Jess Vachon is a three-time CISO, the founder of Vigilant Violet LLC, and the host of the Voices of the Vigilant Podcast. With a career spanning manufacturing, defense, robotics, software, healthcare, and global financial services, Jess brings a uniquely broad perspective to cybersecurity leadership. Her journey reflects a deep commitment to building security programs that balance technical rigor with human-centered leadership. Across every role, Jess has focused on developing resilient teams, pragmatic security strategies, and leaders who understand both risk and responsibility.
Jess Vachon explains how her path to becoming a CISO was shaped by working across multiple industries and building security programs from the ground up. She shares how creating a full security program at a defense manufacturer helped confirm that security leadership was where she could make the greatest impact. That experience also reinforced her belief that hard problems with visible outcomes are the most rewarding.
The conversation explores the role of AI in modern security, with Jess emphasizing that productivity gains should not come at the expense of people. She challenges the idea that AI should simply replace staff and instead argues for using it to increase effectiveness, retain institutional knowledge, and reduce unnecessary friction for employees. Her perspective reframes AI as a tool that supports humans rather than one that sidelines them.
Jess and Matthew also discuss why security tools must be purpose-built rather than bolted on with buzzwords. Using real-world examples, she explains how machine learning can quietly protect users by understanding behavior and stopping threats before employees even see them. This approach reduces blame, improves trust, and shifts security closer to being invisible but effective.
The episode closes with a powerful leadership discussion shaped by Jess’s Marine Corps experience. She shares how military service taught her to lead under pressure, maintain perspective during crises, and focus on outcomes without losing sight of people. That mindset continues to inform how she views risk, response, and the responsibility of modern security leaders.
Resources mentioned in this episode
Matthew Connor on LinkedIn
This episode is brought to you by CyberLynx.com
CyberL-Y-N-X.com.
CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.
The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.
Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensures that clients are 100% satisfied.
To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.
Matthew: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Jess Vachon, three-time CISO and host of the Voices of the Vigilant Podcast. Jess, welcome to the show.
Jess: Thank you, Matthew. Happy to be here and happy to share some of the wisdom I've gained over the years.
Matthew: We're happy to have you and can't wait to hear it. Before we get too far in, a quick word from our sponsors.
[SPONSOR READ: This episode is brought to you by CyberLynx.com. Do you know if a hacker is in your system? Most people and most companies don't — until it's too late and the hacker has already done damage. A hacker's job is to bypass your security, so companies need a way of knowing when someone has gotten past their defenses. That's where CyberLynx comes in. We've partnered with the best cybersecurity companies in the world to provide our clients with the best solutions at the best prices — whether it's managed SIEM, SOC, EDR, MDR, or XDR. We'll help you find the right solution at the right price. Find out more at CyberLynx.com.]
And now back to our show. Jess, for those who aren't familiar, can you tell us about your journey to CISO at a global financial services firm?
Jess: Sure. It's been an evolution. My early career was as an individual contributor — working in healthcare, manufacturing, and doing some security consulting. But at a certain point, leading IT organizations, I found I was spending half my time on security. I enjoyed it, so I thought: why not just do this full time? There's clearly a need for security professionals at the executive level. So I pivoted.
My first dedicated information security role was at Sig Sauer, a firearms manufacturer out of New Hampshire. I was brought in to build their entire program from scratch — and the reason they needed it was to compete for government contracts. Anyone in the defense space knows how rigorous those requirements are. It took me three years to build the program, build the team, and successfully compete for and win those contracts. That really fed my soul and confirmed I was in the right area. I enjoy doing something extremely hard and seeing the payoff from it.
From there I moved into a robotics company serving the semiconductor industry, then into software, and then financial services. Some people say I'm a jack of all trades — and given how many industries I've worked in, that may be fair.
Matthew: I think the beauty of that is you come in with fresh eyes — like a consultant who can say, "In other industries we've done it this way, and maybe a hybrid approach makes sense here." That's a huge advantage over someone who's only ever known one industry.
Jess: I agree. And that diversity has become core to who I am — not just in how I approach my work, but in how I staff my teams. I look for individuals who've worked in different industries and had different lived experiences, because they can look at a problem from multiple angles and think of multiple potential solutions. Instead of "we've always done it this way," they can say, "I see how you're doing it, here's how I've done it, and here are three or four other ideas — let's find what works best for this organization."
