From Computer Support To The White House: How Theresa Payton Became One Of Cyber's Leading Experts


Theresa Payton caught the technology bug while still in high school during a stint in computer support at the Quantico Marines Corps Exchange. After graduate school, she held executive roles in banking technology at Bank of America and Wells Fargo.

She founded the cyber-security company Fortalice Solutions, where she's the CEO, a company that provides expertise to government and private sector organizations to help them improve their information technology systems, and is now one of the 50 top influencers in security and fire.

Digital data collection and surveillance has grown increasingly invasive, and a majority of people (myself included) do not know the full extent to which data is collected, stored and used. Should we be concerned, and if not then why not?

Everyone is collecting data on you at every moment -- your phone when it talked to WiFi and cell towers is telling the phone company where you are. When you use apps, the apps know where you are even when you turn location data off -- it knows where you are because it knows the cell phone tower you're talking to. For the most part, the reason behind this is mostly positive. They're trying to understand your behaviors to offer you coupons and deals, and providing Amber Alerts and weather alerts to keep you safe. All of this collection is done for a good purpose.

However, we're still working out the social norms, like what constitutes whether our privacy is being invaded in the digital world. We also haven't spent enough time thinking about the fact that everything is hackable. My team hasn't found a database that they couldn't crack into. We must change the conversation to, “If you're going to collect the data to help me, how are you going to protect that data when you eventually get breached?"

Have privacy laws been able to keep pace with digital technology? As an example, if I'm grilling fish in my backyard can a neighbor “observe" my actions, via a camera drone, without breaking the law?

In my opinion, privacy laws have not been able to keep up with the digital age. Technology, specifically drones, have been a great tool for law enforcement in spotting potential victims and helping rescue those who need help in dangerous conditions. But with the popularity of domestic drones, this is a discussion that as a society we need to have. It's common knowledge that it's not polite to peep through people's windows -- it's illegal. But do we have any laws protecting us from our neighbors protecting us from flying a drone over our backyard? We don't -- at least not yet.

You served as the first female Chief Information Officer at the White House, overseeing IT operations for President George W. Bush and his staff. What was that like?

I thought from my previous work experience that I'd seen it all -- but when I got to the White House, I realized that wasn't the case. The pivotal moment for me that shifted how I design a security strategy started on my first day. It came down to the people who served at 1600 Pennsylvania and across the entire 3000+ person Executive Office of the President. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security.

After all, if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe. It's not that simple. Two key questions came to me the first 90 days at the White House that I had to answer or we would have had a major calamity:

  1. Why, in spite of talented security teams and investments on security, do breaches still happen?
  2. Why is it, that despite hours and hours of boring computer based training and security campaigns, we still make mistakes and click on links?

This made me realize that we must critically reexamine how we assess our security technology, procedures, and methodology to fully understand the full scope of risk we bear daily and to determine the best course of action to mitigate this risk.

Theresa Payton speaking at Microsoft CISO. Photo Courtesy of Briana McDougall

What is the future of biometric data? Are we headed toward voice-activated email access, eliminating the need for keystroke passwords?

Biometric data is becoming much bigger because of the collection methods, like cameras, voice recognition and other methods capturing your image and the measurements of your physical form. Law enforcement can use it for identification purposes, and businesses can use it in their favor, as well. For example, banks like to know their customers are who they say they are, which ultimately protects their customers better.

We need to think of biometrics on a continuum -- on one hand, you can take things like your face or your voice which are physical things that we offer. These are very public biometrics. There are also more private biometrics, like how we walk, our hand geometry or the measurement of our eyes. As we move further down the line, it becomes more disconcerting of what people are taking, as they're all biometric measurements that can be made.

As an extension of the previous question, what might happen if this (potentially) promising technology falls into the wrong hands, like cybercriminals, fascists and military dictators?

We've actually already seen this technology fall into the wrong hands. In my book, Privacy in the Age of Big Data, I give the example that cybercriminals can use gummy bears to copy people's fingerprints and machines recognize them as legitimate. Gummy bears! The reality is that this already happens and we must continue to design security systems for the human psyche and continually evolve best practices to stay ahead of cybercriminals.

How can we “adjust" or better manage our digital behaviors in order to safeguard our privacy?

