People 12 October 2017
Theresa Payton caught the technology bug while still in high school during a stint in computer support at the Quantico Marines Corps Exchange. After graduate school, she held executive roles in banking technology at Bank of America and Wells Fargo.
She founded the cyber-security company Fortalice Solutions, where she's the CEO, a company that provides expertise to government and private sector organizations to help them improve their information technology systems, and is now one of the 50 top influencers in security and fire.
Digital data collection and surveillance has grown increasingly invasive, and a majority of people (myself included) do not know the full extent to which data is collected, stored and used. Should we be concerned, and if not then why not?
Everyone is collecting data on you at every moment -- your phone when it talked to WiFi and cell towers is telling the phone company where you are. When you use apps, the apps know where you are even when you turn location data off -- it knows where you are because it knows the cell phone tower you're talking to. For the most part, the reason behind this is mostly positive. They're trying to understand your behaviors to offer you coupons and deals, and providing Amber Alerts and weather alerts to keep you safe. All of this collection is done for a good purpose.
However, we're still working out the social norms, like what constitutes whether our privacy is being invaded in the digital world. We also haven't spent enough time thinking about the fact that everything is hackable. My team hasn't found a database that they couldn't crack into. We must change the conversation to, “If you're going to collect the data to help me, how are you going to protect that data when you eventually get breached?"
Have privacy laws been able to keep pace with digital technology? As an example, if I'm grilling fish in my backyard can a neighbor “observe" my actions, via a camera drone, without breaking the law?
In my opinion, privacy laws have not been able to keep up with the digital age. Technology, specifically drones, have been a great tool for law enforcement in spotting potential victims and helping rescue those who need help in dangerous conditions. But with the popularity of domestic drones, this is a discussion that as a society we need to have. It's common knowledge that it's not polite to peep through people's windows -- it's illegal. But do we have any laws protecting us from our neighbors protecting us from flying a drone over our backyard? We don't -- at least not yet.
You served as the first female Chief Information Officer at the White House, overseeing IT operations for President George W. Bush and his staff. What was that like?
I thought from my previous work experience that I'd seen it all -- but when I got to the White House, I realized that wasn't the case. The pivotal moment for me that shifted how I design a security strategy started on my first day. It came down to the people who served at 1600 Pennsylvania and across the entire 3000+ person Executive Office of the President. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security.
After all, if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe. It's not that simple. Two key questions came to me the first 90 days at the White House that I had to answer or we would have had a major calamity:
- Why, in spite of talented security teams and investments on security, do breaches still happen?
- Why is it, that despite hours and hours of boring computer based training and security campaigns, we still make mistakes and click on links?
This made me realize that we must critically reexamine how we assess our security technology, procedures, and methodology to fully understand the full scope of risk we bear daily and to determine the best course of action to mitigate this risk.
Theresa Payton speaking at Microsoft CISO. Photo Courtesy of Briana McDougall
What is the future of biometric data? Are we headed toward voice-activated email access, eliminating the need for keystroke passwords?
Biometric data is becoming much bigger because of the collection methods, like cameras, voice recognition and other methods capturing your image and the measurements of your physical form. Law enforcement can use it for identification purposes, and businesses can use it in their favor, as well. For example, banks like to know their customers are who they say they are, which ultimately protects their customers better.
We need to think of biometrics on a continuum -- on one hand, you can take things like your face or your voice which are physical things that we offer. These are very public biometrics. There are also more private biometrics, like how we walk, our hand geometry or the measurement of our eyes. As we move further down the line, it becomes more disconcerting of what people are taking, as they're all biometric measurements that can be made.
As an extension of the previous question, what might happen if this (potentially) promising technology falls into the wrong hands, like cybercriminals, fascists and military dictators?
We've actually already seen this technology fall into the wrong hands. In my book, Privacy in the Age of Big Data, I give the example that cybercriminals can use gummy bears to copy people's fingerprints and machines recognize them as legitimate. Gummy bears! The reality is that this already happens and we must continue to design security systems for the human psyche and continually evolve best practices to stay ahead of cybercriminals.
How can we “adjust" or better manage our digital behaviors in order to safeguard our privacy?
Most people think free wifi is harmless, but would you use a free toothbrush that was just lying on the floor? Of course not -- because you can't guarantee the hygiene of the toothbrush. Similarly, you shouldn't use free wifi because you can't guarantee its hygiene either. Never use free wifi when conducting sensitive and confidential transactions. The alternative is to use a portable hotspot or to use your cell phone as your own WiFi connection.
