Interview with Former White House CIO Theresa Payton

Tuesday, March 23, 2010

Anthony M. Freed



I recently had the pleasure of making the acquaintance of the illustrious Theresa Payton, who's long and vibrant career has spanned multiple industry sectors and government service at the highest levels.

Theresa is currently the Chief Advisor and CEO of Fortalice, LLC, a firm offering security, risk, and fraud consulting services to private and public sector organizations. 

She holds a Top Secret-SCI Clearance.  In addition to working with key clients in the private and public sector, Theresa is also Emeritus Faculty for the Security Executive Council, and hosts a weekly segment for consumers on Charlotte, North Carolina's CBS station, WBTV, called "Protecting Your Cyberturf".

From May 2006 until September 2008, Theresa worked for the Bush Administration as the White House Chief Information Officer (CIO). She was the first woman to hold this position, and her team served the President, his staff and the 3,000+ members of the Executive Office of the President (EOP).

Theresa earned her Bachelor Degree in 1989, cum laude, with a Bachelor of Arts in Economics and Business Administration from Immaculata University.  She also earned her certification in Computer Administration before she went onto Charlottesville, VA to work on her Master's Degree.   She completed her Master of Science in Management Information Systems (MIS), University of Virginia in 1990. 

Theresa is a graduate of a 3 year program in Banking Studies earned from the Graduate School of Banking at LSU. She is also a Black Belt in Six Sigma.

Theresa started her career in Banking Technology in 1990.  She's worked at Barnett (Now Bank of America), First Union (Now Wells Fargo), and  for Bank of America.  Her career in banking has been diverse, including key leadership roles in strategic planning, mergers and acquisitions, hurricane recovery response, technology and operations for brick-and-mortar and self service delivery channels, data warehouses, executive information systems, marketing, finance, retail, small business, commercial, marketing, finance, dealer financial services, fraud, and risk.   

Q:  What do you see as the single greatest risk to information security in 2010?

Anthony, this is a complex question to answer and I know my answer may surprise some of your readers.

The media has highlighted several areas of concern - organized crime, international espionage, international players hanging out in our electric grid, and military movements coinciding with cyber events. 

I am greatly concerned about the security of our infrastructure.  Many people do not realize that 85% of the nation's critical IT infrastructure is controlled by the private sector - which means everyone plays a role but nobody is really in charge.

There is no doubt in my mind that the criminal and international elements will play a central role in breaches and other major disruptions that could impact transportation, the flow of money, the economy, energy, and overall confidence in our infrastructure.

However, if you ask me to name the single greatest risk?  I would say it is each individual.  We will keep our citizens, our nation, and our companies safe one person at a time.  We are the best weapon in the arsenal to defend against what is coming our way.

Type in "missing laptop" or "missing data" into a search engine with the name of a government agency or company and you will probably find a hit. Ponemon Institute did a study on business travelers.  A shocking statistic:   airport personnel find about 12,255 laptops left behind each week across U.S. airports.

Technology is sometimes the easy part of security; you can patch and harden your defenses and tweak your security appliances and alerts to give you better defenses and early warning.  Training the human factor - your staff - is so much harder to do. 

Q:  So the biggest threat to security is from the insider threat?

This conversation about the insider threat is on the non-sexy side of security, but it is the cause some of the greatest chinks in the armor.  The "insider threat" is often like carbon monoxide poisoning:  silent and hard to detect. 

I break the threat down into three character profiles:

  • First up - Intentional: Robert Hanssen was a former U.S. FBI agent who turned over information to Russian intelligence services for cash and diamonds. It is also suspected he did it because he wanted to prove something to himself and others. This employee-type knowingly wants to cause harm either because they want to make a buck or because they feel it is their version of payback time.
  • Second is Unintentional Public Disclosure: Eve from the movie Wall-E is on a mission and she wears that mission on her chest. She's after plant life and she does not care who she broadcasts that mission to. She cannot keep a secret and she is overjoyed and beams when she finds plant life. The generation joining the workforce now and for the next 10-15 years is a lot like Eve. When they experience emotions, they will wear them openly via cyber space. That openness may also include blogging, tweeting, and Facebooking posts about the latest project they are working on.

As an example, recently, an overly exuberant Microsoft employee was caught talking about the virtues of Windows 8.    His posts have since been removed, but before they were, we did manage to learn that the next version will be "unlike anything users expect of the operating system," and that they are moving to 128-bit - a tough blow for their competitors, and for bad guys that want to be ready to hack the new version the moment it arrives. 

