A conversation with Larry Trittschuh, chief security officer of HealthEquity. One of a series of security leadership profiles prepared by Cybersecurity Collaborative in conjunction with SC Media. Cybersecurity Collaborative is a membership community for cybersecurity leaders to work together in a trusted environment. Find out more here.
About Larry Trittschuh: Trittschuh leads HealthEquity's information, security, privacy, fraud prevention, incident response, physical security teams, compliance, as well as the enterprise risk department. He has served in security roles at Barclays Americas, Synchrony Financial and General Electric. Trittschuh has been an active participant in shaping cybersecurity partnership strategies in industry and government. He was a founding board member of the Defense Security Information Exchange, and was a member of the Internet Security Alliance board of directors. Trittschuh was a pilot in the U.S. Air Force and earned a bachelor's degree in political science from the U.S. Air Force Academy.
What makes a successful security leader?
I think the challenge for leaders in security right now (both CSO and CISO) is that no two organizations look alike. As a result, companies and organizations are on a path towards maturity and there are frequent examples of recruiters looking to replace the existing leader with someone who is ready for C-suite and board-level interactions. So the first thing I think is important is executive presence — the ability to communicate clearly and concisely in business terms upwards and outwards from the security function. With this comes the second need: the ability to look at security in terms of business risk. There is no secure/not secure framework — it’s about managing risk throughout the organization, prioritized with other business needs and opportunities. Lastly, leading a security team is about talent. As leaders, recruiting, retaining, and developing the right talent is key to an individual’s and team’s success.
What internal and external priorities should today’s security leaders focus on?
Internally, I think it’s important to understand the organization’s security culture and risk appetite. Is it a tech-forward role, a compliance-oriented function, or some other approach that will lead to success within the company? In security, we focus too much on FUD — fear, uncertainty, and doubt — to sell our program and investments; primarily because it is very hard to make a sound business case and tradeoff assessment relative to other business needs. I have found that documenting the organization’s risk appetite for security, and then using one of the many security frameworks in the context of threats to the organization is a very helpful strategy in aligning the C-suite and communicating to the board. Using one of the widely accepted frameworks such as NIST or ISO also helps when describing your capabilities externally to customers or clients during the never-ending security audits we experience. Cross-functional support is also critical to the success of the team — aligning on common goals and objectives for the year with peers is extremely helpful in accomplishing the many priorities you will have to mature a security program. To accomplish this, taking the time to explain technology security initiatives as a feature that is value-added for clients and customers, not a security requirement that is “extra work” for the technology team is also helpful to a security team’s success. And people — they are the key to having a strong security capability.
Externally, strong relationships with peers is a priority. The best way to keep up with the rapidly changing landscape and ensure you’re focused on the right priorities is to network and benchmark with other security leaders and teams you respect. That partnership is beneficial when it comes to the audits you will have with each other and also for the inevitable security incidents you will experience throughout your career. If you can establish trust with a strong set of peers, that trust bleeds over into the vendor and client relationships. I have participated in many industry and government-sponsored partnerships such as ISACs, InfraGard, and the Cybersecurity Collaborative throughout my career, and I often lean on my relationships to be a more successful leader.
How can cyber leaders work with corporate peers to win buy-in from C-suites and boards of directors?
The questions I hear most often from my boss, my peers, and the board are, “What are other companies doing?” and, “How do we compare to our peers?” Different industry sectors and sizes/types of companies have different threats facing them and different expectations for their security programs. Understanding and aligning to those standards has helped me communicate a growth strategy that aligns with the needs of the business as well as the expectations of clients, customers, and regulators. I’ve also found that every CISO’s/CSO’s approach with the board and C-suite is different. Sharing our metrics, board briefings, frameworks and strategies with each other is extremely helpful. Seeing how others are approaching the same problems prevents us from recreating something that has already been developed or trying something that has proven ineffective elsewhere.
What kinds of non-technology training do security leaders need to be successful in large and/or global enterprises?
IANS has developed an executive competency framework that I find quite useful. It shows the growth from a technical-focused security leader with functional competencies to the agile security executive with developed leadership competencies such as communication, culture & collaboration, executive presence, and leadership agility. I have found that those four areas are the key competencies needed to be successful in C-suite leadership roles where there is frequent CEO and board interaction. It also tends to be the areas we each need to work on daily — so training in communications (non-technical), leadership style, etc., really helps. Large, global companies are also more challenging because influence and relationships become even more important — our success is dependent on so many people and functions, that without developed skills in these areas, you can’t be successful.
Why did you join Cybersecurity Collaborative?
Most of my experience to date has been in the Midwest and East Coast. When I took my current role, I realized my network out West was not nearly as strong. It’s a different approach to security out West and on the West Coast — and as I said earlier, relationships with peers are critically important. I found that I wasn’t as successful in my benchmarking and understanding of the local security community without these relationships. That’s when I discovered the collaborative. It has helped me grow my network significantly beyond what I had previously.
What is most valuable about your membership with the Cybersecurity Collaborative?
Relationships. Meeting others in similar situations and hearing about their experiences, their companies, and their approach to security. We are all trying to solve similar problems and having that broader understanding can be a true force multiplier for the team.