happens based on all that new approach to security data and threat vectors, it'll help to predict those threats and vulnerabilities and allow security teams to be more strategic and less reactive, because as AI is taking care of the commonly known existing threats in a reactive way that allow the IT teams to be more strategic about it and use AI as a tool to kind of forecast and be ahead of those threats the -- the -- the best way they can. I'm also very excited and in -- in a way like I want to learn -- I'm always trying to learn new stuff and -- and you know, and Palo Alto is great because it's every second they have something new going on. And one -- another thing that's very exciting is the proactive approach that we have towards quantum readiness and in quantum security. So, the threat coming from quantum -- quantum computing to current encryption models is real and -- and it's inspiring to see for example in -- in common center inside historical manager tools, right, how we are having solutions that start giving recommendation and start analyzing customers quantum readiness before that becomes a -- a crisis, right, let's say. This foresight about building crypto agility into our infrastructure today, it's -- it's a very exciting thing. It's -- it's a very nice thing to see and to have for organizations. And -- and finally, beyond technology, I have great hope in growing recognition that cybersecurity is sort of like a team sport. Right? And -- and that -- what sums up a lot of points that we discussed here. The focus on breaking down silos, fostering collaboration and prioritizing user enablement, awareness, education is this power -- powerful shift towards this team support for cybersecurity. When organizations invest in their people and build a security aware culture, the technology truly gains its -- its purpose. It really gets utilized to that -- to the best way. This move, this whole move toward share responsibility, is what will ultimately make us all more secure.

David Moulton: So, I think you just introduced a new term to me, Crypto-agility. I hadn't heard this before and I want to go back to it because I'm guessing that it might be something that I'm either way behind or you're way ahead on. And -- and maybe spend a moment on that. While you're talking, and forgive me, Isaias, I -- I had to look it up. Crypto-agility is the ability to rapidly replace or adapt cryptographic algorithms, keys and protocols within a system without disrupting its ongoing operations. So, if you're a listener and you were thinking, "Did Isaias just drop a new phrase on me?" Yes, it seems like he did. Props to you for doing that right here on "Threat Vector." And if you were wondering what it was, I just gave you the AI definition. What an insane idea, but one that I think is -- is a real positive to be able to swap out those algorithms very quickly, especially in that context, you know, whether you're on the camp that says, you know, quantum compute is never coming and it's been one of those things that, you know, is something to not be worried about. You know, we've had folks on the podcast, Near [phonetic] in particular, who had that point of view. And then on the other side is you might as well be ready for it. And we've got some of the different tools that are necessary to help, as we've said with Richu [phonetic]. You know, like you don't want to cram right before the test. So, start that process today. And that way when Q day hits, you're not -- you're not struggling to keep up, because that's an impossible ask. Isaias, thanks for this awesome conversation today. I really appreciate how much prep you did for our show and that you came on and you shared so many of your insights into cybersecurity, into customer success. And I'm looking forward to hearing from you again on the types of wins customers have, as we, you know, advance on some of these technologies.

⁠Isaias Telhado: Absolutely. Thank you so much for having me here. It was a pleasure. [ Music ]

David Moulton: If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts and Spotify. Your reviews and your feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at ThreatVector @paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt and Virginia Tran. Original music and mix by Elliott Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]