2 days ago

Transcend's Aimee Cardwell on Turning Security into a Growth Driver

Most security leaders position themselves as guardians against risk, but Aimee Cardwell, CISO in Residence at Transcend and Board Member at WEX, built her reputation on a different approach: balancing risk to accelerate business growth. Her unconventional path from Fortune 5 CIO to CISO of a 1,200-person security team at UnitedHealth Group showcases how technical leaders can become true business partners rather than obstacles.

Aimee tells David how, while managing two company acquisitions every month, she developed a shifted-left security integration process that accelerated deal timelines while improving security outcomes. Her framework for risk appetite conversations moves executives beyond fear, uncertainty and doubt into productive discussions about cyber resilience, changing how organizations think about security investment and business enablement.

 

Topics discussed:

  • How healthcare data regulations create complex compliance frameworks where companies must selectively forget customer information based on overlapping regulatory requirements.
  • The transferable advantages CIOs bring to CISO roles, particularly in software development lifecycle security and communicating complex technical concepts to non-technical stakeholders.
  • Shifting security strategy from risk prevention to intelligent risk balancing, enabling business growth while maintaining appropriate protection levels.
  • Managing large-scale acquisition security integration through pre-closing requirements that accelerate post-acquisition security improvements.
  • Establishing organizational risk appetite through worst-case scenario planning that moves leadership past emotional responses into rational decision-making frameworks.
  • Developing cyber resilience strategies that assume incident occurrence and focus on recovery speed and impact minimization rather than just prevention.
  • Scaling security controls based on business growth milestones, avoiding upfront overinvestment while ensuring appropriate protection as companies expand.
  • Building consensus-driven risk acceptance frameworks while managing competing perspectives from multiple C-level executives and board members.

Key Takeaways: 

  • Implement pre-closing security requirements for acquisitions, shifting security integration 45 days before deal completion to accelerate post-acquisition timelines.
  • Frame risk conversations around worst-case scenario analysis, using real examples and stock performance data to move executives past emotional responses and build resiliency.
  • Develop tiered security controls that scale with business growth, implementing basic protections early and adding complexity as revenue and user bases expand.
  • Position regulatory compliance as a competitive advantage and trust-building mechanism rather than a business constraint.
  • Create "how do we get to yes" frameworks that start with business objectives and work backward to appropriate risk mitigation strategies.
  • Use customer trust metrics and retention data to demonstrate security's direct contribution to business growth and competitive positioning.
  • Leverage software development lifecycle experience to integrate security into engineering processes rather than treating it as an external validation step.
