Voices of the Vigilant

Speaking Security: Leadership, Language, and Learning to Pivot

Jess Vachon Season 2 Episode 4


Security fails when it’s written for auditors instead of humans. Jess Vachon sits down with cybersecurity and privacy leader Ash Mohanaprakas to unpack how the best security programs feel practical, lightweight, and deeply aligned to the mission, even under pressure. Ash shares how she helps organizations turn security from a cost center into a strategic advantage that supports enterprise deals, customer trust, and acquisition readiness.

Ash’s story is anything but linear: an Oxford-trained linguist, a first-generation immigrant, and one of the only undergraduate student parents during her time there. We talk about how language and identity shape the way people interpret risk, why “translation” is an underrated security leadership skill, and how her early governance, risk, and compliance work at a huge university taught her to design controls that researchers can actually live with. The conversation also gets candid about imposter syndrome, early-career salary constraints, and the confidence that comes from learning hard frameworks by doing real work.

From ISO 27001 to SOC 2, we dig into what companies get wrong when they overbuild compliance with endless policies, and what to do instead when you need scalable security with minimal friction. We also tackle AI security and AI governance: why “AI-first” is not a differentiator, how to think about agentic workflows, and where AI can genuinely reduce repetitive GRC tasks so humans can focus on complex risk decisions and culture.

If you care about cybersecurity leadership, pragmatic compliance, risk management, board communication, and building security programs that scale, this one will land. Subscribe, share this with a security leader who’s drowning in documentation, and leave a review with the most “unread policy” moment you’ve seen.


https://www.vigilantviolet.com/
www.linkedin.com/in/jessvachon1

Jess Vachon: 00:34

Hey, hello everyone. Welcome back to the show. Today's guest is a cybersecurity and privacy leader who helps organizations turn security from a cost center into a strategic advantage. With 13-plus years across Medtech, SaaS, and the public sector, please help me welcome Ash Mohanaprakas. She has built security functions from the ground up, led organizations through ISO 27000 and SOC 2, supported enterprise deal wins, and guided companies through acquisition readiness without friction. An Oxford-trained linguist and one of the only undergraduate student parents during her time there, Ash brings resilience, clarity, and a translator's mindset to modern security leadership. Ash, welcome.

Ash Mohanaprakas: 01:20

Thank you. And what a lovely intro you've done as well. I appreciate that.

Jess Vachon: 01:25

Yeah, pretty easy to do the intro because you have just an amazing background. So, let's dive into that a little bit. I highlighted your background, but it's not a straight-line career path. It's really like a power curve to get to where you are today. So, let's start there. When people hear your CV or read your CV, they see credentials. When you look at your journey, what do you see?

Ash Mohanaprakas: 01:51

Do you know what I see myself as a lot more? I went through this in the last kind of six months to a year in terms of looking back and seeing who I am, right? Because I know I've spent my career working in both kind of public sector as well as private and in consulting. And when you are there, I find that you need to have certain certs to, you know, flash around so you can get the job done. But ultimately, when it comes down to it, I think what I am is a very pragmatic human who's very easy to work with, who understands and gets the leadership kind of challenges where they're like, right, this is the objective of the company, this is the mission, this is what we want to do. And I try and see where security can fit in. And ultimately, that's all I've done, which has got me where I am, which is really nice as well.

Jess Vachon: 02:43

That pragmatism is so important. And I'm going to ask you, share my opinion, then I'll ask you your opinion. So, I find probably half of the people in our profession are not pragmatic because they've studied what's supposed to be the perfect security or governance setup for their organization, but that's not reality. What are your thoughts on that?

Ash Mohanaprakas: 03:10

I completely agree. I've got to say, I started my career in cybersecurity at a really large organization, you know, University of Oxford. I graduated, stuck around, and kind of found myself in this governance, risk and compliance officer role where I was learning as an underfill what cybersecurity was and is. But what I was recruited to do was solve a very real challenge of researchers not being able to access research data from NHS Digital in the UK, who are national data custodians, because the researchers themselves, you know, there's thousands of research groups that are being funded by the University of Oxford every year, and they don't all have the capacity or the resources or the specialism or understanding to demonstrate that, hey, how we're doing our data management actually meets the requirements for the data security and protection toolkit and NHS Digital. And I was brought in to solve that particular challenge in terms of saying, hey, what are you doing at the research side? Let's figure out how you're storing the data, let's understand the data flows and demonstrate to the university and the national data custodian how this is actually secure enough and what you're doing is actually really valuable. So that was what I was brought in to do, and I really enjoyed that, and I managed to set this up, and it's kind of one of my biggest accomplishments, I think, because if anybody's worked in a company with like 10,000 people, doing anything is quite challenging. And to do it within, you know, a year and a half, two years, while also picking up what cybersecurity is all about was actually probably one of the toughest things I've done. But, you know, not as tough as being a student parent. So, there is that.

Jess Vachon: 04:57

Yeah, we're going to cover all that. But having done security work for universities in my past, no one screams louder than researchers who can't get the data. They don't like restrictions to begin with, but if they absolutely can't get to the data, they can't accomplish what they're paid to do or what they're setting out to do. And I'm sure you had a lot of pressure that went along with making that happen for them. And I'm going to guess that you got a lot of kudos after the fact for making it possible.

