
Bengaluru, 9th September 2025: In today’s fast-evolving digital landscape, the role of a CISO goes far beyond ticking compliance checklists; it’s about building resilience, anticipating risks, and enabling business growth without friction. From navigating mandates like IRDAI guidelines to implementing proactive measures such as Attack Surface Management, our guest brings a unique perspective shaped by years of experience across network engineering, risk management, and cybersecurity leadership.

Join Mr. Ashok Kumar G, Chief Information Security Officer at Acko in an engaging conversation with Mr. Marquis Fernandes who spearheads the India Business at Quantic India. Mr. Ashok shares candid insights on balancing compliance with real security, how AI is transforming cyber defense, making third-party risk scalable, and the lessons that shaped his journey from engineer to CISO.

You’ve worked on both compliance-driven mandates like IRDAI guidelines and proactive measures like Attack Surface Management. How do you balance ticking the compliance checklist with building a truly resilient security posture?

Compliance gives you structure, but resilience comes from staying a step ahead. I treat frameworks like IRDAI as the baseline. They help formalize controls, but real security is about proactively reducing risk, not just passing audits. That’s where things like Attack Surface Management come in. While compliance asks “Do you have a policy?”, ASM asks “What could be exploited right now?” I try to overlap the two: using compliance cycles to tighten controls, and using security work to make compliance easier. It’s not either/or; the sweet spot is when both support each other.

With AI-driven cybersecurity gaining momentum, what are the most promising real-world use cases you’ve seen where AI tangibly reduces cyber risk?

AI is making a real impact in cybersecurity beyond just buzzwords. Phishing detection has become far more effective with AI models analysing content, sender patterns, and URLs in real time. Behavioural anomaly detection is another strong use case, flagging unusual user or system behaviour well before incidents escalate. AI is also helping with smarter vulnerability triage, prioritizing based on exploitability and business impact rather than flooding teams with CVE lists. Attack surface discovery has improved too, with AI tools spotting exposed cloud assets or APIs that traditional scans might miss.

Some tools now even claim to understand business logic within applications, making automated pen testing smarter by simulating real-world user behaviour. While still evolving, it shows promise in reducing manual testing effort early in the lifecycle. Overall, AI is helping cut noise, reduce detection time, and make response cycles much sharper.

Third-party risk is a growing concern, especially in financial ecosystems. What’s your blueprint for making TPRM both scalable and effective without slowing down business partnerships?

Third-party risk in financial ecosystems needs structure without becoming a bottleneck. The most effective approach starts with risk-based tiering, treating vendors differently based on their data access, integration level, and regulatory impact. This allows deeper scrutiny where it matters most, while keeping the process lightweight for lower-risk partners.

A planned assessment calendar goes a long way in making the process scalable. Instead of reacting to audits, evaluations are scheduled and predictable, helping track vendor health continuously, not just once at sign-up.

Relying on industry certifications like ISO or SOC 2 as accelerators can streamline the due diligence effort, especially when backed by structured questionnaires and evidence collection. 

Ultimately, the goal is to embed trust without adding friction, enabling fast partnerships while maintaining a clear line of defense. When third-party governance becomes part of the process instead of sitting beside it, both security and speed can coexist.

From the start of your journey till now, it has been a long way. What’s one behind-the-scenes or funny moment from that journey that people wouldn’t expect?

One of the most surprising parts of my journey in security has been realizing how much of the job is about communication. Back in 2010, I thought security was all about tools and terminals. But over time, I’ve learned that explaining risk in simple, relatable terms is just as critical.

Whether it’s helping teams understand why a misconfiguration matters or aligning with business priorities, the real challenge often lies in storytelling and trust-building. That shift from being a gatekeeper to becoming a collaborator has turned out to be one of the most rewarding and unexpected aspects of the role.

In your career, you’ve moved from network engineering to CISO. If you could give your younger self one “security patch” of advice, what would it be?

If I could give my younger self one “security patch,” it would be: don’t just focus on the technical depth; start building your communication and business skills early.

Coming from a network engineering background, I was deep into configs, packets, and uptime. But as I grew into security leadership, I realized that being effective means translating risk into language the business understands, building trust across teams, and influencing decisions without always being the loudest voice in the room.

So, that patch would be: learn to zoom out, understand the “why” behind the “what,” and treat security as a business enabler, not just a technical control layer. The sooner you start doing that, the smoother the upgrade path to leadership becomes.

Do you actively follow any leader or influencer who evolves you in any way in your day-to-day life? Tell us more.

Yes, definitely. I’ve been fortunate to have worked closely with some incredibly inspiring leaders and mentors throughout my journey, and what makes it even more special is that I’ve been able to collaborate with them directly in a professional setting over the past decade. What I truly admire about them is how effortlessly they balance vision with clarity, and how they lead not just through decisions, but through humility, resilience, and empathy. Their approach has not only shaped how I think about leadership and security, but also how I show up every day, whether it’s solving a technical problem, mentoring someone, or navigating challenges. Even though I don’t usually quote or name them publicly, their influence continues to evolve me, both personally and professionally.

As the conversation with Mr. Ashok Kumar G reveals, the modern CISO’s role is as much about foresight and communication as it is about technology. From aligning compliance with real-world resilience, to leveraging AI for sharper defenses, and embedding security seamlessly into partnerships, his journey underscores a powerful truth: cybersecurity is not just a safeguard but a business enabler. By blending technical depth with empathy, clarity, and leadership, Mr. Ashok exemplifies what it means to build trust in a digital-first world, leaving valuable lessons for the next generation of security leaders.