Matthew: I love that. And I think as AI becomes a more significant force in everyone's day-to-day work, there's going to be a natural pressure to focus purely on productivity — what can we accomplish with AI? But I think a lot of people are going to find it challenging not to lose sight of the human element. The robots and the AI have the productivity piece covered. What becomes truly valuable is people who can work well with a team, think creatively, and bring a diverse perspective. Part of the quiet quitting problem we see today is that managers aren't focused enough on the human side. And here's my hot take: AI might actually push managers at all levels to start focusing more on people. What do you think of that?
Jess: I think we should have been focusing on the humans all along. But if AI is what finally forces that conversation, good. Because some business leaders right now are looking at AI purely through the lens of staff reduction — they're only looking at the P&L and how it impacts the bottom line. Nobody is thinking about the displacement of labor and what happens to those workers, or who is going to be buying the products we're creating if people aren't employed.
AI is valuable to organizations and important for revenue generation — but it's equally important to figure out how we use it alongside people who still have lives to live on this planet. The increase in productivity matters, but you can keep the staff you have and use AI to make them more productive, which drives higher profits and higher revenue. In information security especially, we've been trying to keep up with threat actors for years. Artificial intelligence is going to give us the ability to close that gap — to maybe be only a few steps behind instead of miles behind — if we use it wisely. We want to retain experienced staff, train them on AI tools, and demonstrate how that investment benefits the business. We can keep people employed, make them more productive, defend organizations more effectively, and make companies more profitable. But we have to think in that full context. You can't separate the people from the AI from the business. When you do, the social agreement starts to fall apart.
Matthew: I couldn't agree more. And when it comes to AI in information security — that's where I get most excited. LLMs like ChatGPT, Grok, and Gemini are fun and genuinely useful, but they're not the end-all-be-all for security. In fact, in a security context, LLMs can bring more problems than they solve — prompt injection being a prime example. But that doesn't mean AI is out of the equation. I think AI might be the savior here. The bad guys are using LLMs, and eventually some will move into powerful machine learning-based attacks. But what gets me really excited are products like Darktrace. They've been doing AI for about 13 years — machine learning purpose-built for security, not bolted on. Take email security: it reads how you write, understands how you normally communicate with specific people, and can catch a malicious URL that passed all the standard filters because something just doesn't fit the pattern. That's the future of information security. Not legacy products slapping on an LLM and claiming they're "AI-powered." What's your take?
Jess: I completely agree. And I'd add another dimension. We've spent years training staff not to click on links in emails. Now imagine a tool that knows how the individual uses email, knows what messages to expect, and analyzes every link before the user even sees the email — and if something's off, it's already neutralized the threat. So do we still have to run phishing simulation tests? We might not have to. And that matters, because phishing tests are a friction point. Nobody likes being tricked. It's demoralizing. That's a perfect example of how AI can help us — making security more invisible, pushing it further away from the end user, and making it faster and more proactive.
Matthew: That's brilliant. You look at the traditional email gateway approach — quarantine everything, then Joe in accounting still has to go digging through the quarantine folder anyway. What was the point? You have to get to where the machine learning is good enough to trust. And we're getting there. I compare it to self-driving cars — when Tesla first launched, it was like a drunk toddler behind the wheel. Then it became a teenager just learning, then a teenager who got their license, and now it's an adult who's doing a genuinely solid job — but you're still watching. That same trajectory is happening with AI in security. And the question I want to ask is: what other advantages does this create for the end user as we implement more AI in information security?
Jess: Insider threat analysis is a great one — though I actually dislike the term "insider threat" because most of the time, people aren't acting with malicious intent. They're trying to get work done quickly, or they simply don't know the right path. Right now, tools do reporting, correlating, and alerting. But if we fold AI in, we can use it to actually redirect staff in the moment — "I see you're trying to do X. I think you want to do Y. Here's how, here are the tools, and if this doesn't meet your needs, click here and I'll connect you with someone who can help." We're making security invisible. We're making it proactive and human-centered. Artificial intelligence doesn't mean it can't respond to people in a respectful and understanding way.
Matthew: Spot on. Data loss prevention is another area where AI can be incredibly helpful. With traditional tools and methods — micro-segmentation, log analysis — it becomes more of a policy exercise in keeping the honest person honest rather than truly preventing accidental leakage. AI changes that equation meaningfully.
Now I'm curious — we've had a lot of CIOs and CISOs on the show, and no two have had the same origin story. What initially got you excited about technology?