Ash Mohanaprakas: 05:29

Luckily, yes. And it is, you know, the university had at the time about 260 million pounds in annual research income, a significant percentage of which was not getting spent in a timely manner because the researchers were struggling for 10, 12 months on how to fill out what looks like an Excel spreadsheet, which is actually underpinned by so many other things, and to have to demonstrate, like, yes, this is a unified university application, because that's obviously the level that they would recognize. And it's kind of packaging all of this good work into a very cut-and-paste kind of format of, you know, NHS Digital data, which was originally designed for hospitals and opticians and, you know, podiatrists and so on, who are handling health data in a different way.

Jess Vachon: 06:20

So, when we're talking about pragmatism, right, we have to be pragmatic about how we present security controls to the people who have to work through them. A great example of your pragmatism right there. Yeah, so you studied linguistics at Oxford. What drew you to language in particular?

Ash Mohanaprakas: 06:42

I have to say I'm a first-generation immigrant to the UK. So, I moved to the UK with my family because my mom was a nurse and she used to work abroad and then she worked here, and I grew up in India until then. So, coming to the UK in a, you know, small little corner of East London, which has a very multicultural population, it is compiled with, you know, Cockney accent and loads of different people saying lots of different things. I felt quite overwhelmed my first year, but, you know, somehow while figuring out how to do English beyond, you know, you can read and write, but it's not the same as hearing a person speak at different speeds and with different words and trying to, you know, decode that. So while I was doing that, I also decided to apply the same framework to learning Spanish, no, French and German, and people realized by year eight I'd gotten to the same level of fluency in English as well as French, and they kind of put me onto GCSE French, and I did German and Spanish GCSE as well, which is, you know, your kind of year 16 in education, kind of high school education. And I didn't do anything for A-levels because again, I was a 16-year-old, you know, trying to figure out, floating through life, kind of going where things take me. And I happened to attend a gifted and talented session at the sixth form where I went. And there was an academic from the University of Oxford there, and he was like, “Well, looking at your kind of profile, why did you not do any A-level languages?” And I felt like, well, nobody really told me I had to. So, I just picked the subjects that I thought, you know, my friends were doing or ones that I thought looked interesting. So then that kind of turned me back into looking at languages, and I was like, okay, great. I do have an interest in linguistics. I know I can't necessarily do university-level languages because the expectations are different, but I can very easily, hopefully, pick up another language.
And so, I did Portuguese from scratch again, and also linguistics, which I loved, and I do not regret it at all because I fell in love with more of the literature than linguistics by the end of the degree, I've got to say.

Jess Vachon: 09:02

Yeah, I'm sure. So that's what, six, seven languages you speak?

Ash Mohanaprakas: 09:07

Six, I would say. I've forgotten most of my German, but, you know, still, that's an amazing accomplishment as someone who only speaks one language and has been challenged to learn another language.

Jess Vachon: 09:15

Six is just amazing, truly amazing. Do you think that your love of language has to do a little bit with power and/or your ability to communicate more broadly to other people? And did you feel that was a way you were establishing yourself, like your presence among others?

Ash Mohanaprakas: 09:42

It's an interesting one, and I know I was very conscious growing up about where I belonged, what my identity was, how I was perceived, and more than anything, because I could understand, as an English-as-a-second-language speaker, I could understand the difference in how I was able to connect with a person when they spoke to me in English back in 2003 or whenever, versus when they spoke to me in my native language, and I just reversed that and thought about the person on the other side, and I was like, well, if I'm able to pick up some more languages, I can connect with that individual on a different level by speaking their language than I would if we just spoke a common language that was neither of our first language, and that kind of set me off. And I'm like, more than anything, I'm really curious about how we build connections, how we, you know, we are who we are because we think the way we do, and the way we think is defined in some part by the language that we use and how we frame ourselves, and it kind of gets a little bit philosophical. But I thought at the very least, I can try and endeavor to understand more people using the skills I've got to learn the languages, right?

Jess Vachon: 11:02

That's such an important piece, and I think we'll get to it a little later in our conversation. But having that skill and, more importantly, that understanding of context based upon how someone is bringing their lived experiences forward is crucial to being a good public citizen. But how much power that brings to you as an information security professional, I just have to think that's incredible, especially if you're working in support of global organizations, right?

Ash Mohanaprakas: 11:35

Yeah, yeah. 100%. I think it's been one of my most valuable skills to just be able to drop in something. It helps me build connection at the very least. And I love being able to, you know, that helps me be a culturally aware, context-aware person who can understand some of the frustrations that people who are outside of what the majority tend to, you know, consider as the normal think, feel and do. And, you know, I've got to say that's probably what got me into cyber in a more detailed way, because I was like, well, you're applying the same concepts, but in the context of technology and cybersecurity, and everything is like a different language, and you're speaking all these words, but at the bottom of it, it's about how you're kind of doing the CIA, right? Confidentiality, integrity, and availability, and it's about teasing all of that information out in the ways that work for the people that I'm speaking to.

