Photo Courtesy of Briana McDougall

From Computer Support To The White House: How Theresa Payton Became One Of Cyber's Leading Experts


Theresa Payton caught the technology bug while still in high school during a stint in computer support at the Quantico Marines Corps Exchange. After graduate school, she held executive roles in banking technology at Bank of America and Wells Fargo.

She founded the cyber-security company Fortalice Solutions, where she's the CEO, a company that provides expertise to government and private sector organizations to help them improve their information technology systems, and is now one of the 50 top influencers in security and fire.

Digital data collection and surveillance has grown increasingly invasive, and a majority of people (myself included) do not know the full extent to which data is collected, stored and used. Should we be concerned, and if not then why not?

Everyone is collecting data on you at every moment -- your phone when it talked to WiFi and cell towers is telling the phone company where you are. When you use apps, the apps know where you are even when you turn location data off -- it knows where you are because it knows the cell phone tower you're talking to. For the most part, the reason behind this is mostly positive. They're trying to understand your behaviors to offer you coupons and deals, and providing Amber Alerts and weather alerts to keep you safe. All of this collection is done for a good purpose.

However, we're still working out the social norms, like what constitutes whether our privacy is being invaded in the digital world. We also haven't spent enough time thinking about the fact that everything is hackable. My team hasn't found a database that they couldn't crack into. We must change the conversation to, “If you're going to collect the data to help me, how are you going to protect that data when you eventually get breached?"

Have privacy laws been able to keep pace with digital technology? As an example, if I'm grilling fish in my backyard can a neighbor “observe" my actions, via a camera drone, without breaking the law?

In my opinion, privacy laws have not been able to keep up with the digital age. Technology, specifically drones, have been a great tool for law enforcement in spotting potential victims and helping rescue those who need help in dangerous conditions. But with the popularity of domestic drones, this is a discussion that as a society we need to have. It's common knowledge that it's not polite to peep through people's windows -- it's illegal. But do we have any laws protecting us from our neighbors protecting us from flying a drone over our backyard? We don't -- at least not yet.

You served as the first female Chief Information Officer at the White House, overseeing IT operations for President George W. Bush and his staff. What was that like?

I thought from my previous work experience that I'd seen it all -- but when I got to the White House, I realized that wasn't the case. The pivotal moment for me that shifted how I design a security strategy started on my first day. It came down to the people who served at 1600 Pennsylvania and across the entire 3000+ person Executive Office of the President. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security.

After all, if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe. It's not that simple. Two key questions came to me the first 90 days at the White House that I had to answer or we would have had a major calamity:

  1. Why, in spite of talented security teams and investments on security, do breaches still happen?
  2. Why is it, that despite hours and hours of boring computer based training and security campaigns, we still make mistakes and click on links?

This made me realize that we must critically reexamine how we assess our security technology, procedures, and methodology to fully understand the full scope of risk we bear daily and to determine the best course of action to mitigate this risk.

Theresa Payton speaking at Microsoft CISO. Photo Courtesy of Briana McDougall

What is the future of biometric data? Are we headed toward voice-activated email access, eliminating the need for keystroke passwords?

Biometric data is becoming much bigger because of the collection methods, like cameras, voice recognition and other methods capturing your image and the measurements of your physical form. Law enforcement can use it for identification purposes, and businesses can use it in their favor, as well. For example, banks like to know their customers are who they say they are, which ultimately protects their customers better.

We need to think of biometrics on a continuum -- on one hand, you can take things like your face or your voice which are physical things that we offer. These are very public biometrics. There are also more private biometrics, like how we walk, our hand geometry or the measurement of our eyes. As we move further down the line, it becomes more disconcerting of what people are taking, as they're all biometric measurements that can be made.

As an extension of the previous question, what might happen if this (potentially) promising technology falls into the wrong hands, like cybercriminals, fascists and military dictators?

We've actually already seen this technology fall into the wrong hands. In my book, Privacy in the Age of Big Data, I give the example that cybercriminals can use gummy bears to copy people's fingerprints and machines recognize them as legitimate. Gummy bears! The reality is that this already happens and we must continue to design security systems for the human psyche and continually evolve best practices to stay ahead of cybercriminals.

How can we “adjust" or better manage our digital behaviors in order to safeguard our privacy?

Most people think free wifi is harmless, but would you use a free toothbrush that was just lying on the floor? Of course not -- because you can't guarantee the hygiene of the toothbrush. Similarly, you shouldn't use free wifi because you can't guarantee its hygiene either. Never use free wifi when conducting sensitive and confidential transactions. The alternative is to use a portable hotspot or to use your cell phone as your own WiFi connection.

