Threat Vector: Securing the Modern Workforce – Lessons from Medallia’s CISO
Podcast: Threat Vector by Palo Alto Networks
Host: David Moulton (B)
Guest: Jafun Sapati (A), SVP & CISO, Medallia
Release Date: December 4, 2025
Episode Overview
This episode dives into modern workforce cybersecurity, focusing on strategies to secure hybrid and remote workers, best practices around browser-based workflows, the challenges and risks of generative AI (GenAI) adoption, and how to balance security with user experience. Medallia’s CISO, Jafun Sapati, shares actionable lessons from the frontlines of defending a global, cloud-first workforce, including insights on secure browsers, SASE, and organizational approaches to persistent threats like phishing and credential theft.
Key Discussion Points & Insights
1. Setting Security Priorities: “Business Needs and Risk Drive Everything”
Timestamps: 02:27–04:35
- First Principles: Medallia’s security mission starts by enabling business to function safely, not just to “block threats.”
- Dual Focus:
  - Business Objectives: What products/services customers need, what productivity tools employees want.
  - Risk Factors: Which risks are most critical? Prioritize accordingly.
- Example: When adopting or building new AI apps, priorities shift to scrutinizing these for compliance and security ("…if we are building AI apps and services for external customers, we want to make sure this is going through the right scrutiny, meeting the right security guidelines…" – A, 03:20).
2. Securing the Hybrid & Remote Workforce
Timestamps: 04:53–06:48
- Medallia’s Context: Remote-first for years; 2,000 employees globally.
- Security Posture:
  - Equip all employees with managed laptops (“Medallia laptops”).
  - Protect endpoints, regardless of work location.
  - Adopt tools like Prisma Access browser for added security, especially with employees who handle customer data.
- Quote: “Working backward from our employees' needs, their location, their current situation… what's their role… High privilege users versus regular users… business need and security risks will drive our current posture.” – A, 05:41
3. Bring Your Own Device (BYOD): Pragmatism over Prohibition
Timestamps: 07:35–09:47
- Policy, Not Blanket Ban:
  - Restrict BYOD for sensitive systems (like GitHub or production environments).
  - Allow BYOD for less critical tasks (e.g., accessing Slack, documentation), with stricter controls and monitoring.
- Quote: “Instead of… saying all your bring-your-own devices are not allowed, that would be a major hindrance to productivity. A good solid 70 to 80% of their time is spent on SaaS or browser specific apps…” – A, 08:21
4. Securing the Browser – The Real Endpoint
Timestamps: 10:45–14:42
- Enterprise Browsers: Top recommendation is to enforce use of managed, enterprise browsers (not fully enforced yet at Medallia, but in progress).
- Why It Matters: Browsers are the primary interface for most work; managing, patching, and centrally controlling browsers is as critical as endpoint security.
- Best Practices Include:
  - Enforce enterprise browser use for sensitive workflows.
  - Control which “consumer” browsers (Chrome, Safari) are allowed.
  - Manage and restrict extensions.
  - Enforce single sign-on (SSO) and zero trust policies.
- Quote: “85% of employee time is spent on the browser. We need to treat that browser as a completely separate endpoint and manage it effectively.” – A, 21:05
5. Generative AI: Shifting Threat Landscape
Timestamps: 14:42–17:12, 28:34–30:02
- Pace of Change: New AI/GenAI capabilities & use cases appear almost weekly, making risk management a moving target.
- Key Risks:
  - Accidental exposure of sensitive (customer/employee) data through AI tools.
  - Difficulty staying ahead of “unknown unknowns.”
- Visibility Challenges: Security teams must play catch-up; solutions like Prisma Access browser and SASE help, but the journey is ongoing.
- Quote: “Security teams are still playing catch up… getting visibility of their activity… we are still early in that journey.” – A, 16:51
6. SASE and Secure Browsing: A Complementary Duo
Timestamps: 17:12–19:29
- How They Work Together:
  - Secure browser = the user interface & first line of defense.
  - SASE = backend intelligence, aggregating data, driving adaptive policy (geo-based controls, contingent worker policies, endpoint health checks).
