In this episode of Threat Vector, host David Moulton, Senior Director of Thought Leadership at Unit 42, speaks with Jiphun Satapathy, SVP and CISO of Medallia. They discuss how security and user experience must coexist in today’s hybrid and AI-driven workplace. Satapathy explains how Medallia secures its global workforce, manages SaaS adoption, and uses enterprise browsers to protect users without adding friction. The conversation explores GenAI risk, shadow AI, endpoint visibility, and how SASE architecture enables smarter, safer workflows. Learn how CISOs can rethink old processes to keep innovation and protection in balance.
Transcript
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
Jiphun Satapathy: The challenge here is one angle is, again, someone can question that. Why is it any different than shadow IT? We have not solved that problem. Then we came to shadow AI. We have not solved that problem. But, with shadow IT, at least there is one angle is there is at least a human involved, where that person was either using unapproved apps or downloading something that you have to wait to manage or hold that person accountable. But, when you go into agent report, like, somebody now has gone and enabled, let's say, multiple agents on a platform like Salesforce, that person leaves the company, who owns them; and how do we know that this agent is making the right decision?
David Moulton: Today I'm speaking with Jiphun Satapathy, SVP, Chief Information Security Officer at Medallia. Jiphun leads Medallia's global security strategy, driving transformation across product, infrastructure, and corporate environments, with over two decades of experience in product security, risk management, and engineering-led innovation. Today we're going to talk about secure browsers, workforce security, and how organizations can protect data while enabling productivity in a cloud-first hybrid work world. Jiphun, under your leadership, Medallia has helped global organizations navigate a really complex intersection of cloud, AI, application modernization, and cybersecurity. I'm wondering how do you balance those areas and then your clients' or your customers' business priorities?
Jiphun Satapathy: Yeah. I think the way we prioritize is by basically going back to some ground rules or first principles that we say. Right. So what's the main objective of security team or a cybersecurity team? Why do we exist? The first thing is empowering or enabling businesses to run their business smoothly, securely, safely, right? So how do -- how does that work? So that's one of the key objectives that I set with my team. So one of the things that we have done is, after I joined here, is identifying or determining what are some of the key priorities that we are going to focus. So how do you determine those priorities? So we take two major items into consideration. One is business objectives. What is business wanting to do? What products they are shipping for our external customers? What products or services like SaaS apps that our enterprise is adopting to increase productivity? That's like, you know, business drivers, right, internally or externally. Second thing is risk. What are some of the major risks that are out there in our environment and which one we should prioritize and why, right? In general, you want to prioritize based on the most critical ones that you can address, right? So those two drive our prioritization. So, for example, if we are now building AI apps and services for our external customers, we want to make sure that this is going through the right scrutiny; this is meeting the right security guidelines or the certification needs. So, for that, what do we need to do, what kind of tooling we need to bring in, what kind of processes, or how do we need to evolve the existing processes that can adopt this new use cases? Same thing internally. Like, for example, IT wants to roll out Google Gemini or ChatGPT or GitHub Copilot. These are all brand new use cases. So how do you drive that? So those are primarily how I see defining some of the themes which has helped us define our priorities.
David Moulton: So I was reading in the State of Workforce Security Report that I think it was 42% of employees are expected to remain remote. And I'm curious how Medallia adapts its security model in that reality.
Jiphun Satapathy: Yeah. So Medallia has been a remote-first company for a very long time, and we are still a hybrid work environment. So we fully support people working remotely. And we are a company of 2,000 about 2,000 people. And we are spread across multiple countries. Again, going back to the same principle of ensuring that Medallians get the right tools, products, and services that they need so that they can do their job, right. So, instead of forcing them to come to an office, what we do is we identify what are some of the key use cases, key challenges they face. So, for example, we want to make sure they're using Medallia laptops, right, Medallia and Medallia-provided endpoints. So how do we protect that endpoint so that whether they work remotely or in office, we have the right visibility, right protection on that? There are certain use cases. For example, our -- some of our employees interact with customer data directly. So just having an endpoint would not solve that problem because we need additional controls so that we can earn customer trust. So what kind of tools can we introduce there? So this is where the innovation angle comes. For example, Prisma access browser is helping us there, right? So, again, working backward from our employees' needs, their location, their current situation on whether they are working remotely or in office, whether they are full time or contingent workers, what are their roles and responsibilities, high-privileged users versus regular users. Using that angle, again, business need and security risks, we drive our current posture. So, again, we can go into specifics; but this is the primary driver which determines how do we support them while supporting this hybrid work environment.