Most people think free wifi is harmless, but would you use a free toothbrush that was just lying on the floor? Of course not -- because you can't guarantee the hygiene of the toothbrush. Similarly, you shouldn't use free wifi because you can't guarantee its hygiene either. Never use free wifi when conducting sensitive and confidential transactions. The alternative is to use a portable hotspot or to use your cell phone as your own WiFi connection.

Additionally, call your device manufacturer to ask them how to enable encryption and password protection. Consider implementing two-factor authentication for logins on your devices, and use it for all work and personal apps and email addresses as much as possible. If you have someone steal your credentials, unless they have your smartphone, they will not have that code to get into your accounts.

I, like many motorists, have an E-ZPass device. Can I be monitored beyond the toll area? I cannot help but to appreciate the irony: I'm always toting my smartphone everywhere I go. But I read something about the E-ZPass device being used to determine traffic patterns, primarily in heavily congested areas. Is there any truth to this?

A lot of times when using an E-ZPass, we expect them to know we went through a certain toll because they debit their accounts. But do you expect that when you get away from the toll booth? When you use an electronic toll collection system, like E-ZPass, you also open a door for possible government snooping. For instance, in New Jersey, law enforcement can and will access E-ZPass records for criminal cases, but can only do so with a court order.

But when you're not at the toll booth, transportation authorities can install readers that read the tag on your windshield anywhere and monitor your tag anytime you pass -- not just when you pay for the privilege of driving on the road.

In the San Francisco area, the Metropolitan Transportation Commission tracks and collects information from fast passes. If you know about tracking and want to opt out, they provide a bag of Mylar so you can block signals when you are not using the pass to pay a toll.

This doesn't mean you shouldn't use E-ZPass, you just need to determine where on the continuum you fall between risk and reward.

Does anti-drone clothing exist, and if it does, what is it?

Anti-drone clothing does exist. Even though a lot of the good guys use drones, the bad guys use drones, too. In trying to protect our military, just wearing desert camouflage wasn't doing it anymore, so there are anti-drone clothing, blankets and hoodies, which is also available to consumers, too. These will help blur a heat signature, as well as help blur facial recognition technology.

How safe is my digital information? Am I worse off, in some instances, if my email address is stolen versus my social security number?

We're often focused on protecting information like social security numbers, bank accounts and healthcare information, but as you mention, cybercriminals also steal email addresses, habits and demographic information just as, if not more often. I don't hear many concerns about protecting this data, but it could be more valuable than something like your social security number. Part of it is that adversaries are becoming much more sophisticated when it comes to technology, and they're starting to see more value in many of these other pieces of information about you; knowing where you're going and what you're doing.

Has digital privacy ended?

What people need to realize is that 'delete' is never really 'delete.' It's incredibly difficult to be digitally invisible, but it is possible. What I love about the privacy discussion is we are finally having one. I don't believe people really understand up until recently that every finger swipe, mouse click, ATM visit, etc. is being memorialized, correlated, and categorized for future use. On the surface, this data is collected to be "helpful", but that data in the wrong hands is actually not helpful at all. I do think privacy is a personal decision -- while someone may need to be wide open on social media to further their brand/career, a young teen needs more privacy and protection.

Smart homes technology may be all the rage, (Google purchased Nest for approximately $3 billion, a smoke detector and thermostat company), but what if the wrong people hacked into this technology: home security, might I return from vacation to see that I'd been robbed?

Smart home technology has a ton of components, meaning multiple companies participate in the supply chain of putting together that one item. As the systems become more prevalent, I specifically worry about the do-it-yourself kits making their way onto the market, where consumers merely pull a system out of the box and install it themselves without an expert. If you don't make security a priority, you could run into real trouble -- it's possible for hackers to figure out how to unlock your doors, break into video cameras and see inside your house, even control the thermostat if they truly wanted to. As a user, you must ask about the privacy policy of every system you use. If you're transmitting smart data to reduce costs or create safety, security or comfort, you need to know who else is looking at that data.

How did the Equifax hack occur?

Cybercriminals have nothing but time and motivation on their hands to carry out vicious cyber attacks, so Equifax (which houses hundreds of millions of people's sensitive data) is an understandable target for them. I can't comment on the exact specifics of how they achieved their attack as that information is still being investigated, I can say that data segregation is of utmost importance to any size business. We no longer live in a world where breaches are IFs - breaches are WHENs.