Jess Vachon: 12:32

Absolutely. It's beautiful the way we're going through this conversation because I'm seeing like all your building blocks leading up into cybersecurity, and it makes so much sense as you're telling your story. So being one of the only undergraduate students at Oxford with a child, you’re a parent at that time, that's not a small experience. That's big, right? You're carrying so much that you're trying to do and you're responsible for so much, and on top of this, you have deadlines to deliver different things. How did that season of your life shape your resilience?

Ash Mohanaprakas: 13:09

I have to say, if I hadn't gone through what I did, I think I would have been a completely different person, in that I'm generally, you know, I look back and sometimes, you know, I reminisce and I have a sort of, not quite a malady. There's a Portuguese word for it, saudades, which is essentially, you know, missing the past, but also not quite; you're kind of thinking about the good memories, but you also know you're in a place where you are, which is slightly different. And I'm very grateful that I met the love of my life when I did, and, you know, also had my son when I did, because I feel like becoming a mother turned me into this person who was like, well, now I'm not just responsible for my own life. I can't just float through life, and we are where we are. And I've got to try and, you know, I had a bit of a drive in the first 10 years where it was like, culturally, because I'm Asian, you know, my parents weren't necessarily happy. The community had a new sort of gossip because I was obviously this golden child in the community who went off to Oxford from, you know, state schools with not very great reputation at the time. So, when I got pregnant, everyone's like, why are you throwing your life away? And I was like, you know what? Look, it's my life, and I will show you life happens the way it needs to. Maybe I just need to walk that path. And it was one of those things that drove me to actually go, look, I can't necessarily just float through life. And at every single stage when I was navigating my early career and also my degree, it was kind of like I had to make those really, really harsh, but, you know, needed, pragmatic choices around whether I would spend hours and hours in the library and try and go for a first, or whether I go, you know, a 2:1 is good enough. And that is what it will be and the max that I will get.
But, you know, what I'm not losing out on, whatever time I don't spend in the library, essentially, is time that I get to spend with my son. And actually, raising him was one of the most important things I could do, because raising a well-balanced, you know, human being is one of the ways we can like perpetuate goodness and make the world a better place. So, I had to balance those. And by the time I got to my, you know, graduation and starting the work life, I was like, let me get any job, we'll make it work. I moved around like four different jobs in my first year at the university, and because it was a large enterprise, I was actually happy to spend three months here, three months there, do like two part-time gigs just so I get to see the same ERP or the CRM from two different angles, two different roles that kind of enhanced my knowledge, made me really try and grasp the whole concept of relational databases, which is how I was like, okay, this works, this is a thing, and everything makes sense and everything's connected, and then there are like different layers to do with the technology. And, you know, I kind of went deep in on it and it was really great. But every time I would, you know, I had colleagues who would stay their whole career or spend a few years in a role, and I made the choice that, you know, like I can't afford to do that because I need to increase my income so that I can pay the child care fees, to be honest. And you know, you kind of have to keep pushing yourself. And every time it was like, “Yes, I am afraid, I might lose out on this, but at the same time, I've just got to go through it and see it as an experience”. And if I come out the other end, well, I am going further in my career. And that's, yeah, got me a long way.

Jess Vachon: 17:05

I like that. I like how when everyone was like, “What are you doing?” You're like, “hold my beer, I got this”. And then you just march forward. But not only that, I have to think that relatively early on you developed your resilience and you also developed your work-life balance because you had to; you didn't have a choice, you know. And then you mentioned that once you get it going on that pace, you realize, oh, you know what, I need to kind of keep going because I need to improve my living circumstances, not just for me, because now I have other people that are dependent on me. So, I can see also not just building up your skills as a parent but also starting to build your leadership skills and how to coach, enhance, and guide others in the work that they're doing. So the story so far, as we've been into it, is just amazing, and it should be inspiring for anyone who, you know, finds themselves in similar circumstances and/or is starting out in their career, because you're talking about a path that is non-traditional but can still be successful in getting to where you want to be. And that's huge.

Ash Mohanaprakas: 18:12

Thank you, and I hope so too, because that was one of the reasons as well, you know, when I got pregnant, I looked around and I couldn't see anybody who looked like me, who was my age, who was having babies and actually having a successful career out of it. I knew nobody at the time. And everyone I did know from my childhood were, you know, being hairdressers or getting kicked out, you know, you kind of tangentially lose that. And I was like, oh, hold on. Like, I was very harsh and I was very judgmental at that time. I understand what it takes, and actually, like, I have huge respect for anybody who chooses to bring in. And I think it's all about having that choice. And a lot of the time people end up feeling like we've got no choice because of the circumstances around us, because of the people, the culture, the society, or whatever we perceive to be our career, you know, aims. And ultimately, like, you only get one life, and you've got to think about what it is that you'll regret more than anything. And, you know, I think that's me.

Jess Vachon: 19:21

So, we've talked about your linguistic background, we've talked a little bit about cybersecurity, but where was that transition point? Like, what was that day that you said, ah, this is what I want to do?

