Theresa Payton’s email password is more secure than yours. In fact, she probably knows yours. The founder and CEO of cybersecurity and intelligence consulting firm Fortalice Solutions, Payton is a globally recognized expert on security and intelligence operations. As the first woman to serve as White House Chief Information Officer, Payton oversaw IT operations for President Bush and his staff from 2006 to 2008. We spoke with her about the future of security, what companies can do to minimize risks, and what really happens on the Dark Web.
Founder & CEO,
How did you get interested in cybersecurity?
I come from a long line of U.S. military and law enforcement family members. In addition to my aunts and uncles, father, and grandfather, my husband and father-in-law are former U.S. Navy, so I’ve always been interested in helping people. I got an incredible opportunity to get a Master of Science in management information systems from the University of Virginia. After graduating, I followed my husband to Mayport, Florida, where he was stationed, and got a job working for Barnett Bank, which is now part of Bank of America. I ended up on the cutting edge of cybercrime, fraud, and money laundering working in banking. After 9/11, I worked with law enforce-ment because they needed logs to trace laundered money, and other access. It really changed my mindset and caused me to want to help create an experience that is secure and private.
And this helped you at the White House.
I thought I had seen a lot working in banking, but when I was called to work in the White House, I realized just how critical security technology will be for decades to come, and I’ve never looked back. I can’t imagine a place I’d rather be than protecting and defending companies, individuals, and the government and our allies.
Data manipulation is certainly one of the biggest threats to any nation. And I don’t just mean elections.
A lot has been said recently about how terror groups and others use the Dark Web. What is that, and how aware do companies need to be?
There is really the Deep Web and the Dark Web. The Deep Web is that unstructured part of the internet that search engines like Google don’t index. It makes up about 95 percent of the internet. It was developed by the U.S. Naval Observatory as a way for citizens, while physically in their country, to let the rest of the world know about human rights abuses happening in their country without being exposed. There were a lot of good, altruistic reasons for creating it, but as we know, tools meant for good can be taken advantage of by bad people, and that’s what happened with the Dark Web, which is a corner of the Deep Web. It has become a black market for very nefarious things that no teenager should ever play around with, and that I would hope most people wouldn’t have to be exposed to. You can’t unsee a lot of those things. Most companies, whether they realize it or not, already are on the Deep Web, through payment transactions or other communications that are anonymized for security reasons. Again, those are great reasons to be there. The black market is not.
Why do people still create security issues for companies by clicking on bad links that lead to malware?
It’s because we don’t design for the human. We set up arcane security rules that most people can’t follow, such as having a 12-character password of non-repeating numbers or letters, etc., that is actually designed to help the bad guys get in and keep the good guys out. We’ve worked hard to design security systems that act more as enablers and safety nets, rather than by rules that become restrictive for people to gain access to do their jobs.
Are there fundamental differences in how an individual, rather than a company, should approach security?
The first thing to admit is that you’re going to have a breach. At some point, the security will fail. I equate it to the lost car in the neighborhood syndrome. Some thieves go up and down the street looking for unlocked cars. They will only steal from the ones they can easily enter. Other thieves don’t care, and will smash a window in. The same is true of cybercrime. The strategy is to create the hardest possible way for thieves to enter, and maximize the recovery if things are taken. When you go on vacation, you don’t take every priceless heirloom you own with you, but perhaps you hide them or take them to a vault. With corporate or personal data, make sure you have regular backups and encryption services. It’s less about preventing crime, and more about minimizing the risk and damage.
It used to be that having the biggest army meant you ruled the world. Is today’s “biggest army” data security?
Data manipulation is certainly one of the biggest threats to any nation. And I don’t just mean elections. There are nightmare scenarios that we think about that have nothing to do with politics but could destroy a nation. For example, if there were a natural disaster or man-made disaster, and someone were to change blood types in a system, it would be catastrophic. That requires checks and balances to secure, just like intellectual property. Data manipulation as it relates to corporate or economic espionage has weighed heavily on the minds of cybersecurity experts for years.
What’s the best piece of advice you follow?
My parents are my heroes, and one thing they impressed on me early on was that my word is my brand and that success comes from a foundation of being an ethical, confident, and committed person that always delivers on your promises.