Additionally, call your device manufacturer to ask them how to enable encryption and password protection. Consider implementing two-factor authentication for logins on your devices, and use it for all work and personal apps and email addresses as much as possible. If you have someone steal your credentials, unless they have your smartphone, they will not have that code to get into your accounts.

I, like many motorists, have an E-ZPass device. Can I be monitored beyond the toll area? I cannot help but to appreciate the irony: I'm always toting my smartphone everywhere I go. But I read something about the E-ZPass device being used to determine traffic patterns, primarily in heavily congested areas. Is there any truth to this?

A lot of times when using an E-ZPass, we expect them to know we went through a certain toll because they debit their accounts. But do you expect that when you get away from the toll booth? When you use an electronic toll collection system, like E-ZPass, you also open a door for possible government snooping. For instance, in New Jersey, law enforcement can and will access E-ZPass records for criminal cases, but can only do so with a court order.

But when you're not at the toll booth, transportation authorities can install readers that read the tag on your windshield anywhere and monitor your tag anytime you pass -- not just when you pay for the privilege of driving on the road.

In the San Francisco area, the Metropolitan Transportation Commission tracks and collects information from fast passes. If you know about tracking and want to opt out, they provide a bag of Mylar so you can block signals when you are not using the pass to pay a toll.

This doesn't mean you shouldn't use E-ZPass, you just need to determine where on the continuum you fall between risk and reward.

Does anti-drone clothing exist, and if it does, what is it?

Anti-drone clothing does exist. Even though a lot of the good guys use drones, the bad guys use drones, too. In trying to protect our military, just wearing desert camouflage wasn't doing it anymore, so there are anti-drone clothing, blankets and hoodies, which is also available to consumers, too. These will help blur a heat signature, as well as help blur facial recognition technology.

How safe is my digital information? Am I worse off, in some instances, if my email address is stolen versus my social security number?

We're often focused on protecting information like social security numbers, bank accounts and healthcare information, but as you mention, cybercriminals also steal email addresses, habits and demographic information just as, if not more often. I don't hear many concerns about protecting this data, but it could be more valuable than something like your social security number. Part of it is that adversaries are becoming much more sophisticated when it comes to technology, and they're starting to see more value in many of these other pieces of information about you; knowing where you're going and what you're doing.

Has digital privacy ended?

What people need to realize is that 'delete' is never really 'delete.' It's incredibly difficult to be digitally invisible, but it is possible. What I love about the privacy discussion is we are finally having one. I don't believe people really understand up until recently that every finger swipe, mouse click, ATM visit, etc. is being memorialized, correlated, and categorized for future use. On the surface, this data is collected to be "helpful", but that data in the wrong hands is actually not helpful at all. I do think privacy is a personal decision -- while someone may need to be wide open on social media to further their brand/career, a young teen needs more privacy and protection.

Smart homes technology may be all the rage, (Google purchased Nest for approximately $3 billion, a smoke detector and thermostat company), but what if the wrong people hacked into this technology: home security, might I return from vacation to see that I'd been robbed?

Smart home technology has a ton of components, meaning multiple companies participate in the supply chain of putting together that one item. As the systems become more prevalent, I specifically worry about the do-it-yourself kits making their way onto the market, where consumers merely pull a system out of the box and install it themselves without an expert. If you don't make security a priority, you could run into real trouble -- it's possible for hackers to figure out how to unlock your doors, break into video cameras and see inside your house, even control the thermostat if they truly wanted to. As a user, you must ask about the privacy policy of every system you use. If you're transmitting smart data to reduce costs or create safety, security or comfort, you need to know who else is looking at that data.

How did the Equifax hack occur?

Cybercriminals have nothing but time and motivation on their hands to carry out vicious cyber attacks, so Equifax (which houses hundreds of millions of people's sensitive data) is an understandable target for them. I can't comment on the exact specifics of how they achieved their attack as that information is still being investigated, I can say that data segregation is of utmost importance to any size business. We no longer live in a world where breaches are IFs - breaches are WHENs.

How might we make STEM careers more female-inclusive?

While I haven't been shy to talk about the lack of women in STEM careers, the real problem is the overall lack of diversity in STEM. We desperately need fresh ideas, different perspectives, and creative solutions to our problems and having a diverse, inclusive workforce allows for those ideas to flourish.


It's Time We Ditch Over the Counter Period Care and Embrace the Power of CBD

Going through adolescence and puberty can take its toll. As we try and navigate the changes that are happening and settle into adulthood, it's easy to be unaware of something that might be a reason for concern, or we may rely on old traditional methods of support that aren't conducive to positive long-term health.