Ash Mohanaprakas: 19:36

So, come 2016, I was still doing this enterprise CRM kind of different roles as I moved on from help desk to training and then progressed to a senior training and development officer at like, I don't know, 23 or 24. And I was like trying to dress myself and behave in a way that exuded, you know, more maturity than I probably, you know, came off with in terms of how I looked and spoke and everything, so that I could, because I was training really senior fundraisers and others in the university who were using these tools, and I was like, okay, let me try and do this. But I also came across a lot of challenges in terms of work-life balance and trying to see where this could go. And I knew fundraising was probably not the thing for me. I wanted to be the person who's able to donate a huge sum of money when I earn my millions, you know. And I knew that was probably the way I would have more of an impact. And I then started thinking about what are those, you know, careers that can be highly impactful out in the world. And I got involved in a GDPR project, bringing consent into this tool that did everything, and financial processing and fundraising. And I had a lot of fun doing a BA for that, but also, I read the GDPR end-to-end and had a lot of thoughts around consent and really lived and breathed it. And I was like, well, actually, like, this is great. I've read Gibbons, I've read like really complicated texts in the past. And at 16, I had no idea what these meant. But every time I cracked what they actually meant, even if the text was in English, you'd get a little high off of it. And I just loved learning, you know, such a huge nerd. And so, once I cracked GDPR, I was like, okay, this makes a lot of sense. And these are some of the ways we can bring it into our work practices and processes. And then when the internal role for infosec came, I was like, okay, let me go for it. Because I applied for a project manager role or a BA role, and I didn't get it.
And my policy is always that if somebody rejects me for that job, then I'm meant for something else, and I won't go back and look, because that's just a deviation, the path that I shouldn't be taking. And so, I'd just come hot off of a rejection, and I was like, right, I still need to get another job in the next few months. And when this came up, I was like, let me go for it. What can I lose? And it was a fair amount of pay upgrade. And it would have been, you know. And I was like, “I really don't think I'm qualified. I barely know beyond, you know, application and database layer. But let's go for it because I'm great at communication”. I understand the context. And I also understood the stakeholders who were facing these challenges. So, I was like, great, let's do this. And they got me in. And they were very surprised and shocked, my old bosses. I'm still in touch with them. They're really great. But they were like, would you really want to do this? You know, it's going to be boring. There's going to be a lot of really boring contracts that you'll have to review. And it just won't be that fun. And I was like, yeah, I'm not here for fun. You know, I love a challenge. And I also had been reading quite a lot about, you know, Harvard Business Review publications and so on. I followed quite a lot of literature around how to make a lasting impact, how to make change in 10 years. There are really great articles on like, what's the quickest path to being CEO? Not that I want to be, but I think it's great to understand how you can demonstrate impact in a large organization and bring it to anywhere you work. And so I was, yeah, it is great.

Jess Vachon: 23:30

I love this. So, people who don't watch the video, who only listen to the podcast, won't see how hard I was laughing while you were speaking, because I love that you called yourself a nerd, I think is what you used. Because I think of myself as one too, and I read really odd things that people wouldn't read. But you know, of all the people I've had on the podcast, and part of this podcast is like, I want to have rebels in. And you have the most rebel of a rebel attitude, I think, that I've had on the podcast so far. Because every time someone says it's boring or you really don’t want to do that, you're like, “Yes, I'm going to do it.” Or if they say no, you're like, “Yes, there is no “no”, there's only yes”. So, you know, and we're not even all the way through this recording yet. And I see inspiration that is just oozing forth from you for people, and it is amazing. And I really hope that when someone comes to listen to this episode, they don't just stop, and they go back and they listen to a section again, because there's so much that you're sharing that builds a path for people to be successful. It's really important that they hear your story. I'm going to move us on and stop fawning over you, but it's just incredible what you're sharing with people, and it's truly moving. It truly is. You mentioned something a little earlier about how you dressed for the roles or you tried to make it, I don't know, you're more of a higher-level professional than maybe you were. Did you suffer from a lot of imposter syndrome when you were going through this? It doesn't sound like it, but you kind of hinted at it.

Ash Mohanaprakas: 25:15

Yes. My thoughts on imposter syndrome have kind of changed over the years, but especially if I put myself back in, you know, 2017, 2018, 2019, I was surrounded, you know, I was one of the youngest people doing my role. I was one of the youngest people in the department of like 500 people. And I was one of the youngest people who was also part of the team who was new, who didn't know anything about cyber. And I had people who were sat opposite me who had done a traditional IT job or did coding before, or, you know, had a technical background of some sort, who then came into cyber because it was an easier transition. They can code and they can write scripts and stuff. That used to bug me quite a lot because I felt like this was a skill that I didn't have at the time. And I also felt a bit like, well, is this really the measure of what makes a good security professional? Because again, like, coming into again a large organization, if you started from the bottom, you know, from a low basic pay grade, the entire internal hiring system can see what your current salary is. There's not a lot of bandwidth for you to negotiate upwards. And that was something I had to grasp. Every new job that I got, I would try and reframe my, you know, salary propositions and the negotiation conversations I was learning. And I was like, oh no, that didn't work. Can I have some more money? And somebody turned around and they were like, really great for you to ask, but no. And I was like, oh, okay. You know, so learning all of those things, it was one of those things, and I was like, well, this is high enough that even if they put me on the bottom of the pay scale, it's still worth it. And it's still, you know, I can try, and I knew the conditions or thought I could. And they gave me a year to complete like CISMP and get up to speed with the things. And I also sat in and did a bunch of the courses with the apprentice that we had on board at the time, the technical apprentice.
And so, I was like, great, I'll do that. And then I did it in six months, and I was like, can I have my pay grade? And they were like, this is really awkward, but we only do these annually, and we've not really had anybody do this in six months, and so it was, you know, you kind of live and you learn, and I had a lot of imposter syndrome, which is why I kind of left the university eventually and went out into the world, because I knew I didn't know a world outside of the university, and I knew I didn't want to be institutionalized, as they call it. And I knew I had to go out and explore the world before I kind of come back or get back in there, because it's just one of those things, right? Like, you become a better person by doing the things, and then doing the things gives you confidence to do more and be more, I think.