David Moulton: Well, earlier you talked about some of the LLMs that are out there and then mentioned a number of different tools that different employees need. And I really like how you start with the end user, the employee, and then work backwards into, you know, what the experience is going to need to stay secure and earn that -- that customer trust, depending on the role. And just today a cohort of mine was talking about are we going to use something? Is it blocked? How do we go about having the productivity we want? The report was very clear that blocking access to some of the bring your own devices has a detrimental effect on productivity.
Jiphun Satapathy: Yeah.
David Moulton: And you mentioned, you know, you want to issue a device and make sure that you've got an endpoint control on it. But how do you go about ensuring strong security for those employees that want to bring their own device without absolutely frustrating users or turning them into folks that are clever in their way of getting around the security that you provide, and what you're really trying to do is protect them. What does it look like to get them to adopt what you're doing?
Jiphun Satapathy: Yeah. So I think, first of all, what we have done is identifying what are our critical infrastructure, critical systems and defining policies around it. For example, bring your own device and access GitHub, is that necessary? Probably not. You know, accessing production environment from your device, probably not, right? You would not do that.
David Moulton: Right.
Jiphun Satapathy: So, if you look at it, though, instead of going and setting a policy or principle saying all your working your devices are not allowed, that would be a major hindrance to productivity because, if you really look at it, depending on the org, a good solid 70 to 80% of the time they spend on their time on mostly SaaS or browser-specific apps and services, right?
David Moulton: Right.
Jiphun Satapathy: So how do we make sure we secure that when they are accessing those services from their devices? So what we have done is maybe segment some of our critical assets from not so critical assets, like production from corporate; enforcing VPN when you're accessing those strong or extremely critical systems. And that you have to use Medallia-provided laptop to do that. But, if you're accessing Slack, email, documentation, or some of these assets, you can access that from your devices because we are providing some additional controls on your endpoints, like either a browser or deeper monitoring on some of these SaaS services. So that has helped us, you know, meet user experience needs that our employees have while also having the right controls in place.
David Moulton: So it's a -- it's that flexibility. And then, as you're looking at something that's going to have a critical impact, if there's a problem that's more locked down, some of these other spaces that allow you to have, you know, communication -- we'll pick on Slack for a second -- that may end up being a space where monitoring is enough. But I can bring my own phone, or I could bring a device that, you know, makes sense for me to be able to flex where and when I work. So really similar to what -- what I see here at Palo Alto Networks with how there are certain things only going to work on a device that's, you know, shipped from our IT team; and then other things, you know, as long as we're willing to bring in a little bit of responsibility and control, we can get that flexibility we need. That works out really well to have that balance.
Jiphun Satapathy: Yeah.
David Moulton: Let's shift to talking about Gen AI -- I know you'll be shocked -- and maybe some of those SaaS apps and the browser-based workflows. This is a conversation that has come up over and over, and I'm more and more surprised about how often work gets done in the browser as opposed to in the application. Can you talk to me about the best practices that you'll have for maintaining visibility and control over browser-based activity.
Jiphun Satapathy: Yeah. I think the -- I would say the top of that list is adopting an enterprise browser in the first place. So I've done that here. I've done that in the previous company, Snowflake, as well, where we use enterprise browser. It is not fully enrolled -- sorry, enforced here at Medallia just yet, but we are in that journey. Right. So first thing is have an enterprise browser. Or, basically, the first big strategic goal that I would say to take enterprises to take is manage your browsers. The way you want to manage your browsers is, first, go use enterprise browser, which would help you manage all critical apps going through, let's say, some sort of single sign-on or IDP enforced through that browser. So you don't have to deal with patching or updates for those browsers. You can set policies. So managed browsers or enterprise browser is one, top of the list. Second one is, I have been in the -- with companies where we don't prevent people from not bringing their own device or not using company provided devices for reasonable personal usage. So we have not enforced the rules saying enterprise browser is the only thing that you can use. But we also don't want to say you can use 20 other different types of browsers. So manage the non-enterprise or non-secure browsers, in this case, two or three. That is the second one. How do you manage unmanaged or somewhat, you know, consumer browsers like Chrome or Safari or Firefox. Have a plan for that. Manage extensions. If you -- do you know that -- how many extensions are being used by employees within your company? If it is an enterprise or secure browser, you can absolutely manage that effectively because that's coming from IT. But, if it is a consumer-grade browser, you have to have mechanisms to manage that. So that is the third thing that we have done. Enforcing single sign-on, something that we have done.