As a society, we have accepted popular over-the-counter medicines that are used for an isolated headache or migraine to be the only line of defense to treat period pain. We have allowed old treatments and information to remain stagnant and thus have failed to evolve with the times. In order for change to be possible, we need to modify our approach and take advantage of and source new information, products, and research while pushing the conversation forward to normalize discussions around menstruation to better support the health of people who menstruate.

As a society, we have accepted popular over-the-counter medicines that are used for an isolated headache or migraine to be the only line of defense to treat period pain.

Between growing up with three sisters and a dad who is a double-board certified OB/GYN and infertility specialist, vaginal wellness has always taken center stage in my house. Through this, I had a lens into a world that overtime became more obviously outdated and slow to establish new tools to help combat the unpleasantries that are associated with menstruation. In my own family, I was able to see how different getting your period could be, how diverse symptoms were, and the importance of quality female wellness.

One of my sisters had the unfortunate experience of dealing with an ulcer related to excessive use of over-the-counter medication. This medicine was the only available option to help ease the pain throughout her cycle, which is a direct example of just how damaging the lack of quality menstrual-pain products can be and the toll it takes on our bodies.

It was hard not to wonder why period companies weren't as equally diverse as its customers. Or perhaps another question is, where is the effort to even have open discussions about what more could be done? As you could imagine, growing up with a doctor in the family lends itself to immediate access to health information, but this is a luxury that most people do not have. So where are the resources to help educate women and other people with vaginas on their bodies or symptoms they should look out for to help maintain positive reproductive health?

Through these observations, it became apparent just how much more could be done to support, aid, and educate women or other people with vagins on reproductive wellness. As someone who took to the trend of CBD to help with my own menstrual cycle symptoms, it had dawned on me that I was already nurturing a solution. I had been sharing my experience with CBD for menstrual relief with my sisters and girlfriends, so why not the rest of our community?

Enter, Maxine + Morgan, the CBD based wellness brand dedicated to using natural ingredients to alleviate menstrual cycle symptoms that I created with my dad Dr. Allen Morgan. When my family and I learned that people who menstruate sacrifice approximately 23 days a year on average worth of productivity because of period-related symptoms, we knew our products could improve that. We created capsules that are GMO free, gluten free, and vegan; all of which are made up using only six ingredients. Turmeric, ginger, cramp bark, valerian root, and fennel coupled with the healing qualities of CBD make up our unique formula that has been scientifically shown to reduce PMS symptoms and cramping. In addition to our CBD-based products, we also have a wellness line of options that are CBD free, which are also undergoing a clinical study to determine overall effectiveness.

In my own family, I was able to see how different getting your period could be, how diverse symptoms were, and the importance of quality vaginal wellness.

We decided early on that we would focus on providing high-quality supplements that fostered an uninterrupted lifestyle while simultaneously investing time and resources to new research and information. Having only been established for a few years now, we have coordinated the first ever clinical study to compare the effectiveness of CBD to popular over-the-counter medicine. We have also created an initiative with the non-profit organization, Period.org to donate funds to help support their amazing cause.

As a program that prioritizes access to information, hygiene products, and resources, we couldn't think of a better group to join forces with to leverage change within the industry. Especially now in the pandemic era, there has been an influx of women who are facing the harsh reality of period poverty. This refers to women who need feminine hygiene products but cannot afford them, which often leads to using toilet paper, rags, socks, or not using anything at all. This is completely unacceptable. Maxine+Morgan is vowing to bring awareness to period poverty and sourcing solutions that help all women feel comfortable, healthy, and strong. Through strategic partnerships, influencing open conversations, and raising money for non-profit organizations we can create a new dynamic and standard.

Maxine+Morgan is vowing to bring awareness to period poverty and sourcing solutions that help all menstruating people feel comfortable, healthy, and strong.

We have set high standards for the quality and effectiveness of our products, but also for who we are as a company. We are dedicated to being allies to the female community in order to foster change, create support, and reinvent how we talk about period health. More times than not, we only discuss our experience around our period when we're forced to cancel plans because our cramps are too painful to leave the house. We have no problem talking about our new skincare routine but shy away from talking about our flow, or what's going on down there. Within the next five years, we're setting our sights on not only being readily available in all major retail platforms that carry your other female wellness products, but creating a new dialogue filled with updated information and dismantling the stigma behind open discussion on menstruation and painful period symptoms.

We're with you, we feel you, we are you.