Jess Vachon: 28:13

Yeah, absolutely. I remember the first time I had to learn it's NIST 800-53, which has to do with the requirements for the Department of Defense in the US. And I had never, never done it before, and like you, I picked up the documentation, and I read all the documentation. People still tell me I was crazy for doing that. But what it helped me to do was, one, think in terms of what the Department of Defense was looking for, take frameworks I understood and map them, but also understand what it takes to build out the program for that, right? And I was successful; the company I was working for at the time was able to gain a multi-billion dollar contract because I was able to stand up the program for us, right? But I came out of that thinking, oh, I get it now, the GRC side of the house, why it is so important, why the frameworks are so important, because it helps us justify to the business the other parts of the program that we're bringing forward. So I totally understand what you're talking about there, and that when you say I don't know that subject area, and I'm going to go learn that subject area, how you come out on the other side saying, oh, now my skill set, I can feel it's broadened, and not only is it broader, but it's deep, and I can get in the room and I can hold my own in conversations. So, we talked about the linguistics part, we talked about you getting into information security. You mentioned a little bit about coding and scripting. Did you end up actually getting into coding and scripting? And if you did, did the linguistics background help with that?

Ash Mohanaprakas: 29:60

So, I decided at the time I didn't need to perhaps go down coding and scripting, because I also had to take a look at myself and the effort it would probably take for me to get to a place where I was competent. I looked at the value that I would be producing by doing that versus by not doing that and focusing on my strengths, because that's another piece of advice I got around the time; they were like, look, focus on what you're good at. And you know, you're exceedingly good at building relationships and leading the teams and actually understanding the context and applying it. So, let's focus on that. And so, I dove in and I left the university and went on to build a team, because I hadn't done any complex like frameworks at that time. Like, I was still two years into cyber, only had CISMP, which I did in my first six months, and then a load of experience from implementing a framework, you know, not the mainly known ones, but a very niche one. And then I was like, okay, let me go and learn ISO. And I did that by going in as a head of information security at a medtech company who wanted to maintain ISO 27001. And so I took it from the first completion to building it out, integrating it with ISO 3485, the med tech quality one, and got a feel for that. And I was like, actually, then I went to do SOC 2, and now I know ISO and SOC 2, and I don't need to be part of either of the crews who kind of go ISO is better than SOC 2, or SOC 2 is better. And I was like, they both fulfill a purpose, and that is really getting you more clients because they can trust that you're, you know, you've got the right controls in place. And now in the last year, I've been focusing quite a lot on learning AI and learning vibe coding with AI and building stuff, tangible things, and exploring whether I could, you know, do the agentic workflows, build security in.
And I was like, I wanted to be that part of the bandwagon where I would not necessarily say only use coding, vibe coding and AI for prototyping, because, you know, just like with cloud adoption and digital transformations, AWS was not deemed good enough at one point in time, but now look where we are, and AI similarly will go through the same transformation as it gets and reaches that critical mass point where it just does get really, really good. So, I wanted to go out there, understand pragmatically what goes on in agentic workflows and AI products and what that means, and practically how we can like build security at those different layers and what that looks like. So that's been a technical deviation that I kind of took in the last year, but I've not gone back and gone to do coding. I can read code fairly okay, but at the same time, I'm like, you know, there are people who are really good at this, and I don't need to.

Jess Vachon: 33:05

Yeah, I understand that. It's kind of I tried my hand way back in the day and said, no, this isn't for me. And to your point, there's people who enjoy this. I know just enough to be able to work with them, and that's okay. So, you made a point about AI, and I think it's valid, and I want to highlight it is that we're early. We're really still early. I know people say, well, AI has been out for three or four years now, but it's really just now coming into the business environment, and you use cloud as an example. And I could go back and I could pull up tons of examples over time about the evolution of technology and then the evolution of security that goes with it. And there is a long, there's still like a long draft behind it, right? So, most organizations are still struggling to figure out how to secure AI. And there's plenty of tools out there, but which one do you choose? Do you choose the one that has tokenization or do you choose the one that has more of an external guardrail approach? It's hard to say, and it's hard to even advise which tool should be used because as you've mentioned, it's continuing to change and evolve. I've used the example several times on the podcast recently that AI still can't do very simple tasks. So, rushing your business into using AI to do a complicated task, that's a high challenge to prove value in that. And it's an even higher challenge to push that product out the door and say it's secure.

