Episode #


Leading Security and Managing Risk with Humana's CISO Aman Raheja

Show Notes

In this episode, David speaks to Aman Raheja, Chief Information Security Officer & Head of IT Operations at Humana. They discuss what life and leadership are like for a CISO at a Fortune 500 healthcare company, the necessity of risk management and of having a risk appetite statement, and what lies ahead for the future of cybersecurity.

Topics discussed:

  • A day in the life of a modern CISO at a Fortune 500 healthcare company, and the biggest challenges of moving from a hands-on role to an executive leadership role, including understanding business strategy, communicating a vision, and trusting his team.

  • What a risk appetite statement is and why it's crucial that all companies have one to measure their risk and articulate their metrics, trade-offs, and compromises.

  • What most CISOs get wrong, including prioritization, focusing too much on technology and not enough on capability, and having a disconnect between where the company is going and where the security team is going.

  • What makes an effective cyber risk management program, and how to measure its effectiveness through KPIs, thresholds, and pressure testing.

  • How a CISO interacts with their board, how a board should give oversight and guidance to cybersecurity, and the benefits of board members with backgrounds in technology.

  • The future of cybersecurity, including the reevaluation of cloud and the increase of automation.

  • Why building a high-performing team involves having an engineering mindset to creatively solve problems.

Quotes from Episode

"That is really the biggest item on any thesis list right now: Have we assembled the right teams? Because even though I might have my own experiences, do we have all the right people, in the right spots, making decisions every day? That's actually one of the biggest things from my perspective for CISOs." (5:50)

"Does the business have a risk appetite statement? And that is the first enterprise-level thing that everyone should start with, making sure there's a risk appetite statement at a business level. Now, the different components — from a financial risk to credit risk to cyber risk to data risk — there are variations that people could have more nuanced risk appetite statements. But there should be something at a corporate level." (14:37)

"An engineering mindset is going to be extremely important ... thinking about solving problems differently, creatively, coming up with ideas. How can you implement automation or engineer solutions, which are not extremely manual? Those will become really, really important. Actually, they already are. The talent that's hardest to find right now in the market is security engineers and security architects." (39:27)