So you -- if you want to procure any SaaS service and you want to access, you have to go through that single sign-on. And then we enforce enterprise browser on top of it. So you can do that. The other best practice is, if you are using some sort of endpoint protection solution, then having the visibility and setting policies, right, like, for example, what URLs can you visit, what systems you can access, somewhat like a zero trust architecture in place where you want to validate the user location, user behavior, purpose before granting access to some of those critical resources. So those are few things that I would recommend.
David Moulton: So let's shift to the Gen AI tools because this is one that over and over when I get feedback for the show I'm hearing about. You know, a lot of times you have, like, really limited oversight into how employees are interacting with the Gen AI tools. And I'm curious what risk do you see emerging from this lack of visibility?
Jiphun Satapathy: Yeah. I think one of the biggest challenges that we are facing with this Gen AI tools, first of all, the risk posture is constantly shifting because the capabilities or use cases that are coming is constantly evolving, right? You know, every month we see a new scenario, new use case with this Gen AI or AI tools, right? So the first thing, the challenges that we see is, in general, generic tools, or agentic AI, is now have the capability, even if human in the loop, to reason and also make decisions to call different tools, right, the tool calling that it can do. So the biggest risk that I see is -- some of the biggest risks that I see is, again, customer data or employee data being used by tools that it was not meant to be used. For example, if, let's say, we are using Google Workspace and we suddenly roll out Gemini, there are so many capabilities that come in Gemini every day or every week, every month. It is very difficult to stay on top of it. We might have only rated the use case where somebody just, you know, a Google Workspace and ask for summarization or email summarization. But what happens if there is a new Gen AI capability which generates video based on your campaigning email? And there you go. So this -- these are all the new use cases. So one of the biggest challenges is that the unknown or the new use cases that we are seeing, and security teams are still playing catch up in regards to how -- what should be the policy, what should be allowed, what should not be allowed. How do we get the visibility of their activity? So we have implemented certain mechanisms and Palo Alto Networks Prisma Access Browser is SASE solution is helping. So at least getting a visibility of what sort of those Gen AI apps or AI apps that our employees are using, what are some of the high-level activities that they are doing? But we are still early in that journey.
David Moulton: How do you see the convergence between a secure browsing environment and SASE helping organizations close some of those gaps that you're talking about?
Jiphun Satapathy: Yeah. I see these are very complementary. Browser, secure browser is more like the -- more like the endpoint or the interface between a user and browser-based apps and services. SASE I feel like is the more like the backend engine or the data layer, security data lake layer, which can comprehend data from multiple sources about an enterprise, especially about user activities; the systems; the access policies; the separation between let's say production and enterprise; crown jewel, non crown jewel. So you can use that data to set policies for users when they are operating in the browser. So, for example, if suddenly we get to see certain risks or breaches from certain environment or certain GEOs that SASE should be able to inform, and we can set certain policies, access policies within the browser; so maybe users using that browser from a certain location are prevented from downloading files versus copying files. Now let's say we're also using not just full-time employees but contingent workers, and we want separate policies for contingent workers because we don't provide them a laptop that they work on, right. Like, for example, if an endpoint detects malware or vulnerabilities on an endpoint, then we can set certain policies that, hey, this endpoint device where the browser is running doesn't meet the security part that we expect from our endpoint. So the policy changes, right? So you can enforce the employees to either patch, update, upgrade your browser, things like that. So I see these are extremely complementary in regards to implementing a, you know, controlled environment --
David Moulton: Right.
Jiphun Satapathy: -- while not disrupting user experience.
David Moulton: So let's talk about some of the persistent threats that are out there with Unit 42 where we're always reporting on things like phishing and malware, BC credential threat in our -- in our research and our threat articles, and I'm sure you're seeing some of the same problems. How do you protect your users from phishing, from credential theft, from malware that target the browser layer?
