CVS Health CISO: ‘A good day for me is when the phone doesn’t ring’

For CVS Health CISO Alan Rosa, a boring day is a beautiful one.

“The last thing you want as a cybersecurity leader—or technical operations leader, for that matter—is a phone call that says, ‘Something is wrong,’” Rosa told IT Brew. “A good day for me is when the phone doesn’t ring…That’s a boring day. That’s a beautiful day.”

A walk down memory lane. Though Rosa prefers a dull workday, his career in the industry has been anything but. In an RSAC interview, he told IT Brew his first gig of many in the industry wasn’t your traditional SOC analyst or help desk role.

“I was a watch guard in the Navy. So, that’s just my first time I was tasked with protecting something,” Rosa, who is also an SVP of infrastructure and operations at CVS Health, said. “And then after college, I was in Boeing [Defense, Space & Security] and so I was more of a general technologist.”

Rosa said it took a decade into his career to obtain his first official role in security. Since then, he has held leadership stints at NBCUniversal, Madison Square Garden Entertainment, and Disney. One of his most memorable roles, he said, was his time as the CISO of Twitter (now X), which coincided with its 2022 acquisition by Elon Musk, because of the “vibrant” culture within the company and the associated learning opportunities.

“I learned a lot. This is the way the law works. This is the way the FTC thinks, and this is the way this is put together,” Rosa said. “Now, you know how to deal with these challenges that are very unique.”

Health check. In 2023, Rosa made his debut at CVS Health, which he described as a “very complex company.”

“You can think about it as three Fortune 50s put together,” he said, referring to the company’s retail pharmacy and consumer wellness business; the company’s pharmacy benefit manager, Caremark; and its health insurance arm, Aetna.

Upon joining, Rosa was tasked with making sure the company maintained a “state of operational stability.”

“We had to make sure systems were working and they were up and we were serving our members, our patients, and our customers,” Rosa said. These days, his focus is on modernizing CVS Health’s cybersecurity program and thinking about what it means to “build out a comprehensive enterprise AI program.”

“It’s also ensuring that our colleagues are training on the most modern tech, and they’re up to speed,” Rosa added. Another element is modernizing the company’s applications.

Rosa believes his vast career across multiple industries has granted him the ability to approach problems with a unique perspective: “You carry that diversity of thought with you,” he said. “When I meet a new challenge, it helps me think about a problem from different aspects.”

That advantage is very apparent to some CVS staffers.

“He’s able to glean a lot and break it down into the common components, regardless of what industry [he’s] in,” Al Sassoon, VP of infrastructure operations and service delivery at CVS Health, told us. He added Rosa is able to break down problems and engage employees on projects—useful skills when working at a company with gigantic scale.

“He understands the theory tied to the objective that we’re trying to solve for,” Sassoon said. “And by doing that, I believe that scale becomes something that we need to address, but at the same time, it also becomes somewhat manageable, because a lot of it ends up being just rinsing and repeating to address the sheer size of it.”

To all the budding CISOs. Rosa advises security professionals to roll with the punches in the evolving industry in the era of AI.

“Keep up. You have to. We’re going to be running faster than ever,” Rosa said. “Change is both exciting from an innovation perspective, but it’s risky, and so we have to be prepared for anything.”