From Air Force pilot to CISO: How this security leader landed the top job
Get expert advice from a top CISO on what cybersecurity hiring managers look for in candidates—from key skills to signs of leadership potential.
Aug 30, 2024 • 11 Minute Read
Larry Trittschuh is a seasoned CISO, CSO, and executive leader with over 25 years of experience spanning technology, operations, and services. He began his cybersecurity career in 2006 and, as Managing Director and Chief Security Officer for Barclays Americas, led a 500-member team overseeing cybersecurity, physical security, and resilience. A USAF veteran and Boardroom Certified Qualified Technology Expert, he has built and realigned security programs in pre- and post-breach scenarios, including state-sponsored attacks and ransomware.
When I mentor my direct reports, and they mention wanting to become a Chief Information Security Officer (CISO), one of the first things I ask is why they really want it. The reason is simple: many of us are taught to believe success is a ladder, and CISO is the final rung we need to achieve to be happy.
The truth is, success isn’t a ladder—think of it as a menu. You’ve got to pick the item that appeals to you and personalize your success. For you, success might mean a high wage, a great title, loving the company or person you work for, spending lots of time with your family, or enjoying a low-stress job. After all, it would be absurd to suggest one meal suits everyone’s tastes.
Consider this article a taster, offering insights into my path to becoming a CISO and helping you determine if this role pairs with your own idea of success.
How I got into cybersecurity
For me, getting into cybersecurity was completely accidental, and this is true of a lot of people in the profession. I actually wanted to be a pilot from a very early age, and so I went to the Air Force Academy and was a pilot for a decade. I certainly didn’t grow up writing code or working in a hands-on technical role.
In 2003, I was interested in making the shift from the military to civilian sector, and because it was right after 9/11 it wasn’t a great time to work for the commercial airlines. So, I reached out to my network for opportunities, found work as a consultant, and later worked for GE’s Military Systems IT Team. While I’d studied engineering in my education and had a technical role as a pilot, it was more of an adjacency to technology than anything else.
At the time, the Air Force sent a note to our CIO and said “Send a representative to a meeting. There’s a thing called Advanced Persistent Threats (APT), and you should care about it.” GE basically looked at me and said “Hey, new guy, you were in the Air Force and don’t have much work to do. Go to that meeting!”
At the time, nobody was prepared for this new kind of threat, and I found it really interesting. Starting out in the military, you’re very mission-driven, and you have a desire to protect people. In the military that’s people physically, but in cybersecurity it’s things like people’s technology and data security. For me, cybersecurity was a natural fit, and it became my passion and career.
Making the shift from individual contributor to cybersecurity leadership
Leadership was nothing new to me, having been an officer in the military. When I went into the consulting world, I actually took a step back in that regard, moving from being in charge of a program to being an individual contributor, then having to move back up into leadership again.
I often talk about the book and business fable “Who Moved My Cheese?” because it’s honestly the best advice I can give for someone trying to move from an IC role to leadership. You want to be the person who is executing and delivering, whose “say and do” ratio is really high—both of these things get you promoted.
For me, my first cybersecurity leadership role came about because I was working on trying to build out a cybersecurity program and build up support for that. When we were drawing up this organization on a whiteboard, I raised my hand and said, “I’ll take that organization if you want me to.”
When you become a manager, your success is suddenly through others executing instead of doing it yourself. You’ve got to align and motivate others, and hold them accountable—it’s a completely different ball game. If you’re an individual contributor or someone who’s striving to be a leader, you want to develop those skills ahead of time because someone is going to be hiring for those.
A lot of people in IT use contractors, managed service providers, or consultants. Getting experience in that type of leadership is beneficial to getting that first-time managerial or leadership role. Demonstrate your ability to influence others across an organization or outside of it, because it’s certainly much harder to lead someone who’s not a direct report than someone who is.
Achieving success as a manager
Having been in the Air Force and then in General Electric, it felt like everyone was stamped with a particular brand of leadership. However, I think you need to be ready to adjust your leadership style for different followers. To be a successful manager, you need to understand the follower aspect of leadership—having empathy and adjusting accordingly—rather than just focusing on the leading component.
If I could go back in time and develop one skill at the start of my career as a leader, it would be empathy. Some of us are more empathetic than others, and my first reaction is never one of empathy. It’s very easy to fall into a pattern where you’re like “Hey IT, just patch this thing” or “Hey engineers, just develop code securely.” When you walk in their shoes and see what’s driving them, it makes a huge difference.
How I got my first role as a CISO
The first time I had the official title was at Barclays. It was an open role, and the reason I knew about it was through my network, which was an invaluable resource. I knew the global CSO for the organization who was hiring, and this helped me in preparing to apply for it.
For a lot of people, you’ve got to work that network of peers, friends, and recruiters. I strongly recommend people take a Business Information Security Officer (BISO) role at a larger company. I think learning alongside other people in a BISO role while following a big CISO is a great way to get experience.
