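Content provided by Raj Krishnamurthy. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Raj Krishnamurthy or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://ko.player.fm/legal.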

Why Security And GRC Teams Must Act Like Service Teams ft Jiphun Satapathy from Medallia

1:13:21
 

Jiphun Satapathy has built and scaled security organizations at AWS, Snowflake, and now Medallia. In this episode, he joins our host Raj to explore the evolving role of CISOs as strategic business leaders. They discuss the importance of treating security as a service organization, how to handle vendor noise, and why insider risk is often overlooked. You’ll hear practical advice for security and GRC leaders working in AI-first, high-growth environments—and how to maintain trust across engineering, compliance, and executive teams.


Key Takeaways

  • Security as a Service Function: Security should empower—not block—the business. Jiphun shares how his team supports product, engineering, and sales.
  • Vendor Engagement Matters: CISOs who ignore vendors miss out on innovation. But filtering the noise is key.
  • Insider Risk is Real: Not rogue employees, but everyday developer behavior is a top source of risk.
  • Modern GRC Requires Technical Fluency: Especially in AI-first companies, GRC teams must understand the tech stack to stay relevant.
  • Earn Trust Through Action: Metrics matter, but culture and execution are what build credibility with boards, customers, and engineers.

What You’ll Learn

  • How to build a risk-based security roadmap that keeps pace with rapid development
  • The role of security in shaping culture across a global org
  • How startups can engage CISOs without falling into FUD tactics

This episode is brought to you by ComplianceCow — the smarter way to automate compliance and monitor controls.

-- Learn more at compliancecow.com
-- Connect with Jiphun on LinkedIn: linkedin.com/in/jiphunsatapathy

🎧 Rate, review, and share if you enjoyed the show!
🎙 Subscribe to Security & GRC Decoded wherever you get your podcasts: Spotify and Apple Podcasts

(Approximate) Timestamps:

  • [00:01:48] Jiphun challenges CISO aversion to vendor engagement
  • [00:03:25] Filtering vendors based on prioritized security needs
  • [00:06:24] Empowering teams with bottom-up decision-making
  • [00:08:15] Driving culture change and making security a productivity enabler
  • [00:11:33] MFA example showing how to improve both security and UX
  • [00:15:25] Treating internal stakeholders as customers
  • [00:21:02] Measuring risk with frameworks and metrics
  • [00:30:22] Using automation to align security cadence with CI/CD pipelines
  • [00:32:47] Insider risk and why it belongs on board slides
  • [00:42:33] Empowering devs by reducing vulnerability noise
  • [00:51:22] Why healthy paranoia is essential in AI adoption
  • [00:56:51] Why GRC teams must be technical in AI-first environments
  • [01:03:15] Advice to security startups: stop with the FUD
  • [01:07:02] Coping strategies for CISO stress and burnout
  • [01:09:60] Books and mentors that shaped Jiphun’s leadership journey