- Quote: “These are extremely complementary for controlled environments while not disrupting user experience.” – A, 19:21
7. Persistent Threats: Phishing, Credential Theft, Malware
Timestamps: 19:29–22:46
- Breaches Still Start with Basics: Even modern attacks often trace back to credential compromise, phishing, or unpatched endpoints.
- Defenses:
  - Enforce strong MFA (preferably FIDO2/biometric, not just push notifications).
  - Treat the browser as a managed endpoint.
  - Control browser extensions.
  - Run internal phishing and readiness campaigns, plus continuous training.
- Example: “If you look at the npm breach… root cause… was an account compromise through a phishing attack.” – A, 20:17
8. Balancing Security with User Experience
Timestamps: 22:46–27:46
- User Experience is Not Optional: Security should start by asking, "How does this tool enhance user experience?" If it doesn’t, adoption will fail.
- Strategy:
  - Present security changes as usability improvements (“…a new way to do MFA where you wouldn’t need a second device…”).
  - Reduce, not add, burdens for users (auto-patching, familiar interfaces with new browsers, passwordless logins).
- Quote: "You highlight user experience… You will not succeed otherwise." – A, 27:24
9. Future Challenges: Shadow IT, Shadow AI… Now Shadow Agents
Timestamps: 27:46–30:02
- Persistent Problems: Credential leaks, vulnerabilities, and phishing remain foundational issues.
- Emerging Threat: The proliferation of AI agents and workflow automations is accelerating faster than defensive tools.
- Key Question: “When you go into agentic AI… someone has enabled multiple agents on a platform like Salesforce. That person leaves the company—who owns them? How do we know that this agent is making the right decision?” – A, 28:38
- Outpacing Defenses: Innovation in AI/agents is moving faster than security tools and policies can adapt.
10. Final Advice for Security Leaders: Rethink Your Legacy Processes
Timestamps: 30:02–31:36
- Call for Change: Regularly question whether traditional processes fit the speed and complexity of the AI/agent-enabled future.
- Quote: "We need to take a step back and see the existing processes. How do we either not do it or do it completely differently?... I would heavily lean on the new innovation, especially in the AI space." – A, 30:24
Notable Quotes & Moments
- “The way we prioritize is by basically going back to some ground rules or first principles...” – A, 02:27
- “Instead of… saying all your bring-your-own devices are not allowed, that would be a major hindrance to productivity…” – A, 08:21
- “85% of your employees' time is spent on the browser. We need to treat that browser as a completely separate endpoint…” – A, 21:05
- “The challenge here is… at least with shadow IT there’s a human involved… But with agentic AI, who owns those agents after someone leaves the company? How do we know that agents are making the right decision?” – A, 28:38
- “We need to absolutely highlight the user experience benefits… My ask is it should enhance user experience.” – A, 23:59
Important Timestamps
| Segment | Timestamp |
| --- | --- |
| Medallia’s security priorities | 02:27–04:35 |
| Adapting security model for remote/hybrid workforce | 04:53–06:48 |
| Pragmatic BYOD security approach | 07:35–09:47 |
| Managing browsers and browser-based workflows | 10:45–14:42 |
| Risks in GenAI/agent use and lack of visibility | 14:42–17:12 |
| SASE and secure browser integration | 17:12–19:29 |
| Defending against phishing, credential theft, malware | 19:29–22:46 |
| Balancing security and user experience | 22:46–27:46 |
| Anticipated future challenges with agent-based tools | 27:46–30:02 |
| Advice for security leaders on adapting processes | 30:02–31:36 |
Summary
This episode provides a comprehensive look at how security leaders like Medallia’s CISO are rebuilding their playbooks for the realities of remote/hybrid work, SaaS-first workflows, and a GenAI-enabled world. Key themes include managing and securing browsers as primary endpoints, enabling flexibility without losing control, adapting to perpetual change in AI, and putting user experience front and center in all security initiatives. The conversation closes with an urgent call for security teams to ruthlessly rethink legacy processes to keep pace with the scale and speed of change.
