Security is most effective when it fades into the background: when teams can move quickly, customers are protected, and nothing “interesting” happens. CISO Diaries was created to explore how that kind of security leadership actually works in practice. Through candid conversations with CISOs around the world, the series looks beyond tools and incidents to understand how security leaders think, prioritize, and operate day to day. From routines and mental load to hard-earned lessons and long-term bets, CISO Diaries captures the reality of modern security leadership, where success is measured not by visibility but by resilience, trust, and momentum.
About the Interviewee: Raz Karmi
Raz Karmi is a cybersecurity and IT leader with more than 20 years of experience securing global information systems across complex, distributed environments. Currently serving as CISO at Eleos Health, Raz leads the company’s security strategy with a focus on protecting sensitive data while enabling rapid innovation. His background spans enterprise architecture, hybrid and multi-cloud environments, SaaS platforms, and large-scale security program development, with deep expertise in risk identification, assessment, and remediation. Known for his pragmatic, business-first approach, Raz believes the role of security is not to slow teams down, but to build guardrails that allow organizations to move fast, safely, confidently, and without surprises.
How do you usually explain what you do to someone outside of cybersecurity?
At a high level, think of me as part bodyguard, part risk manager, part firefighter. I try to prevent problems, catch them early, and make sure one mistake doesn’t take the whole company down. If nothing bad happens, I’m doing my job perfectly, and no one notices. More specifically, I decide what the biggest risks are to the business, protect our customers’ data, put guardrails in place so sensitive data doesn’t leak by accident, and make sure security doesn’t slow the business down.
Basically, I help the company move fast without getting involved in a cybersecurity incident.
What does a “routine” workday look like for you, if such a thing exists?
On a good day, I’m reviewing risks, tweaking security guardrails, and making sure customers’ data stays where it belongs while the business keeps moving fast. I spend a lot of time translating between engineers, product, legal, and reality.
In the background, I’m watching for anything weird and planning for disasters I hope never happen. If the company ships fast, stays safe, and no one calls me at 2 a.m., it was a very successful day.
What part of your role takes the most mental energy right now?
Keeping up with the pace of a risk landscape that changes constantly. New attacks, new regulations, new vendors, new and more demanding customers, and now AI throwing curveballs every week. Most of my energy goes into figuring out which risks are real right now and relevant to the business, which ones are overhyped, and how to put guardrails around AI so it’s useful without accidentally leaking sensitive data or making bad decisions at scale.
It’s like playing whack-a-mole where the moles keep learning new tricks. The job isn’t stopping every bad thing; it’s making sure the important bad things don’t happen while the business keeps moving.
What’s one security habit or routine you personally never skip?
I never skip staying curious and talking to people. I make a point of regularly chatting with colleagues to hear what they’re worried about or seeing that I might have missed, because blind spots are where problems hide. I also read a lot of security and tech blogs because the world changes fast, and I don’t like being surprised.
What does your own personal security setup look like?
Top-of-the-range EDR, password manager, VPN, Zero Trust access, device manager, ongoing monitoring, and more.
What book, podcast, or resource has influenced how you think about leadership or security?
I listen to various podcasts on a permanent basis, such as:
- Moonshots with Peter Diamandis – Tracking the future of technology and how it impacts humanity.
- The Diary of a CEO – Interviews with the world’s most successful entrepreneurs.
- Zero Signal – A high-energy podcast for cybersecurity leaders.
- Invest Like The Best – Conversations with the best investors and business leaders in the world.
- And many others.
What’s a lesson you learned the hard way in your career?
Early in my career, I thought my job was to stop people from doing risky things. What I learned the hard way is that if you slow people down or make their lives harder, they won’t stop; they’ll just work around you, and that’s when real problems happen.
The lesson was realizing my job isn’t to say ‘no’; it’s to make the safe choice the easy choice. If security fits naturally into how people already work, everyone wins, and you don’t end up cleaning up messes at a later stage.
What keeps you up at night right now, from a security perspective?
It’s the normal chaos: one ‘oops’ with sensitive data, one vendor incident, or one ransomware hit that turns into downtime. And now AI adds a whole new way for people to accidentally do the wrong thing at scale.
How do you measure whether your security program is actually working?
If security is working, most people don’t notice it, and nothing exciting happens. More concretely, I look for a few simple signals such as:
- Fewer surprises – Issues get caught early, not discovered because a customer or journalist calls.
- Small problems stay small – Things still go wrong, but they don’t turn into outages, breaches, or all-hands emergencies.
- The business keeps moving – Teams ship, sell, and support customers without security becoming a bottleneck.
- People come to me early – If engineers, product, or ops loop me in before launching something risky, that’s a huge sign the program is trusted and embedded.
What advice would you give to someone stepping into their first CISO role today?
Start by listening, not locking things down. Spend your first weeks understanding how the business actually works, where the real risks are, and what keeps other leaders up at night. If you try to “secure everything” on day one, you’ll lose trust fast. Your job isn’t to eliminate risk; it’s to help the business take the right risks without ending up on the front page.
What do you think will matter less in security five to ten years from now?
Predicting the future is a fool’s errand, but if we follow the current trajectory of autonomous systems, identity decentralization, and the collapse of the traditional network, here is a partial list of what I believe will matter significantly less in five to ten years.
- Firewalls, VPNs, and network segmentation based on physical or virtual “zones”
- Length of passwords, rotation policies, and SMS-based 2FA
- Headcount in the Security Operations Center dedicated to monitoring
- Trying to “block” unapproved software or websites
- Annual audits, manual evidence collection, and “check-the-box” compliance
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Security teams will spend far less time reacting and far more time shaping systems and decisions upstream. Security teams will:
- Spend much more time designing constraints into systems before they exist.
- Become part AI risk governance, part safety engineering, part ethics-by-design.
- Spend time continuously modeling risk as systems, vendors, and models evolve.
- Spend significant time on preventing runaway automation, privilege creep, and unintended delegation.