Jiphun Satapathy: Yeah. I think you talk -- those three are the top three reasons for any breaches. I mean, we talk about Gen AI specific risk, all the modern threat vectors that we are seeing. But many times, if you look at the breaches or recent major issues, like just talk about NPM. That happened two days ago, right? If you look at it, the root cause of that is actually an account compromised through a phishing attack, right? Yes. Somebody got into that account, and that resulted in introducing malware, but not necessarily there was any bug in NPM, right? So we are still dealing with those basic issues in regards to having a strong phishing resistant system, managing credentials, and fixing vulnerabilities. So specifically in the context of browser, what we have done is, first of all, enforcing strong MFA and strong authentication, right? So you definitely want to have MFA in place but not just any MFA. Want to have some sort of strong MFA in place, which reduces -- reduces your man in the middle of phishing attack vector quite a bit. That is one. So you want to make sure that that's happening through the browser. First thing that we do. Secondly, managing browsers, as I said. Whether it is enterprise browser or non-enterprise browser, you need to manage that. And we know for a fact that we somehow take managing endpoint is more important than managing browsers. But 85% of your employees' time is spent on the browser. So we need to treat that browser as a completely separate endpoint and manage it effectively. What does that mean? It is patched. It is updated. Extensions are fully controlled. You don't want people willy-nilly add any number of extensions that you want. Extensions are another major source of introducing malware into the system, right? And, lastly, credential. Manage your credentials. Have the right credential or -- yeah, credential detection tools in place which would help detect them in the first place.
So these are some of the preventive controls that we have in place, in addition to, obviously, threat intel or detection capabilities to, you know, see what's out there in the dark web in regards to, for example, credentials and things like that. That is just controls. In addition to that, we run campaigns internally to detect how prepared our workforce is, for example --
David Moulton: Okay.
Jiphun Satapathy: -- about phishing or any sort of attack. And, lastly, training. I would say continuous training is something that we have done.
David Moulton: Let's talk about how to balance security and user experience. You know, at the beginning of our conversation, I asked you, if looking back you're realizing the solutions you built were maybe a headache for the folks in security. And that's a bit of a confession, right, because I look back and think about the times that I leaned into building software or experiences that would delight someone. And a lot of times it was removing friction at any cost and not necessarily thinking through, like, well, it might delight you the first time. But, when it's immediately hacked, or it's a type of experience that makes it easy to get into your bank account for anyone, that's not a great experience in the totality of things. So I want to get into this area. I'm personally interested in it, and I'm curious what your criteria is when you're evaluating tools that aim to secure work but not degrade productivity or that overall user experience.
Jiphun Satapathy: Yeah. That's extremely important. In fact, I would say security teams need to start there. And, believe it or not, in general, that's the case. But we fail to highlight that point. We only talk about the security language we means the -- I'm talking about, in general, security teams and cybersecurity teams like to sell with the angle of risk and how their proposal or how their solutions or the tools can solve that risk, which in general, is not very exciting for everybody in the company, right? So I think we need to absolutely highlight the user experience benefits that we will get. And anytime I am talking to a tool or a vendor, a tool owner or a vendor, that is one of the key elements, like, how does it enhance. I'm not even saying it should not degrade. My ask is it should enhance user experience. Secondly, operational overhead or the productivity hit that it's going to have both on the team who is going to own it, manage it; and both on the teams of the users who are going to use it. Let me give you an example. Like, you know, we talk about strong authentication or strong MFA. So one of the things I've done in the past is enforcing some sort of FIDO2-based or biometrics based multifactor authentication, right? So, in general, companies do have MFA in place; but that's more like a push-based notification. Right. So you need your phone. You get a something like an Okta Verify or something. Then you go do that, but you completely replace that with something which is biometrics-based. These days, all the laptops, Macs or Windows, they do come up with -- come with hardware already installed in it. So why not leverage that? So, when you go and tell that story to the user base, saying, Hey. We are introducing a new way to do MFA where you would not need that second device. All you need is the same device. And you don't need to change your password 90 days for six months.