Ash Mohanaprakas: 34:46

Yeah, 100%. And you know, like I agree, AI has been when I joined the MedTech company in 2019, they were doing cutting-edge AI stuff. It just didn't look like what ChatGPT or OpenAI does. They were, you know, doing the training. You get to understand like what data goes in, how they control, what kind of model of training that they use. And they would lock it typically as a medical device that then goes and gets validated and stuff. This was like the pre-OpenAI, ChatGPT kind of approach to AI in different tools, which was highly regulated, especially depending on the context of the data that you're processing. But these days, you're absolutely right. Like people are expected, you know, the wider world who weren't necessarily aware of how AI was used in health tech or other areas, to essentially go, we need to now demonstrate ourselves as an AI-first company. And therefore, that means building AI into the product, even if it's not that great, because nobody else is doing an AI that great anyway. And it's hard because ultimately you don't necessarily want to, from a commercial point of view, what sells isn't AI. What actually sells is the user experience and what you're doing to take away the pain that people are experiencing. And if that pain is bad enough, and if AI or automated workflow or whatever else you know is the thing that's going to solve it, it's going to work out no matter what. It doesn't need to be a ChatGPT-type AI or a bot or whatever.

Jess Vachon: 36:27

Yeah, 100%. And here's the thing, news flash for companies: everyone's going to have AI. And once everyone has AI, AI is no longer a differentiator for your business. Yeah, so don't just do the AI piece, remember to innovate alongside that. And that is not just saying, well, AI is our innovation, because it's not any more of an innovation than going from onsite to the cloud is, you know, yeah. So, all right. You've said that you're passionate about turning security from a cost center to a competitive advantage. What do so many organizations still get wrong about this? And how do you make that differentiation for companies you support?

Ash Mohanaprakas: 37:10

Yeah, perhaps I'm in a quite opportunistic way because a lot of the companies I think my ideal clients that I work with tend to be navigating a scaling journey, typically speaking. That being said, I have worked with this, I'm currently working with a super tiny client who are actually working towards the V1 of their launch of their app, which is really exciting because I've never been part of that journey before. But typically, they're scaling and they've done some sort of certification or they're considering it in the first sense. They might have had internal resource kind of trying to hack their way through it, and maybe they passed their stage one or two, and they're like, right now we need to actually just maintain it and you'll be okay. But what I often find when I look in is that everybody takes a heavy-handed approach. They're like, yes, let's be as comprehensive as we can so that, you know, it there is no doubt we can point to all the policies. Let's have 40 policies. It'll be great because it covers each of the areas or controls. And I think that's hard because then people are losing the trees for the forest. People are going to start changing their behaviors, nobody's going to have time to look through 40 policies. And even if you enforce it technically by saying you've got to click and accept it, or we won't give you access or whatever, they will find a way to kind of shortcut that, so they don't have to do it. And so, it's really important that the policies are actually translating the leadership intention and the organization's intent on how what good looks like. And I always say processes are you know how you do the thing that is right, and that once you get that balance right, it's actually like it doesn't need to be that complex. You don't need to have 15 policies. Yes, there are like niggly little wordings or phrasings that you might need to consider from a technical point of view, but actually that's only half the story. 
The other half is actually showing that it's implemented. And what I'm really, really good at is given like I spent all that time looking at CRMs and how all the different fields built together and stuff, I have somehow like, you know, I see ISO and I see the artifacts that you need for ISO 27001 as, you know, a relational database in a sense, all of these different artifacts link together and they all interact and they have a bigger purpose in terms of giving the organization a contextual and accurate view of the risks and opportunities and also what they need to do. And that's what I've done in companies where going in and actually going, what do the audiences need to see? They need to see that process in action, but it doesn't necessarily need to be a really long, boring thing. It could be a Slack channel message, especially as you're scaling, as long as you know, there are always good practices in great companies, you know, where the people want to do the right thing, they just don't know what that looks like, or they just need a little bit of guidance to say, actually, this is why you need to care about this. And that makes my life super easy because they come in and they're like, right, we didn't either know anything about it or know why we're doing it, or they've had somebody who's very strict, and I hate to say like some of our profession, very, very strict, very kind of pedantic. I tend to think of them as like prescriptive people, and I'm a descriptive person. So, in terms of linguists, you have again prescriptive and descriptive linguists, and prescriptive linguists basically say, no, this is not how you say it, you say whom instead of who, and you never end in a preposition. Whereas descriptive linguists would go, oh, this is really interesting that in, you know, certain circles in East London languages, people use certain words in slightly different ways, because you're observing it and you're capturing that information.
And that's how I think my style of InfoSec works, in that we're actually capturing what's going on down the ground and how that relates into the good practice and correcting those only where needed, where it's obviously not right, rather than you know, not aligned with the risk appetite essentially for the organization.

Jess Vachon: 41:32

Yeah, and I'm hearing your pragmatism as you're speaking again, and but you get it, and I think especially if you're working with startups or scale-ups, you have to think of it that way. Like just what you need now, your company's two or three people, you don't need a thousand pages of ISO documentation and evidence and everything else. What are you doing? What is the minimum that you need to get this certification? Because once you get that certification, now you've got a marketing tool for your company, you've got a sales tool for your company, and you can come back. There's iterations, there's many more years of your successful business that you're going to have to expand this and mature the program, mature the policies. But if you strangle the company before it has a chance to really grow and breathe, then we're not doing our jobs, right?

Ash Mohanaprakas: 42:22

Because we're on a company to protect it, right?

