Today I’m thrilled to announce that Larry Trittschuh has joined us in an advisory role for Dazz, bringing 14+ years of board experience and 30+ years of leadership experience in mid- and large-cap companies in Financial Services, Technology, Healthcare, and Defense sectors.
Most recently, Larry was Executive Vice President, Chief Security Officer at HealthEquity, where he was responsible for overseeing the safety and security of all team members, technology, data, and physical assets; driving digital transformation initiatives such as the adoption of a cloud-first strategy and DevSecOps for the information technology and security teams; and leading major acquisitions.
His roster of experience is impressive! Larry served as CSO at Barclays, where he led a team of 500+ security and technology professionals and represented security and resilience capabilities to 40+ global regulatory agencies on a recurring basis. He was Senior Vice President of Threat & Vulnerability Management at Synchrony Financial where he met with key Congressional and White House leaders to influence the direction of cybersecurity across U.S. and international entities. And he spent eight years at GE in security operations leadership roles, including Executive Director of Global Information Security Operations, where he established joint processes in partnership with the U.S. Department of Homeland Security (DHS) and Department of Defense. He also served as Assistant Director of Operations / Chief Pilot in the U.S. Air Force.
I had the privilege to catch up with Larry this week and get his insights on cybersecurity and leadership, top trends to watch in 2024, and what excites him most about working with Dazz.
Julie: We couldn’t be happier to have you on the Dazz advisory board, Larry! I’d love to begin our conversation learning more about you and your path to leading cybersecurity at industry giants in aviation, financial services, and healthcare.
Larry: My career journey is both typical and atypical. On the typical side, there are a lot of us in security who have military backgrounds—I have a military background as a pilot in the Air Force. After the Air Force, I began my civilian career in consulting and then moved into security when I joined General Electric and started doing cyber intelligence and advanced persistent threat work.
I was at GE for eight years, where I had the opportunity to lead Cyber Intelligence, Security Programs, Cyber Relations, Business Engagement, and Security Awareness. From there, I moved to Synchrony Financial to lead the Threat & Vulnerability Management team during our IPO and separation from GE. Following Synchrony Financial, I went to Barclays to be the Chief Security Officer of the Americas and interim Chief Information Security Officer of Barclays International. And my latest role was at HealthEquity, where I was the Executive Vice President, Chief Security Officer for the past four and a half years.
From a specialty perspective, I guess you could say I grew up in the security operations side, then expanded to threat and vulnerability management, and then into the broader security roles that encompassed everything from information technology, information security, privacy, fraud prevention, facilities, and physical security.
Julie: And how about a fun fact about you that we wouldn’t know from reading your LinkedIn profile?
Larry: Well, I’ve been employed since I was ten years old. People talk about work / life balance (laughs). I’ve never had it. I’ve been taking time off since HealthEquity. To be honest, it has been a great time to step back and spend time with family and friends. I have five kids and a wonderful wife. I’ve been working on the life side of the equation during my time off. Now I’m stepping back into the work side. Other fun facts are that I was a pilot for ten years and I love cars.
Julie: How did you get connected with Dazz and what excites you most about the company?
Larry: You've got a great teammate at Dazz, with whom I worked previously, and he connected me with your CEO, Merav. I was immediately impressed with the vision, the team, and the problem set that you're addressing as a company. If you think about the biggest risk to a security leader, it's a breach—and the breach always starts with a vulnerability. As the security leader, you need to understand your vulnerabilities as quickly as possible, categorize and prioritize their risk to the business, and then remediate based on risk. That’s the problem Dazz is solving. The more automation that you can apply to threat and vulnerability management, the more you know, the more that technology can assist you in remediation, the faster and better you will be at avoiding breaches.
Julie: Oftentimes we hear from security leaders that there's friction between security and engineering teams when it comes to remediation. Are there any lessons learned or tips that you have to share on fostering better collaboration between security and development teams?
Larry: Yes, first, it’s important to know that everyone is trying to do their job and do it well. We’re all on deadlines. The dev team has a deadline. Security requirements are always going to be competing with other functional requirements. Getting the C-suite aligned on overall risk appetite, posture, and pace is really important. Alignment of expectations is key. Then, you need to work 1:1 with your dev teams. They don’t just want a list of vulnerabilities. They want to understand the priorities—what they need to fix—not just the number of vulnerabilities. That’s where Dazz shines. Dazz helps teams organize and fix issues based on risk.
