CIO News spoke with Aysha Khan, CIO and CISO of Treasure Data, about transforming the perception of cybersecurity from a defensive role to an enabler of innovation.
Khan challenged the traditional "Martyr CISO" model, promoting security as a business enabler rather than a fear-based tactic.
Khan discussed her strategy for creating a safe lane for AI experimentation, addressing new hybrid opportunity/threats like AI coding.
Somewhere along the relatively brief timeline of need-it-yesterday enterprise AI adoption, the role of CIOs and CISOs was forced to silently evolve. The biggest emerging threat to company health isn't just a foreign adversary or sophisticated new exploit. Those are table stakes. The new undeniable risk is a lack of AI innovation.
For CISOs specifically, cybersecurity has traditionally been sold from a defensive crouch, with leaders using fear, uncertainty, and doubt as leverage for budget and influence. But this approach has turned many security departments into roadblocks to progress, stifling the very innovation they are meant to enable.
Aysha Khan, the dual CIO and CISO at AI-driven customer data platform Treasure Data, spoke with us to discuss her hybrid role as enabler and protector. Recognized as the Cybersecurity Leader of the Year, Khan has spent over two decades challenging the industry's default posture. Her mission, forged by watching many leadership styles she vowed never to emulate, is to transform security into a function of pure enablement. For Khan, the path to unlocking growth in the AI era begins with a radical reframing of security’s entire purpose.
Security as acceleration: Khan’s philosophy is built on a simple but powerful formula that turns the traditional model on its head. It’s a vision she believes is the only way forward in an age where speed is paramount. "Security to me equals acceleration with equal parts velocity and trust," Khan said. "And trust directly feeds into revenue and business resiliency."
The martyr CISO: This philosophy was born from a career spent pushing back against what she calls the "Martyr CISO"—a leader who isolates their function and creates a bottleneck. "A lot of the CISOs act like martyrs," she explained. "They take all the responsibility and make unilateral decisions because they don't tell the business the real value or why it matters to them. So they make cybersecurity a technology problem, not a business problem." This martyrdom, she argues, is rooted in a flawed approach to influence. "Many cybersecurity leaders sell security as a fear tactic," Khan said. "I didn't wanna be that leader."
Just as this new model of security-as-enabler takes hold, the world has been upended by AI. Yet where many see only risk, Khan sees opportunity, feeling like a "kid in a candy store" facing immense possibilities. The key, she argues, is to stop treating security and innovation as separate pursuits. "We're not going to talk about innovation and security separately," she declared. "We're going to talk about secure innovation day in, day out."
Pursuers vs. game-changers: Executing on "secure innovation" begins with a foundational question she poses to every leadership team: "What is your AI ambition?" The goal is to get everyone "singing from the same song sheet" before a single tool is deployed. From there, Khan framed the strategy as a choice: will the company be "Productivity Pursuers," using AI for internal efficiency, or "Game-Changers," building AI into the core product?
Treasure Data’s answer was to be both. This is proven not in theory, but in practice, whether it’s proactively approaching the GTM leader to "unlock" the regulated life sciences market with HIPAA compliance or boiling down over 160 use cases into tangible value, like increasing an engineer's "code velocity."
Creating the safe compound: Of course, enablement creates new challenges. Khan identifies "AI coding" as a "new category of threat," where tools like Lovable and Cursor allow anyone in the company to become a developer, creating a governance nightmare. Her solution is a "safe compound" for experimentation, built on a three-layer framework of administrative, operational, and team-based controls.
Outside the box: Khan's system is designed to ask practical questions, such as, "Will this application reside within Lovable? Or are you thinking of bringing it into our AWS? Because those are now two different conversations." This pragmatic approach acknowledges the limits of the technology. After all, she noted, "AI is not an answer to everything."
Our conversation shifted to IPO-readiness in an era when AI threats and innovative potential imply volatility. As large high-growth companies like Treasure Data look toward public markets, security and acceleration cannot be a trade-off. Khan demystified the challenge of securing AI at scale with a clever analogy. "There's an S before SDLC," she explained, referring to the Secure Software Development Lifecycle. "That S was there for cloud computing. That S was there for mobile app proliferation. That S is still there for AI. So it hasn't changed. We are not reinventing the wheel." The playbook doesn't need to be rewritten, just updated.