Jess Vachon: 42:26

Right, right. We're along for the ride. We are, unless you are a company that is providing security services; then security is a business enabler. It should not be detracting from the business. And if you're going to lead or advise in those areas, as you've given us the example of, you have to be very careful about how you're doing that and be a supporter of the business. Great story to back that up. I want to move on to leadership and scaling with clarity. So, you've worked with boards and founders and CISOs and public sector leaders. What does a board actually need to hear about risk?

Ash Mohanaprakas: 43:08

So, I think it's an interesting one because I'm also part of an academy trust's education board, essentially. It's a nonprofit, so we call them trusts and so on. And I think what they want to do is the right thing, right? Boards are meant to be governance execs, like they're here as kind of people quietly observing, kind of steering people if we really need to, but really getting a sense of what the company is up to, what their biggest risks are, and able to give directions to the leadership team in terms of navigating things a certain way. Because everyone who's part of a board in a typical organization, they come with specific areas of expertise and expectations for, you know, they know what good should look like at that stage, which is why they're brought in to give that guidance and direction. So, they don't necessarily need threat dashboards, they don't need to know the intimate details. What they need to know is your security story and where the focus areas are. And I've written board papers where, you know, it kind of chains up in a larger organization. You might start with very niche, minute details of exactly how much training is being done in a department and how that links into your risk analysis and how that colour codes and it becomes a heat map that, you know, shows the company's risk landscape in a heat map way. But you've got to ask yourself, you know, for a company, what is it that's necessary for them to know? And they need to know risks that are above the risk appetite and tolerance level for the organization as defined earlier in the risk management policy. And they need to know what we're doing about it or what we need to do about it, especially if we need to have significant investment in order to further it.
Any reports that you, as the CISO or the senior InfoSec person, do, you're providing the CEO the narrative and the story to leverage as they do the meeting, as they go through what's actually going on down the ground and how that fits in commercially. So yeah, I think that's what it is. They don't need all the details, they don't need fancy dashboards, they need to know, like, it's been as simple as like a slide deck with, like, you know, bullet points and stuff, because in some cases that's all they need to know, right?

Jess Vachon: 45:43

Yeah, absolutely. And here's a trick for anyone who hasn't used it, you can also have an appendix, right? Because usually the boards get their packets early on, so you can put all the details in the appendix, and then if they choose to dig, you're giving them the information. But you know, I think most people who are presenting to boards realize you get a very limited amount of time to get to the point. And I like that you use the idea of a story. What is the story in terms of risk appetite and what do you need from the board? Because if you're not asking for something from the board or you're not advising them about a risk that they may become liable for, then it's not something that's relevant to that five or ten minutes you get to talk to them. You said that your goal is to automate yourself out. That's a bold statement. Why is that important?

Ash Mohanaprakas: 46:39

It's really important because I think it's one of those. I started it as a joke, right? Because a few months ago, after my last, you know, client startup got acquired by an enterprise client, I was like, right, I need to rethink where I am. Let me see what's going on out there. Because if anyone's gone through the startup acquisition journey, it is hectic. It's intense, and you come out of it feeling a little bit burnt out. You might come across, you know, you might have lots of late nights and stuff. So I was, you know, really kind of trying to find where I am, who I am, and where I sit in the wider context of what's going on out in the world, outside of the deals and everything. And I realized, like, oh, you know, one of the main things about AI as I go into it is like it can do the boring parts really well. And if you know what you're doing, and if you've got a certain number of years of experience in the field and you're good enough to actually go, I know what a right answer looks like versus a wrong answer, you know, then you've got a real ability to try and see what are those boring, repeatable tasks that you can take out of your life. And me, like, I know I work in GRC and compliance as well quite heavily, but I hate documentation for documentation's sake. And I'm dyslexic, so I'm not a big fan of referring to CAPAs by numbers or anything. I'm very much contextual and understanding those problems. So, I would much rather spend that time working through the complex problems or understanding how we can solve a challenge or a risk than going, yes, now I need to update all of my CAPA lists and update, you know, the effectiveness review or whatever. So, I always think doing the thing is more important than documenting the thing. And I thought documenting the thing potentially can be automated. And then I was like, well, what else can we automate?
Because there are quite a lot of other things that are very GRC heavy, which doesn't almost like doesn't necessarily need a human to do it. And so that's kind of set me as a focus point as I explored AI because I you always find that if you have a use case, a real live use case that you actually want to solve in terms of problem, you get a lot more out of your learning journey because you're going into it with a question to say, okay, how can I solve that challenge? And how does this bit of information help me solve that challenge? And you're kind of working through these slowly. So, I was like, this is my use case and scenario. I did have a few others because I was also looking for meaning. So I was like, can I turn the Ikigai, you know, concepts of Ikigai and Kaizen into a GPT that can help me, you know, work through that question without me having to pay for a career coach or you know, spend that time with an actual person doing it or doing it on a workbook or you know, on the actual book. So, I did that. There is a project live on the public project because I thought it was actually really good. But I found limitations, and that was like my first level into learning it. And the limitations is that you've got to do it one in one go because there's no context memory because we're not saving that. And so, anyone can go and use that GPT, but I know that's not you know quite fair because I was building that for myself and then for my sister who's you know got ADHD, she's neurodivergent. It's really hard to get her to try and complete things. So, I was like, I really want to make it. If she like can stay through and complete it, that's probably a good sign. So, I've then pivoted and gone in to try and build it as an app, and I've been asking people for help. And so, it's one of those like pet projects where we're like, what information do I need? What information does the AI need in order to make those decisions? 
How can I automate the engagements in different stages to actually stage it, so it works well? I've done several other things. Once I had a panic about my son maybe not doing as much like wider reading as he should, because he goes to a state school, which is, you know, the free government-funded schools. And I'm a big believer that if you're if you have focus, you'll survive anywhere. But I also wanted him to explore like things other than games. So, I built him a GPT, which was supposed to be interrogating him in what was it, like morality theory, philosophical concepts and stuff. So, half an hour, you know, and I turned on voice mode. So, I have it on voice mode, and then like, okay, kick off this session, and then they talk about things like the trolley problem and all of that, like, which, you know, as a 13-year-old, he hasn't come across before. So that was really interesting, sparked quite a lot of conversations between him and me and like getting to know how that works and stuff. So, there's a lot of like different ideas you can actually now. There's less barrier to getting that live and getting going from an idea to actually seeing at least part of it done, and you kind of go, does this have an opportunity to be built into something bigger? Does it need to be? Or is it doing its function just as well as it need to? And I think that there's also power in knowing that because you don't necessarily want to be bringing in too many things if one little part of it does the job because it also overarchingly minimizes the risks from having things connected and a lot more information about you gathered from different points, right? So yeah.