Jess: This goes way back. I was barely a teenager when I first saw a Commodore VIC-20. I watched someone type in a program, record it to a tape, play it back, and play Pong. And back then, you could buy a magazine at a corner store that had code in it, go home, type it all in, compile it, run it, and play a game. It took hours and hours — but I was hooked. As a kid, the idea that you could create something and then use it was incredible.
After that it faded for a while — I didn't have regular access to a computer. Then in college came the computer labs and limited internet access, and my introduction to the Microsoft suite. I saw what Excel could do, how Word worked as a text editor, and I thought: this is amazing. I'm so much more productive. Then I went into the Marine Corps, where they trained me in basic electronics — motherboards, PCBs, logic gates. It was feeding a very technical, mechanical side of my brain.
In my early twenties I bought my first computer, immediately took it apart, put it back together, and figured out how to make things run faster. I was buying spare parts, salvaging discarded machines, figuring out how to get video cameras working over dial-up connections. One Christmas, my spouse and I were stationed in Japan with our young kids while the family was back in the US. I connected a video camera to the dial-up line and showed my in-laws the kids opening their presents. This was the mid-90s. For me, that was a miracle — making the world smaller and more accessible. That passion has never left. I still feel that same fire. And I think we're on the next doorstep of something really great — AI, quantum computing on the horizon in the next three to five years, household robotics within five to ten. We're moving quickly into the 21st century we all envisioned.
Matthew: We must be similar ages — the VIC-20 was the first computer in our house too. My dad was an electronics engineer, designed circuit boards — brilliant man, perhaps the world's worst businessman. But I owe him a lot, because everything I learned about business was essentially: what would Dad do? Do the opposite. Then the Commodore 64, then the IBM 8088 — that's where I really got into programming. And I have to ask — with that origin story, I would have expected you to go into game design. What happened there?
Jess: Two things: I'm not great at mathematics, and I'm not great at sitting still. Between those two, I attempted coding, quickly determined it wasn't for me, and was wise enough at a young age to redirect toward the engineering side — networks, firewalls, servers, building out data centers. And along the way, encountering good bosses and bad bosses made me think: I can do better than this. That belief is what drove my transition from individual contributor to management.
Matthew: I'm an old Army guy, so I always appreciate a Marine. What inspired that path, and do you find your military background contributes to how you lead today?
Jess: From a very young age, I felt I owed something to my country and that I needed a purpose — to shape the world, leave it better than I found it. My dad is a Vietnam veteran who served in the Navy. Marines, Navy — I wasn't keen on the Navy uniforms, but the Marine Corps ones are sharp.
At that point in my life, I was always gravitating toward the hardest available challenge. I figured if I could survive the Marines, I could do anything. I enlisted first, went to boot camp at Parris Island, and then midway through my service I went to Officer Candidate School — so I actually went to boot camp twice. I served six years total.
To your second question: yes, the Marine Corps was the point at which I truly learned what it means to be an adult, a leader, and to be responsible for producing results while taking care of others. At my most senior leadership position, I served as a Battalion Operations and Intelligence Officer in the Asia Pacific area — 1,200 Marines, in a very high-tension environment near Korea and China. It was a higher billet than my rank would normally carry. I learned to push myself, trust myself, plan in triplicate, and handle genuinely stressful situations. People ask me how I stay so calm as a CISO. Well, I've been in the real grinder. I know what actual life-and-death stress is. And that gives you perspective — in most cybersecurity situations, nobody is dying. It's urgent, it's serious, it needs to be handled. But we don't have to lose our minds over it.
Matthew: I was at Camp Zama for three years — I'm guessing you were in Okinawa?
Jess: Camp Kinser, yes.
Matthew: Great place. And that perspective is invaluable. Once you've actually been shot at, you walk into the civilian world and everyone's acting like the world is ending, but nobody's dying. Money's on the line, absolutely. It's important and urgent. But that context — nobody is dying — I think the military provides that to a lot of people. It doesn't take for everyone, but those who carry it out tend to be better leaders for it.
And speaking of things not being shameful — I think there's a real shift happening in how the security community views getting compromised. It used to feel like a badge of dishonor. Now it's feeling more like: it's going to happen, and what matters is how you respond. The more seasoned the CISO, the more hardened the environment — but no one prevents 100% of incidents. Are you seeing that same shift among your peers?