  • Third is when "Mr. Incredible" Breaks Your Defenses: I tell organizations that their biggest threat may actually be their "Mr. Incredible" employees. These are the people that will do whatever it takes to work for you: days, nights, weekends, and holidays. They are the fearless defenders of creating the latest report or implementing the last technology for your company. If that means downloading tons of information to a portable device so they can work on their vacation, they will. If it means throwing the laptop in the car on the way to pick up their kids with a stop at the grocery store and the laptop is left unattended...whoops! They do not mean to put the company at risk, but their drive to get the job done exposes company data.

As an example, a model employee was working on VA business at home and their home was burglarized.  A VA laptop was among the stolen goods and had the Social Security numbers of 26.5MM active duty military and veterans on it.  The VA has agreed to pay $20MM to settle a class action lawsuit.  In a true miracle mix of skills and luck, the FBI managed to recover the stolen laptop and it is believed the data was not used by the criminals. 

I recommend that all organizations take a serious look at their education and awareness programs and develop a carrot-stick approach to incenting the appropriate behaviors.

 If your organization is still using the class or CBT approach with emails, you need to step up your game.  You are not winning mindshare of your employees.  They will not remember all that stuff when they leave your organization's laptop unattended at home or in the car.

Q:  How is the role of government changing with the increased security demands of the cyber age?

The role of government and the private sector needs to evolve to collectively ensure security.  I can illustrate it best by using a quote from James Lewis, who is the senior fellow at the Center for Strategic and International Studies:  "We do not expect airlines to defend our airspace against enemy fighter planes, and we should not expect private companies to defend cyberspace against foreign governments".

Government plays a role in protecting our Nation's interests.  In the pre-cyber age, this was a little easier to define - protect land, stand up to those that wish to do, and defend and protect the constitution and the citizens of our country. 

In the cyber age this is much harder to define; here are just a few of the open questions I see that we need to define and answer regarding the role of the Government:

  • In the cyber age, what constitutes a National border?
  • If a criminal or another nation steals intellectual property from a company, is this crime to be handled by local law enforcement, or should the Government should get involved?
  • Is "hacktivism" okay if we use it to take the enemy offline, and give our troops the advantage?
  • How do we develop a system of collective security across individuals, companies, and government organizations without giving up individuality, competitive data, and our freedoms?

The only way we can protect our citizens and our Nation's interests in the cyber age is through collective security.  This has to be a collective effort across Government, Private Sector, and each individual.  It also needs to extend across our shores to our allies.

Q:  Does that mean you feel Government should take the lead in cyber security?

I believe the Governments should pursue a framework that allows for vigorous debate and discussion regarding what cyber age freedoms citizens are willing to give up in the name of staying safe. 

A neighbor said to me he did not like the idea of the Government scanning social network posts or emails for "key words".  I asked him that if the Government saw key words that averted a terrorist attempt to kill people where his kids were working and going to college were okay, he replied, "Yes, of course!".  This is the cyber age conundrum.

Although more heavy lifting is ahead, the Government works very hard to develop forums for collaboration so the public and private sector can share critical information and best practices to improve our overall security. 

We need to see the private sector make a way to remove the obstacles so they can work with the government.  Their economic livelihood depends upon it.  Unfortunately, the private sector may not see the "value" in working with government until the worst happens. 

Case in point, Google is working with the NSA after accounts and intellectual property were compromised.  This illustrates that it is possible for private sector companies to work with the U.S. Government for the greater good of our Nation. 

Our individual computers and our employer's networks and computers are all part of a larger virtual community.  Once each individual sees themselves as critical to our Nation's security, we will have more collaborative and collective security that will be better than anything the Government or Private Sector can do on their own.  This truly is the Power of One - each individual will make the difference.

Q:  Do you feel the solutions to information security problems will be derived from regulatory and compliance efforts, or do you favor incentivising free market solutions?

This is a great question.  I prefer and favor free market solutions.  The free market can drive incredible innovations that will push security further.  I believe there are several factors that drive solutions to security problems and the buying decisions.  I see a variety of drivers that push an organization to make investments:

  • Fear of the bear: This is that drive to secure your organization so the event that happened someplace else does not hit you. Many executives believe they don't have to outrun the bear, but that they just have to outrun someone else. I disagree with this philosophy, if we all banded together, we would not have to sacrifice the slowest among us to the bear.
  • Reactive: All too often, this creates the teachable moment, the aftermath that crashes upon an executive following an event. It is amazing how organizations seem to find the money and the priority to make investments once they are breached.
  • Innovative: Leaders who see security as a differentiator find new and creative ways to protect their organization and their customers.

When word of a new regulation or compliance requirement comes out, organizations make the time to incorporate changes.  There can be a dangerous sense, among executives and individuals, that all is well just because an organization is in compliance. 