Additionally, call your device manufacturer to ask them how to enable encryption and password protection. Consider implementing two-factor authentication for logins on your devices, and use it for all work and personal apps and email addresses as much as possible. If you have someone steal your credentials, unless they have your smartphone, they will not have that code to get into your accounts.
I, like many motorists, have an E-ZPass device. Can I be monitored beyond the toll area? I cannot help but to appreciate the irony: I'm always toting my smartphone everywhere I go. But I read something about the E-ZPass device being used to determine traffic patterns, primarily in heavily congested areas. Is there any truth to this?
A lot of times when using an E-ZPass, we expect them to know we went through a certain toll because they debit their accounts. But do you expect that when you get away from the toll booth? When you use an electronic toll collection system, like E-ZPass, you also open a door for possible government snooping. For instance, in New Jersey, law enforcement can and will access E-ZPass records for criminal cases, but can only do so with a court order.
But when you're not at the toll booth, transportation authorities can install readers that read the tag on your windshield anywhere and monitor your tag anytime you pass -- not just when you pay for the privilege of driving on the road.
In the San Francisco area, the Metropolitan Transportation Commission tracks and collects information from fast passes. If you know about tracking and want to opt out, they provide a bag of Mylar so you can block signals when you are not using the pass to pay a toll.
This doesn't mean you shouldn't use E-ZPass, you just need to determine where on the continuum you fall between risk and reward.
Does anti-drone clothing exist, and if it does, what is it?
Anti-drone clothing does exist. Even though a lot of the good guys use drones, the bad guys use drones, too. In trying to protect our military, just wearing desert camouflage wasn't doing it anymore, so there are anti-drone clothing, blankets and hoodies, which is also available to consumers, too. These will help blur a heat signature, as well as help blur facial recognition technology.
How safe is my digital information? Am I worse off, in some instances, if my email address is stolen versus my social security number?
We're often focused on protecting information like social security numbers, bank accounts and healthcare information, but as you mention, cybercriminals also steal email addresses, habits and demographic information just as, if not more often. I don't hear many concerns about protecting this data, but it could be more valuable than something like your social security number. Part of it is that adversaries are becoming much more sophisticated when it comes to technology, and they're starting to see more value in many of these other pieces of information about you; knowing where you're going and what you're doing.
Has digital privacy ended?
What people need to realize is that 'delete' is never really 'delete.' It's incredibly difficult to be digitally invisible, but it is possible. What I love about the privacy discussion is we are finally having one. I don't believe people really understand up until recently that every finger swipe, mouse click, ATM visit, etc. is being memorialized, correlated, and categorized for future use. On the surface, this data is collected to be "helpful", but that data in the wrong hands is actually not helpful at all. I do think privacy is a personal decision -- while someone may need to be wide open on social media to further their brand/career, a young teen needs more privacy and protection.
Smart homes technology may be all the rage, (Google purchased Nest for approximately $3 billion, a smoke detector and thermostat company), but what if the wrong people hacked into this technology: home security, might I return from vacation to see that I'd been robbed?
How did the Equifax hack occur?
Cybercriminals have nothing but time and motivation on their hands to carry out vicious cyber attacks, so Equifax (which houses hundreds of millions of people's sensitive data) is an understandable target for them. I can't comment on the exact specifics of how they achieved their attack as that information is still being investigated, I can say that data segregation is of utmost importance to any size business. We no longer live in a world where breaches are IFs - breaches are WHENs.
How might we make STEM careers more female-inclusive?
While I haven't been shy to talk about the lack of women in STEM careers, the real problem is the overall lack of diversity in STEM. We desperately need fresh ideas, different perspectives, and creative solutions to our problems and having a diverse, inclusive workforce allows for those ideas to flourish.
Women in the workplace have always experienced a certain degree of discrimination from male colleagues, and according to new studies, it appears that it is becoming even more difficult for women to get acclimated to modern day work environments, in wake of the #MeToo Movement.
In a recent study conducted by LeanIn.org, in partnership with SurveyMonkey, 60% of male managers confessed to feeling uncomfortable engaging in social situations with women in and outside of the workplace. This includes interactions such as mentorships, meetings, and basic work activities. This statistic comes as a shocking 32% rise from 2018.