Jess: Yes, and I agree with you. There's simply too much knowledge, too much change happening too fast for any one person to absorb it all — no matter how brilliant you are. The wiser CISOs are investing deeply in their teams and trusting those teams, because ten or twenty or thirty people are bringing ten or twenty or thirty minds to the problem. That's your real return on investment.
There's also the question of reasonableness. Has the company done everything reasonable given their budget, their risk appetite, their risk acceptance? Because nation states have billions of dollars and entire staffs whose sole purpose is to compromise your business. Organized crime rings are nearly as well-resourced. Expecting any organization to prevent all of that is not reasonable. You should be detecting and negating the majority of common attacks. But some of the newer AI-generated threats — like what we saw with the Chinese government's attempts to manipulate AI systems — are brand new. Expecting a CISO to have a defense ready for something that didn't exist six months ago is unreasonable. That conversation may look very different in two or three years when the right tools exist. But the landscape changes fast. The way we defended enterprises two years ago, five years ago, ten years ago is not the way we defend them today. And with post-quantum computing coming, it's going to be like throwing gasoline on a fire. If we think we're not running fast enough now — well.
Matthew: I don't want to call it scary — I think it's exciting. I may be a little weird, but I embrace change. I think it comes down to believing you can manage through it and come out successfully on the other side. If you're still clinging to Windows XP or writing dead languages, you're not going to make it. Change is coming. Embrace it. And the three-year plan, the five-year plan — those are gone. Nine months is the new planning horizon. And even that may soon be six months.
Jess: You're right. And that's why you have to do proofs of concept before purchasing anything. Run a month-long POC, make sure it actually works, and then make sure your procurement cycle and your implementation cycle are fast. Because if those drag on, you've already lost the value of whatever you're bringing in.
Matthew: Completely agree. And speaking of evaluating new tools — with the pace AI is moving, what does reasonable security even look like now? How do you approach implementing AI in a security program?
Jess: First piece of advice: don't rush out for AI tools if you aren't doing the basics well. If there are gaps in your fundamentals, nothing you do with AI is going to matter. If staff aren't trained on good security hygiene, all the tooling in the world doesn't help if they react the wrong way in a crisis. That truth holds in the age of AI just as it did before, and it will hold in the post-quantum era. Get the basics right first.
When it comes to actually leveraging AI, you have to be thoughtful about tooling selection. Is it enhancing what you already have? Is it giving you faster detection or faster response time? Does it fit your organization's risk profile? Don't implement something just because everyone else seems to be doing it. Smart, successful businesses take the time to analyze the problem, understand how it fits their business model, and then act. You don't have a year or two to make those decisions anymore — but you can take a month, maybe a little more, to have those conversations and determine whether something genuinely makes sense. And the organization has to be willing and able to pivot quickly. I used to be able to give clients a three-year plan. Then it became 18 months. Now if someone asks for a one-to-three year plan, I can give them one — but nothing past nine months is going to be accurate. The technology and the threat environment are changing too fast. The one thing you absolutely cannot afford is inflexibility. Our world is changing constantly, it will continue to change, and it will change faster and faster until human beings simply hit a ceiling and say: slow down, we're losing the point of being here. Build in the measured approach. And if you're not doing the basics, don't even start thinking about adding AI tools to your environment.
Matthew: Well said. And beyond the security side, there's the user side too — people want to leverage AI to do their jobs better and faster. Which then opens up data governance questions, policies and procedures to make sure people aren't feeding company secrets into a free LLM. All real challenges. But you can't be inflexible, and you're right — nine months is the new planning window. Proof of concept first, fast procurement, fast implementation. If the cycle drags, you've lost the value before you even get started.
Jess, this has been an absolute blast. Before we go, can you tell everyone where they can find out more about you?
Jess: Sure. I'm active on LinkedIn — that's the best starting point. Outside of LinkedIn, I have Vigilant Violet LLC, where I do consulting and coaching, and we're just starting to offer recruiting and placement services. What makes it different: candidates have been vetted or coached by me personally, and we want a long-term partnership. We'll continue to coach the staff you place and help them build a career path forward. When you need more people, come back to us.
And I have a podcast — Voices of the Vigilant, available on all streaming platforms. I don't know when I find time to do it, but I do it. Like you, I love meeting people, hearing different perspectives, and learning from them. It makes me a better person and a better CISO.
Matthew: We had such a great time that we barely scratched the surface on several topics — we'll have to do another episode. Jess, thank you so much for coming on. Until next time!
Jess: Thank you.