Julie: What about tips for aligning with business stakeholders?
Larry: You'll never hear me refer to “the business” without security being part of the conversation. Security is just as much a part of the business as the sales team, as the engineering team, as marketing. We're all in it together. When you talk about getting alignment, if the security professionals are thinking about business priorities like, “who are the customers?” “What do they want?” it’s much easier to be on the same page. Working together, you have an opportunity to make security a differentiator. If you work in a bank, what do your customers want? They want their money secure. In healthcare? They want their personal and health data secure. All customers are looking for security, built into whatever it is they're buying, whether in B2B or B2C. Shareholders, too. They want to know their investments are secure and the companies they are investing in are taking security seriously.
Julie: You've led technology and security strategies across multiple industries as we mentioned before — from aviation to financial services to healthcare. Are there different security needs and pain points or do you see common ground?
Larry: Risk appetites differ across industries. If you're working in something sensitive, like aviation or defense or financial services, something that's highly regulated, the risk appetite of the company and your strategy will be a bit different. But ultimately, it's all the same foundation. It's protecting. It's your ability to respond quickly and set expectations around business risk. The overarching cybersecurity strategy is the same, but how it’s executed and the priorities may be different.
Julie: What is your take on the new SEC disclosure rule? What do security leaders need to do next?
Larry: We have to keep doing our job. The intent of the rule is great. I’m supportive. We can always argue what the timeline should be for notification and what constitutes materiality. The concept of driving the C-suite and board to prioritize security is the right objective. I think the push to discuss the vulnerabilities more specifically is misdirected. We don’t want to publicize a roadmap on how to exploit individual companies based on their specific risks.
Also, while the SEC is trying to drive the right behavior, the actions seem heavy-handed toward the CISO community. The entire leadership team should be accountable together — CIO, CTO, CEO, CFO, General Counsel, and CISO. If it’s just the CISO’s name on the line, it’s misguided.
Lastly, a big piece of this for the security community is professional development. The role has continued to elevate and we have to grow as the role grows. We need to stay current on technology, regulations, influencing skills, and the business perspective. Being able to think about and talk about security in terms of business risk is crucial to being successful.
Julie: What are some of the important trends you expect to see in 2024?
Larry: Budgets will be slightly up or flat and that will be challenging. The macro-economic climate will continue to keep budgets tight. ChatGPT and other generative AI capabilities are here to stay. We’ll continue to see more cloud and hybrid cloud strategies, as well as hybrid workforces. In general, we’ll see more of what we saw at the end of last year with acceleration on the AI front.
Julie: You are early in your advisory role with us, but what do you expect Dazz and the concept of unified remediation to look like a year from now?
Larry: Because of budget challenges and the macro-economic climate, we need to be better—more efficient as an industry. We need to be able to succinctly describe risk posture. Anything that we can automate is beneficial to security teams. Ideally, we will move towards the concept of a self-healing network, self-healing endpoints, and code. Dazz and the whole area of unified remediation is going to continue to gain traction.
Julie: We’ve had a lot of conversations with enterprise teams lately about building versus buying. What are your thoughts?
Larry: If no one is doing what you need, then yes, building in-house can be successful. But, if there is already a company delivering it, making it better, then I believe you should always buy. Why? Because that company is solely focused on the technology, executing it, keeping it current, evolving it. Conversely, when you build in-house and there is a competing external solution, lifecycle support of the in-house solution will suffer. People will get tired of or bored with the custom product. Turnover complicates lifecycle management. Once it gets into maintenance mode and the last half of the lifecycle, companies just don’t support custom the way a commercial product is supported. If you can buy, you should always buy. That’s my experience.
Julie: Any last thoughts you’d like to share?
Larry: One thought and piece of advice. I've always been at large companies where working with startups and new technology can be challenging. Until my break, I wasn’t very connected with the venture world and the startup world. There is so much to learn, so many talented people, so many innovative technology solutions out there. I encourage more people in security to work that part of the network. There is a lot of new thinking that you can bring back into your day job and propel your career.