Look at Heartland Payments for example.  Their CEO felt they should not be treated punitively because they had made a best faith effort to protect data and audits rated them as PCI compliant.  Compliance does not translate into 100% fail proof security. 

Q:  Google threatened retaliation and announced cooperation with the NSA, while China claims to be a victim - who do you feel is primarily responsible for mitigation of sovereign threats, enterprise or government?

Collective security is the responsibility of the private sector and the Government.  We will not be able to protect our national security and economic interests without partnership and collaboration.

Q:  Military retaliation to coordinated cyber attacks, up to and including nuclear options, are all on the table - how likely is a cyber event to trigger military action on any scale?

This is a real scenario.  Estonia and Georgia are prime examples.  Both had near simultaneous cyber attacks along with military movements.  There are lessons to be learned, regardless of what you believe happened during those events.  The Wall Street Journal pointed at the Russian Business network as the potential cyber culprit.

Cyber events can be the trigger for coordinated response with military action. 

I believe that just as global nations came together to define the rules of engagement during war, how prisoners are to be treated, how treaties are to be negotiated, that this framework needs to be extended to cover cyber tactics.

For example, it will be hard to determine if a country is spoofing an attack so it looks like a different country originated the attacks.   It would be disastrous if a country retaliated against another country but they had the wrong party.

Q:  Do you feel an efficient cyber defense strategy must include provisions for a vigorous cyber offensive capability?

A cyber offensive capability is critical.  There have been several media announcements about military and intelligence agencies establishing cyber commands and capabilities.  All are a step in the right direction.

To protect a Nation's interests, one must build a bridge of collaboration between the Federal Government and the Private Sector.   

That bridge would include 3 core principles: 

(1)  Information Sharing:  Revise the current information sharing protocols to facilitate more effective and efficient communications of the threat picture between the U.S. Government and the Private Sector. 

(2) Governance:  Form an independent governance organization that includes members from the public and private sectors.

(3)  Innovation:  A key building block to building a vigorous cyber offensive capability is the need for a Public-Private partnership focused on fostering innovation to solve for the vision and strategic goals set forth in the Cyber strategy as developed by the White House.  For example, it will take innovation to create a trusted community space to transact business and report issues.  Innovation is key to develop a comprehensive and widely accepted identity management strategy.

Q:  SMB's, Education, Health Care and other sectors are experiencing dramatic increases in data security requirements and their associated costs, while the recession has reduced revenues - what strategies should be applied to the battle between budget, compliance, and common sense?

This is a great question because any CIO or CISO knows that 100% security is not achievable.  They have the unenviable role of asking for investments for an event they hope never happens, asking for dollars after an event happens, and trying to explain the business value of the investment to their C-level executives.

I tell CIOs and CISOs, use me as the bad guy and take in this quote, "No organization has the time, resources, or budget to block every hole and anticipate what's coming next.  It is a risk vs. reward tradeoff discussion."

The best way to tackle this is an honest and deep discussion that oulines the mission, vision, and goals of the organization.  Discuss risks in buckets:

1.   Reputation risk

2.   Regulatory risk / compliance risk

3.   Litigation risk

4.   Information asset risk

5.   Availability risk

Once you have an honest discussion about the risks for each bucket, you can prioritize where to spend your dollars and time.  As an executive team, you discuss where your gaps are, how to mitigate those gaps, and what your recovery plan is when a breach occurs.

I compare preparing your organization's risk and security plan to how you take care of your home. 

  • Maintenance: You do regular maintenance to keep the home looking nice and safe.
  • Priorities: But, you do not have money to do everything so you prioritize what is most important to you and your family.
  • Insurance: You also buy insurance policies in case of fire, theft, or natural disaster.
  • Recovery Plan: But, something bad can still happen and you need a recovery plan in the event that it does.

Q:  Cost controls and convenience have driven the increase in managed security and cloud-based services - do you see the trend in the sourcing of critical operations as the security model of the future?

I have moderated and participated on panels discussing the virtues and vices of cloud-based services.  With the right research and planning, this may be a fantastic option.  I expect this area of services to grow.

Small to medium sized businesses may find that the price point of cloud-based services gives them better security and business continuity then they can afford to provide with in-house resources and solutions.

An area I would encourage organizations to research first is whether or not your industry regulations stipulate controls about your data in motion and at rest.  If so, seek legal help to assist you in understanding what your responsibilities are so you will know if cloud-based services are right for your organization as well as what you need to include in the contract. 

For example, if you fall under HIPAA, it prohibits service providers from sharing medical records to anyone not involved in providing the health care, payment for, or related research.   Make sure your contract language protects this information or you will be in violation of HIPAA.

