Cybersecurity is no longer just a technical function; it’s a continuous exercise in judgment, prioritization, and business alignment. In CISO Diaries, we go beyond surface-level discussions to understand how today’s security leaders actually operate: how they navigate constant context switching, manage overwhelming volumes of risk signals, and make decisions that directly impact business resilience.
This series explores the habits, pressures, and philosophies that define modern CISOs. From translating technical vulnerabilities into business terms to maintaining credibility at the executive level, the role has evolved into one that demands not only technical depth, but clarity, influence, and discipline. Through these conversations, CISO Diaries highlights what it really takes to lead security in an environment where the stakes and the noise have never been higher.
About Aman Sood
Aman Sood is a forward-thinking cybersecurity leader with extensive experience driving strategic change across complex, high-scale, and highly regulated environments. Known for his ability to bridge the gap between technical risk and business decision-making, Aman focuses on helping organizations understand their true exposure and align security priorities with commercial outcomes.
His leadership style emphasizes clarity over complexity, credibility over fear, and prioritization over volume, ensuring that security programs remain focused on what truly matters. With a strong perspective on the evolving role of AI, automation, and governance, Aman brings a pragmatic, business-first approach to modern cybersecurity leadership, helping organizations build resilience while sustaining growth.
How do you usually explain what you do to someone outside of cybersecurity?
Cybersecurity has this very mystical perception for those outside the industry. I simply explain that I help businesses manage risk, and I do that by understanding where we are exposed, translating that risk into business terms, and ensuring my leadership can make informed, balanced decisions. It’s a lot easier said than done!
What does a “routine” workday look like for you, if such a thing exists?
As a security leader, there is rarely a routine where two days look the same. If I’m not context-switching between technical depth and board-level framing, something is probably wrong. The role is not for the faint of heart, but for me, that intensity is part of the appeal.
What part of your role takes the most mental energy right now?
Prioritisation. The volume of vulnerabilities, tools, the tsunami of regulatory requirements, and “urgent” issues can become very overwhelming. The real skill is distinguishing noise from existential risk and aligning finite resources to what truly matters.
What’s one security habit or routine you personally never skip? (Work or personal.)
I never bypass MFA, even when it’s a bit inconvenient. Culture starts with behaviour. If leaders look for shortcuts, everyone else will too. I also lead a very active lifestyle and enjoy maintaining my personal health and fitness.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
It’s built on the fundamentals. At a high level: I use a password manager, enable MFA wherever possible, encrypt my devices, keep backups, and manage software patches. I tend to treat my personal digital life with the same discipline I’d expect in an enterprise environment, just scaled down.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
I thoroughly enjoy the work of Tony Robbins and Simon Sinek; they are exemplary leaders. Within the security industry, I’ll give a big shout-out to Gary Hayslip for his continued contributions to the space. I also enjoy listening to the CISO Series podcast hosted by the ever-engaging David Spark; it’s very cool, community-driven, and always good fun!
What’s a lesson you learned the hard way in your career?
Being “technically” right is not enough, and sometimes it can even be counterproductive. If you cannot communicate cyber risk in commercial terms and demonstrate business acumen, you’ll lose the room pretty quickly. Security is a credibility game, and credibility comes from alignment, not fear.
What keeps you up at night right now, from a security perspective?
Complacency. So many organisations have all the tools, dashboards, and metrics, but often lack clarity on their true risk exposure and their actual ability to manage real incidents. The illusion of control is more dangerous than visible risk.
How do you measure whether your security program is actually working?
The empirical measures include both risk reduction and response capability: a measurable decline in exploitable exposure, and the time it takes to address an incident. Anecdotally, the more secure your organisation is, the more viable it is, and the more viable it is, the more profitable it will be.
What advice would you give to someone stepping into their first CISO role today?
Build relationships before you build controls. The CISO is effectively the CEO of the Security programme, which means you must have a deep understanding of the business. Sit with Finance, sit with Product, sit with Operations. Spend time building these relationships and developing an understanding of what these teams do. If you do not understand how your company makes money, you simply cannot protect it properly.
What do you think will matter less in security five to ten years from now?
Manual control execution and spreadsheet-based reporting. Automation and Gen AI-assisted workflows will dramatically reduce the human overhead of basic hygiene.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Validating autonomous systems and AI-driven decision-making. As organisations continue to embed Gen AI into operations, security teams will need to focus more on model integrity, data lineage, and governance, not just traditional infrastructure protection. The real inflection point will be moving from securing Gen AI to also using the technology as a competitive security capability in its own right.
