3 Questions With Security Expert Theresa Payton
February 12, 2014
Theresa Payton, who served as CIO of the White House from May 2006 through September 2008, is now CEO and chief advisor of Fortalice, a cybersecurity consulting firm. She is also the coauthor of Privacy in the Age of Big Data: Recognizing the Threats, Defending Your Rights, and Protecting Your Family. “This is the next area where our privacy and security could be put at risk,” she says. The purpose of the book is to inform, engage, and empower individuals and businesses to take back their data privacy. “If all I did was scare you, I only did half of the job,” she says.
Tell us about being CIO of the White House. How did it come about?
It was an incredible honor to be able to serve the country that way. I come from a long line of people serving their country—my grandfathers, my husband, his dad, my uncles were all in the military. I was just back from maternity leave with my second child, and I got a call out of the blue. The administration was making a concerted effort to bring in new people with new perspectives and new ideas, and I just happened to be on somebody’s list.
The process takes almost a year by the time you interview with everyone and do background checks. It’s a political appointee job, and you serve at their pleasure. Your job could end on any day. I commuted every week [from Charlotte, N.C.]. At the end of [the presidential] administration, I would come home. Then I found out I was pregnant with my third child, and the commute and the hours were not really conducive, so I accelerated my transition plan.
What would surprise us most about being CIO of the White House?
2006 was a long way away from a new presidential cycle. I came in with two-and-a-half years to go, and asked, “What’s on our top five list?” and they said “The transition.” We had more digital records than the administrations before us. We needed to start planning to make sure we preserved everything, according to the Presidential Records Act and the Federal Records Management Act. We also had to preserve things in a way so it would be easy for the presidential library and archives to make them available to citizens.
While the new president is being sworn in, the systems that run the White House are shut down—those records are considered the records of the presidency—then you flip the switch and turn them back on and start a new presidency. So there has to be clarity between the records of the two presidencies.
It was something really interesting to be undertaking. For example, take photographs. With President Clinton, the first part of his presidency was film and then digital. With President George W. Bush, his entire presidency was digital. I was doing a back-of-the-napkin estimate for the National Archives and they were asking how many gigabytes it would be. I said, “Gigabytes? I think we’ll be talking zettabytes.” I don’t think people realize how incredible the amount of data is that’s collected as a normal part of doing business.
The other thing that was important was thinking through the next wave of technology that would be hitting the White House. How do we make sure we have the platform to support the technology? The second piece was cybersecurity. It wasn’t an afterthought—it has to be #1. We were always looking at that technology in terms of a risk vs. reward discussion. Nobody wants it under their watch for people to be compromised because you didn’t think through different outcomes.
What does your company do and what advice can you offer to businesses?
We work with businesses and government organizations and help them think through cybersecurity threats targeted at them and help them make good decisions about where to plug holes and make investments. We may also come in after a disaster to help them get online.
You don’t have enough money and time to fix everything, so you have to focus on where to spend the time and the resources on fighting the bad guys.
There’s no shortage of advice out there on cybersecurity. It can be overwhelming. We cut through the noise and say, “You need to understand the threats that are going to take your personal life or your business life and compromise it.” For example, in the White House, we couldn’t fix everything we knew was wrong. You never have enough staff to fix every vulnerability. You have to think differently about the threats targeting you and react accordingly.
In the business world, if a company spends all its funding on security and not on marketing, the company is protected—and out of business. Not all vulnerabilities are equal. If you’re a manufacturing company, I want you to go after the malware that goes into system controls.
What I tell businesses is, we have an insatiable appetite for data and we do a lousy job of protecting it. Instead of having it in one treasure chest, we have to think differently about our digital assets. In the White House, our top two important assets were the President and the Vice President. That’s not to say we weren’t concerned about the 3,000 staffers, but we had to ask, were we ever compromising the President or the Vice President or the mission they were on?
This is as opposed to our security culture, which currently says, “Build this big moat, with antivirus, antimalware, and intrusion detection.” Executives hit a saturation level and, in their mind, they’re done. But all they did was create rings, so if people can get in, they can take everything.
Instead, we have to focus around specific protection strategies. Where is your data stored? Does vendor access create a weak link? If the data is sold or posted on the web or on the front page, would it put you out of business? Companies need strategies around those assets.