Rather, we will let you rotate it every year or maybe never because we are going passwordless. And, in return, you ask for them to go through that activation one more time. I don't think they will push back. They said, Okay. This is really helping. But you are presenting to them where you are saying not it's -- they don't need to know why you are introducing it. From the security side, I'm introducing that because I want to reduce the man in the middle likelihood attack vector or the phishing. I want to build phishing-resistant system. They don't need to know that, right? They are basically more interested in how their UX is getting better. So they will support that. Same thing on when you are talking about enterprise browser. I think I have done that now a couple of times, so I know some of the challenges that you're going to face. Forget about just rolling it out. When you enforce, you tell the world that, hey. You must use this new enterprise browser for all your work-related activities. Immediate question comes, why do we need to do that because there are already consumer browsers like Chrome and others, which are used by billions of users. So how do you convince them to move from that to something which is completely new, right? So you highlight what are some of the challenges, and you reduce the burden on them. Today, if somebody is using a Chrome browser or Firefox or Safari, unless IT is managing that effectively, we rely on users to update that, patch that, and things like that, right? You take that completely away from them, as in you don't have to do anything about it. And your experience with browser -- browser doesn't change because this is built on the same, you know, Chrome engine or something like that. So you're basically highlighting user experience. So user experience is extremely important. You will not succeed. And user experience or developer experience, similarly, if you're introducing new tools and development, too, right?
So user experience, developer experience is extremely important if you want to succeed in changing process mechanism, behavior practices by introducing new tools.
David Moulton: Let's look to the future a little bit. What's the biggest cybersecurity challenge in securing the modern workforce that you see over, say, the next year or two?
Jiphun Satapathy: Yeah. I think some of the basics unfortunately continue to stay the same. So I'll not go through that, like, credentials continue to get leaked. Vulnerabilities continue to remain in our environment. Phishing continues to be one of the top reasons for breaches. So we're all evolving there. That's a journey, depending on companies' maturity. Depends on their ability to defend against those threat vectors. But I think the biggest one that I see right now is basically the adoption of agents, or AI agents, or workflows, both in corporate and -- sorry, enterprise, as well as products that we are building. The challenge here is -- one angle is, again, one can question that why is it any different than shadow IT? We have not solved that problem. Then we came to shadow AI. We have not solved that problem. But with shadow IT, at least there is one angle is there is at least a human involved, where that person was either using unapproved apps or downloading something that you have a way to manage or hold that person accountable. But, when you go into agent equality, if somebody now has gone and enabled, let's say, multiple agents on a platform like Salesforce, that person leaves the company, how do I know those agents are -- who owns them after that?
David Moulton: That's a great question.
Jiphun Satapathy: Who owns them? And how do we know that this agent is making the right decision? I know many frameworks are coming up, many tools are coming up to content. But I feel like the use cases or the innovation that is happening in that space or what these agents can do is far outpacing than what tools we're building to defend against those threat vectors. So that's, to me, is going to get worse, as I see, at least in the short-term, before we figure out how to contain it.
David Moulton: If you could speak directly to your counterparts in roles like yours, what's the one shift in thinking that security needs to make in preparing for what's next?
Jiphun Satapathy: Yeah. I think we need to take a step back at times and question some of the existing processes that we have built. Is this scaling to new world of AI, or adoption of it, is what I would say. Look at your current vendor risk assessment process. So is it scaling? Is it moving fast enough? Are we looking at the right things? We probably need to drop or stop doing certain things. Like, you know, when we talk about, let's say, application development, we say we want to put the right SSCLC in place. But the processes are extremely slow in comparison to what teams are building. Right. If you're -- 60% of your code is getting generated by GitHub Copilot and you are doing a threat modeling exercise, it's just too slow. There is no way you can do that, right? So the way I would say is we need to take a step back and see the existing processes. How do we either not do it or do it completely differently? And I would heavily lean on the new innovation, especially in the AI space that is happening, the tools that are coming to tackle that challenge. So that's the shift that all of us need to do is what I would -- I would call.
David Moulton: I think that's really well put. We're not looking at a marginal or percent change as we look at this, especially the agent space. It's going to be significantly different. And to think that we can just move faster and follow the same policies, follow the same thinking and not innovate alongside some of the innovation that's going on in the AI space is wild thinking to me. So great advice. Jiphun, thanks for the conversation today. I really appreciate you sharing some of your insights on secure browsers and then digging into what it looks like to have a great user experience from those that you spend your time protecting and thinking about, you know, how do you keep us from clicking on the wrong thing, opening up the wrong thing, putting the business or their customers at risk. You know, it's really important work to secure the modern workforce.
Jiphun Satapathy: Yeah, absolutely. Thank you, David, for this conversation. It was fun.
David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen; and leave us a review on Apple Podcast or Spotify. If you want to reach out to me about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Original music and mix by Elliott Peltzman. We'll be back next week. Until then, stay secure. Stay vigilant. Goodbye for now.