Q:  Many experts have conceded that there will never be absolute data loss protection - do you see security efforts shifting from a prevention focus to a detection, isolation, and resilience strategy?

The good news is that the industry has been making the shift to data loss prevention frameworks that provide the ability to monitor and protect data whenever it is stored and used.  It can even track the data when it is downloaded off of the main network.

The tough part is the implementation.  Many organizations have not outlined their data architecture to identify each asset they have responsibilities for.  I recommend that organizations spend the time to map their data assets.  For example:  if you house customer credit card or bank account information, map out that data, who uses it, where does that data "go" and then talk about strategies to protect the data.  Some solutions may be as low tech as making sure that employees know never to leave customer data sitting out on their desk. 

Organizations also need to remember that if you make it too tough on your employees, especially the Mr. Incredible, they will find a workaround so they can get the job done.  One organization I know locked down the ability to download data to thumbdrives.  Some innovative employees print what they need to review and take it with them.  I would rather track data then paper reports. 

Q:  As a former CIO, what are some of the challenges you see?

From my days in banking, and it is still true today, providing information to customers was king, 24x7x365 without intervention.

As a CIO, with any organization, I find that leveraging technology is only one of the many challenges. You have to be mindful of your language and talk in business terms, put the techie talk aside.

I use the example of Charlie Brown.  Do you remember what the adults sound like?  They say "wa-wa-wa" and nothing really intelligible. 

Ditch the techie talk and the PowerPoint slides and have real conversations with your executive management team, make them feel comfortable with the information you're sharing, and be respectful of their time and information absorption. It can be difficult.

As soon as you become a Power Point ranger and sending out memos and manuals you are going to lose the battle.  You get an A+ for documentation for compliance but, executives, even with the best intentions, just do not have the time to absorb every single threat or vulnerability that is out there. You have to respect their schedule and their other duties.

Q:  When it comes to technology security, how do you justify investments with decision makers?

It's hard to justify spending for something that hopefully won't happen. You are asking your organization to purchase catastrophic insurance if you think of it in personal terms.  It's pretty simple. The reality is people are going to get into your systems and you have to design around that. The argument is to show how real the threats are and to prepare your organization as best as possible. In the event, something does happen, having the proper recovery processes are also critical to restoring confidence and business continuity.

Q:  In conclusion, what are some of the greatest challenges currently facing a nation's economic security?

Two things really stick out to me:

  • Human Capital and Regulatory - First of all, the current regulatory environment poses a very complex challenge. We have a lot of regulations on the books, and I've been fortunate to work with some of the best and brightest in this area. But, some of the financial instruments being used are very complex and sophisticated. Many bright people coming out of school are going to work in the private sector because of the money they can make. Unless we can provide incentives so that more people choose the oversight and regulatory side of the public sector, we may create gaps in expertise that can pose challenges in enforcing regulations and oversight. We also need transparency; the volume of transactions will always outnumber the sheer human capacity to analyze them. A combination of innovation, technology, and human capital is needed to have better oversight and early warning. Until we find a way to appeal to the patriotic sense of duty to incent additional people, we are going to run into talent shortages.
  • Executive Engagement and Innovation - The basics are just not enough. There's a pay to play such as purchasing hardware, software, and installing firewalls that everyone needs to do. The bad guys know this too and will find ways to work around your technology. This is where the executive engagement and the innovation come into play.

Post Script

A special thanks to Theresa for her time, and for sharing her expertise with the Island community - we are truly fortunate to have her as an active member.

We will continue to spotlight industry thought leaders and innovators like Theresa as a regular feature here at Infosec Island.

Enterprise Security Security Awareness
Federal Military Municipal State/County
Post Rating I Like this!
Fred Williams Good article and I am glad you touched on cloud services as I am currently writing a research paper on this subject. One of the bigger problems that hosting in the cloud exposes is that you don't know where your data goes. Data may be dispersed across multiple data centers all over the world. In addition, multiple copies of the data can exist. In the case of HIPAA, what kind of issues can this bring up where medical records and copies of medical records could be on any server in any part of the world?
Theresa Payton Fred, thank you for your kind words. I would love to trade whitepapers with you. I'm working on security and risks in the technology supply chain, cloud as a component of that. Keep me posted on your findings. I will do the same.
Anthony M. Freed Lance Miller spotted a good article from the ABA on Cloud issues in the Legal community:
Fred Williams Ms. Payton,

I'm honored that you would consider exchanging ideas and I will take you up on that request! I'll send you a separate message on this site's email with my regular email. I plan on completing the paper near the beginning of May but I would like to float it by you earlier if you have time.

Thanks again!

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.