The CPO and CISO: A critical partnership with Aimee Cardwell

November 24, 2025 · 3 min read

I recently spoke with Aimee Cardwell, Transcend’s first-ever CISO-in-Residence and former CISO at UnitedHealth Group, about the increasingly vital relationship between privacy and security leaders. You can watch the full Field Trips episode below, but here are my top takeaways.

There is an old adage in our industry: you can have security without privacy, but you can’t have privacy without security.

In the latest episode of Field Trips, I sat down with Aimee Cardwell to dive deep into the dynamic between our two roles. We explored where there is natural tension, but more importantly, where we unlock real value by working together.

“Always going in with the idea that you're on the same team is the first place to start,” Cardwell told me.

It’s that foundational trust that allows CPOs and CISOs to move beyond mere compliance and towards a robust, shared defense of company data.

On the power of partnership

Cardwell and I discussed the reality of our respective resources. Often, security organizations have larger budgets and more experience buying technology than their privacy counterparts. Cardwell views partnership not just as a nice-to-have, but as a strategic advantage for both sides.

“If we don't partner, we might be competing, trying to do the same thing with two different tools,” she explained. “If we do partner, we can probably both get what we want for less money for both of us.”

A shared view on risk

While we may approach problems from different angles (legal defensibility versus threat reduction), our end goals often align perfectly, especially regarding data minimization.

“I really think of data as a big target and the less of it we have the better,” Cardwell said. “I really want to clear out as much data as possible, both because it creates a smaller target for threat actors, but also because it creates a smaller target for litigation.”

Escaping the "Department of No"

Both privacy and security leaders often struggle with the reputation of being blockers. Cardwell shared how she actively reframes this, specifically when dealing with high-stakes situations like mergers and acquisitions. Instead of just highlighting risks to kill a deal, she pivots to enablement.

“I don't want the business to stop asking. I want them to start asking,” she said. “It's up to the business to make the decision as to whether or not they wanna buy the company. And all I can do is make sure that we're bringing them in as securely as possible.”

Ron De Jesus and Aimee Cardwell during the filming of Field Trips

The future of AI governance

With AI governance inevitably landing on the desks of CPOs and CISOs, I asked Cardwell if our roles might eventually converge. Her take? The scope is already too big for one person.

“We've both got rich enough and full enough jobs. It'd be a tough role for one person,” she said.

In fact, for large enterprises, Cardwell believes AI requires its own dedicated leadership. “I would hire a single leader who was responsible for AI... just like we have a Chief Data Officer, for me, a Chief AI Officer is not an unusual role.”

Final thoughts

Our conversation reinforced what I’ve long believed: CPOs and CISOs are, as we joked during the episode, “two peas in a pod.” We may have distinct responsibilities (she can keep the threat hunting, I’ll take the regulatory discussions), but we are most effective when we stand shoulder to shoulder.

“The faster we can work together... the better off the company is going to be,” Cardwell summarized. “And frankly, the better we're both gonna look in the organization.”

You can also watch the interview directly on YouTube