Jess Vachon: 52:13

That's really brilliant. I love how you're approaching AI. I think more of us could take your example of using it as a tool to supplement the human element of life, and that's what I heard, you know. You didn't say, “Hey, I'm doing this so that it can parent my child”. You said, “I'm doing this to prompt my child to think, think a little more deeply, and then we're having a conversation about it”. So, you know, your son gets to think deeply, and then you get to have a conversation, so you're connecting, that human connection piece is put in there. That's a brilliant way to look at it. Hopefully, more people are looking at it the same way. I know we're getting short on time. I want to ask one last question of you. Hopefully, it's okay. As a woman in cybersecurity leadership, what have you had to navigate that others may not see? And how did intersectionality factor into that, if at all? And I know you recently had a post that alluded to this on LinkedIn for International Women's Day. Can you talk a little bit about that?

Ash Mohanaprakas: 53:17

Yeah, and I suppose I should talk about it. It was a post that kind of came from the heart because, as you know, like I've been going through quite a lot of careers and different jobs and different managers. And one thing that I experienced quite early in my career was, you know, because I was young, there's a lot of preconceptions that get thrown about. When I disclose that I'm a mother, I get way more, you know, preconceptions thrown about and go, you know, even women in leadership roles going, unfortunately, going, well, I've been there. I know I had kids; I know what it's like. You're definitely not going to get any work done. So don't work from home. You come into the office. And I always thought, like, why are we misusing our power and influence to hold others back? Because unfortunately, that's something that we see around us all the time. My husband, as somebody who's like explored so many more careers than I have in completely different parts, because he's also got a very wide range of interests and skill set. He quit some of those industries. Because, again, in medical fields as well, there's a lot of like stigma and relational problems around, you know, people who came, who struggled, who navigated a whole bunch of problems, getting to a leadership position or a senior position and turning it around and giving them the same treatment that they did. And I saw that in family members where, you know, again, culturally, in Indian culture, if you ever like switch on an Indian drama, I don't watch those. But it's always full of like mothers-in-law and daughters-in-law having problems because a mother-in-law believes that, you know, they are entitled to a lot more, or they navigated a lot of problems, and therefore I deserve to be put through some of these as well, like a bit of a hazing kind of attitude. And I thought, like, well, I see this behavior, and once I saw it, I couldn't unsee it everywhere I went.
And I was like, “Well, that is definitely not the type of parent I'll be, not the type of leader I'll be”. And I had to, you know, consciously go, right, this isn't right. It's not the environment for me. I'm not going to sit there and take it. I will just find myself another role with somebody else who understands. And if I can't change that person, like it's sad, but where I can, I would try and influence and I would try and demonstrate you can actually build really great culture by actually just seeing human beings as human beings, by giving way to people, actually going, you know, rather than seeing people as titles or their years of experience or what they look like, actually going, look, you know, you could be going through a whole mountain of problems that I don't know about. But if I don't ever take the time to actually get to know you, I won't know. And if I don't give that grace to you but expect it for me from everybody else, that's not fair on me either. And so that's kind of where I landed. And so, I really wish and hope that men and women will consider this when they look at their team and look at their peers and actually go, what can I do once if there's one thing I can do to actually help somebody who's even six months behind where I am? What could I do? Like, let me do it for free, expect nothing back, and hopefully, like, you know, it will come back as good karma down the line. To not maybe you, but somebody else who needs it.

Jess Vachon: 56:53

And that's perfect. On that note, thank you, Ash, for visiting the show, talking about translating risk into growth and proving that unconventional paths build the strongest leaders, and we're talking about you. And thank you for being one of the Voices of the Vigilant. Until next time, everyone. Bye. Bye.