What appears the be the crux of the matter is that men are afraid of being accused of sexual harassment. While it is impossible to discredit this fear as incidents of wrongful accusations have taken place, the extent to which it has burgeoned is unacceptable. The #MeToo movement was never a movement against men, but an empowering opportunity for women to speak up about their experiences as victims of sexual harassment. Not only were women supporting one another in sharing to the public that these incidents do occur, and are often swept under the rug, but offered men insight into behaviors and conversations that are typically deemed unwelcomed and unwarranted.
Restricting interaction with women in the workplace is not a solution, but a mere attempt at deflecting from the core issue. Resorting to isolation and exclusion relays the message that if men can't treat women how they want, then they rather not deal with them at all. Educating both men and women on what behaviors are unacceptable while also creating a work environment where men and women are held accountable for their actions would be the ideal scenario. However, the impact of denying women opportunities of mentorship and productive one-on-one meetings hinders growth within their careers and professional networks.
Women, particularly women of color, have always had far fewer opportunities for mentorship which makes it impossible to achieve growth within their careers without them. If women are given limited opportunities to network in and outside of a work environment, then men must limit those opportunities amongst each other, as well. At the most basic level, men should be approaching female colleagues as they would approach their male colleagues. Striving to achieve gender equality within the workplace is essential towards creating a safer environment.
While restricted communication and interaction may diminish the possibility of men being wrongfully accused of sexual harassment, it creates a hostile
environment that perpetuates women-shaming and victim-blaming. Creating distance between men and women only prompts women to believe that male colleagues who avoid them will look away from or entirely discredit sexual harassment they experience from other men in the workplace. This creates an unsafe working environment for both parties where the problem at hand is not solved, but overlooked.
According to LeanIn's study, only 85% of women said they feel safe on the job, a 5% drop from 2018. In the report, Jillesa Gebhardt wrote, "Media coverage that is intended to hold aggressors accountable also seems to create a sense of threat, and people don't seem to feel like aggressors are held accountable." Unfortunately, only 16% of workers believed that harassers holding high positions are held accountable for their actions which inevitably puts victims in difficult, and quite possibly dangerous, situations. 50% of workers also believe that there are more repercussions for the victims than harassers when speaking up.
In a research poll conducted by Edison Research in 2018, 30% of women agreed that their employers did not handle harassment situations properly while 53% percent of men agreed that they did. Often times, male harassers hold a significant amount of power within their careers that gives them a sense of security and freedom to go forward with sexual misconduct. This can be seen in cases such as that of Harvey Weinstein, Bill Cosby and R. Kelly. Men in power seemingly have little to no fear that they will face punishment for their actions.
Source-Alex Brandon, AP
Sheryl Sandberg, Facebook executive and founder of LeanIn.org., believes that in order for there to be positive changes within work environments, more women should be in higher positions. In an interview with CNBC's Julia Boorstin, Sandberg stated, "you know where the least sexual harassment is? Organizations that have more women in senior leadership roles. And so, we need to mentor women, we need to sponsor women, we need to have one-on-one conversations with them that get them promoted." Fortunately, the number of women in leadership positions are slowly increasing which means the prospect of gender equality and safer work environments are looking up.
Despite these concerning statistics, Sandberg does not believe that movements such as the Times Up and Me Too movements, have been responsible for the hardship women have been experiencing in the workplace. "I don't believe they've had negative implications. I believe they're overwhelmingly positive. Because half of women have been sexually harassed. But the thing is it is not enough. It is really important not to harass anyone. But that's pretty basic. We also need to not be ignored," she stated. While men may be feeling uncomfortable, putting an unrealistic amount of distance between themselves and female coworkers is more harmful to all parties than it is beneficial. Men cannot avoid working with women and vice versa. Creating such a hostile environment is also detrimental to any business as productivity and communication will significantly decrease.
The fear or being wrongfully accused of sexual harassment is a legitimate fear that deserves recognition and understanding. However, restricting interactions with women in the workplace is not a sensible solution as it can have negatively impact a woman's career. Companies are in need of proper training and resources to help both men and women understand what is appropriate workplace behavior. Refraining from physical interactions, commenting on physical appearance, making lewd or sexist jokes and inquiring about personal information are also beneficial steps towards respecting your colleagues' personal space. There is still much work to be done in order to create safe work environments, but with more and more women speaking up and taking on higher positions, women can feel safer and hopefully have less contributions to make to the #MeToo movement.