How might we make STEM careers more female-inclusive?

While I haven't been shy to talk about the lack of women in STEM careers, the real problem is the overall lack of diversity in STEM. We desperately need fresh ideas, different perspectives, and creative solutions to our problems and having a diverse, inclusive workforce allows for those ideas to flourish.

Our newsletter that womansplains the week
4 Min Read

How To Treat Yourself Like A Queen

Sometimes the person you have to stand up to is you! There I was, rewatching the Miss Universe 2019 competition. Which I do for inspiration from time to time. (No, seriously!) There is something about seeing women on stage, in full-on glam mode, and speaking with confident assuredness that really lights my fire!

I have seen this Zozibini Tunzi of South Africa win this crown so many times before, but something about this particular viewing, her delivery or her words, touched something inside me a little differently. At that moment, I truly believed, with complete conviction, that she lives what she speaks.

The announcement was made, the audience cheered, and the crown was awarded. The light was dazzling,, she looked stunning, almost blessed. The judges made the right call with 2019's queen.

Reflecting On Myself

Suddenly, the YouTube video ended. And I was left looking at a black screen. In the darkness of that screen, I saw my reflection and I began assessing what I saw, asking myself, "What have I been doing with my life?" It may seem like an overly dramatic question, but at that moment, I had to ask myself seriously… What have you done? The fact that I couldn't come up with a solid, confident answer gave my inner-cynic license to quickly spiral into self-criticism.

This went on for quite some time, until I got up. I stood up and walked to my mirror to have some serious one-on-one "Queen Talk." I needed to get out of that self-critical mindset, and I know that physical movement is something that help disrupt a way of thinking. I needed to remind myself of who I really was. The negative feelings I was experiencing at that moment were not reality.

Here are a few reminders for whenever you need some Queen Talk!

1.) Comparison is truly the thief of joy.

This saying feels like a cliché. That is, until it's applicable to you. At that moment, this "cliché, becomes self-evident. Comparing myself to someone on a stage with years of experience in an area I know nothing about is not only unfair but straight-up mean. A part of my comparison comes from me wondering, "Would I have the ability, if put in that position, to perform at such a level?" The answer is totally and without question, yes. I excel in the field I work in now, and I know that if I put that same energy towards something else, with practice, I could do just as well. No joy can come from comparing yourself to someone in a completely different field!

2.) Never forget the blessings that have been bestowed upon you.

Every single day, I am blessed to have the opportunity to wake up with all ten fingers and toes and choose to create the kind of life I want to live. There is so much power in that alone, but sometimes it's easy to take it for granted. Let us not forget those who are unable to make that same decision every day of their lives.

3.) Appreciate how far you have come!

I've been very intentional for some time to be kinder and gentler to myself. I need to realize that I am human. Being human means that I will not know everything, and I will continue to make mistakes.But I must let go of the need to always be right. I feel empowered when I can see the growth that I've made, regardless of the mistakes that may come in the future. I don't react to every little thing that bothers me, because I have learned boundaries when it comes to dealing with others and myself. I truly value my time and my energy, and, for that, I am proud.

4.) You Can Be Who You Want To Be

If you can see it in your mind, you can achieve it in reality. I saw myself when I looked at the women on stage, when she smiled, the way she talked, her elegant walk. For a moment, in my self-criticism spiral, I forgot that we are all connected. Debasish Mridha has said "I may not know you, but I don't see any difference between you and me. I see myself in you; we are one." I will not sit in the mentality of lack, there is more than enough opportunity and good fortune to go around for everyone. Her win was not a loss for me, but it can be a nudge from the universe for me to go ahead and dream big!

This Queen Talk was not easy. There may have been some tissues and tears involved but giving myself an honest yet compassionate talk is sometimes what I need to bring myself out of some bad head space. In these moments of doubt, you truly need to be your own best friend.When times get rough, criticism won't always come from outside sources. How you speak about yourself internally is crucial to how you see and feel about yourself. As Beyoncé once sang, "I've got Me, Myself, and I." We must put forth every effort to be there for ourselves. I look forward to more Queen Talks when some negative emotions arise. I am grateful for the person I am today, but I am excited to see the women I become.