Taking a cybersecurity number two role is also a great way to learn and step up into the CISO role. You would not believe the amount of recruiter calls that happen because there is not a suitable internal candidate. You can go on to become that internal CISO candidate just by being a really strong number two.
Why you should seize nonlinear opportunities where you can
Going back to what I said at the beginning, career advancement is not a ladder. Sometimes you get to a position and it’s about seizing opportunities laterally outside of what people think is the expected route of progression, just so you grow from the experience.
For example, at Barclays I was the Chief Security Officer of the Americas, and the CISO for Barclays International. We had a security team of 2,000 people, and I had 500 people on the team. One day, I got a phone call from a recruiter to talk to HealthEquity. I had no idea who they were, but it was a post-breach role to come in and lead their security program. At the time, HealthEquity had only 1,200 staff and there were only 13 people in the cybersecurity team.
Now, most people would have looked at the revenue, the size of the company, and the prestige of Barclays compared to that particular role, and said, “Well, why would I take that?” (And I did have those thoughts.) But I was fascinated by the opportunity to learn, and coming off post-breach, you know there’s things you can make better right away.
I look back at the growth I had in that role, reporting directly to the CEO, and it was unbelievable. I convinced the CEO to adopt a converged security program, and I built out a second line program. We grew the company from $250 million in revenue to a billion in revenue in four and a half years, and the organization increased from 1,200 to 3,500 people. That was so much growth that was not part of the original assessment.
Actually achieving success in the role of CISO
Obviously, you don’t just become a CISO and call it a day. There’s no consistent day in the life of a CISO, and due to the nature of the role, so much of it is reactive, even though we strive to be proactive. The threats are always changing, and so is the business. The role itself is incredibly fluid, too. It seems every CISO role is different: different reporting structures, small or large teams, an enterprise or OT/product focus, and some sit in the first line of defense while others sit in the second.
That said, executive leadership skills are the obvious must. In my opinion, these break down to three different components: people leadership, business leadership, and risk leadership.
1. People leadership
As mentioned earlier, being able to empathize with people is vital for success—understanding that follower aspect of leadership. Communication skills are extremely important and set you apart at a senior level. You need to be able to communicate technical information at a level people can understand, so you can bring the executive leadership team and board along with you. Active listening and self-awareness are also vital parts of this.
2. Business leadership
When I talk to companies now and look at CISO roles, the first research I do is see what’s in the news about the company. I read their 10-K, their 10-Q, their annual proxy statement, and try to understand the business and what they’re trying to achieve.
We all say “I want a seat at the table.” Well, there’s accountability and responsibility that comes with that seat. I often find myself in sessions where people ask how to get that seat, but when it comes to discussing breach response and making the decision whether to report it, whether to pay a ransom, the same people do not want that decision, and might say “Well, I’d leave that up to the general counsel.” Part of having a seat at the table is accountability and making those decisions, so I’d work on those skills.
3. Risk leadership
When it comes to risk, I think of my days as a pilot and tell people “If you don’t want to crash an airplane, you’ve got to keep it in the hangar.” You can imagine whether it’s the Air Force or a commercial airline, that’s not going to work—you wouldn’t complete the mission, or you wouldn’t make any money.
It’s the same thing in cybersecurity, since it’s not about whether you’re secure or not. It’s all about risk management and understanding the risk appetite of the company, the board, and of leadership. You’ve got to align your program to that and communicate the status and needs in terms of risk they can understand. There’s no program of 100% security.
Hiring to fill your gaps is crucial
Another bit of advice I’d give to leaders at any level—which contributes to your success and the company’s as well—is to hire to cover your blind spots. Diversity in hiring is crucial, because as a leader you tend to look at your strengths, but not so much your weaknesses. We know diversity works, and there have been studies that show non-homogeneous teams are simply smarter, because you’re being challenged by people who think differently than you to sharpen performance and consider other approaches.
Hire people who have a very different background from you—diversity in race, religion, economic background, skill set, the size of companies they’ve worked for. To use a sports metaphor, imagine an entire football team full of quarterbacks. That team would be terrible.
You need to be deliberate in hiring this way, or it doesn’t happen. If you only hire people who look like you, you’re not going to fill your blind spots, and that’s going to be a huge failure of leadership on your part.
Conclusion
If you feel that CISO aligns with your own personal definition of success, then go for it. Build up your network and skills, seek new opportunities, and put yourself out there. It’s good to go for the job that scares you.
If it doesn’t sound right, then it’s certainly not the end of your success ladder. You’ll be able to find success in many different ways, whether that’s as an individual contributor, in a manager role, as a consultant, or perhaps on another path entirely. No matter what path you choose for your cybersecurity journey, I wish you the best of luck.