We are excited to welcome Theresa Payton, one of the nation’s leading experts in cybersecurity and first female White House CIO, as our guest keynote at Evolution18. Don’t miss the chance to meet her in person at our annual conference, April 9-11, in San Francisco. It’s not too late to register and attend!
Before she takes center stage, we asked Theresa to share her thoughts on the state of the security space and how it has evolved since her time as White House CIO. In Part One of our interview, she talks about the evolution of security threats, social media data privacy and enterprise cybersecurity blind spots.
Code42: How have security threats evolved since your time in the White House? Are there any new threats that you didn’t anticipate?
Theresa Payton: Many of the challenges companies face today are similar to the security challenges at the White House. The pivotal moment for me that shifted how I design a security strategy started at the Executive Office of the President, in the White House. The security at the White House could not be just about boxes, servers, oppressive end-user policies and blinking lights in the Security Operations Center. Security at the White House came down to the people who served at 1600 Pennsylvania Avenue, across America and abroad. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security. After all, if solving cybersecurity and privacy issues was as simple as following security best practices, we would all be safe. It’s not that simple.
The cybercrime threats to organizations change every day and move all over the globe. The biggest change is the larger hit to an operation’s systems, especially in the cases where the victim has been hit by ransomware. That’s why companies need to make strategic investments to protect themselves.
The attacks that make the news typically have complex motivations that are both economic and political; but the vast majority of attacks, many unreported, are simply about the money.
As far as any threats that I didn’t anticipate, not so far; but I can say that regarding my predictions, I wish I were wrong.
C42: Based on your time in the government, do you see a law like GDPR ever being passed in the U.S.?
TP: It is possible we will see Congress one day pass a consumer bill of rights for the Internet, digital safety and privacy; but I think we are several years away from that.
Privacy laws, the court systems and law enforcement’s ability to source cases are lagging with the digital age. Technology, specifically drones, have been a great tool for law enforcement in spotting potential victims and helping rescue those who need help in dangerous conditions. But with the popularity of domestic drones, we now have flying spies in our neighborhoods. This is a discussion that as a society we need to have. It’s common knowledge that it’s not polite to peep through people’s windows—it’s illegal.
But do we have any laws protecting us from social media companies collecting and selling our data, credit bureaus from aggregating our spending habits and selling our information, and our neighbors’ surveillance cameras or overhead drones from gathering our data? We don’t—at least not yet.
C42: What are enterprises missing when they think about data security?
TP: It’s very challenging for companies to get their arms around their data architecture. When companies have highly regulated data elements such as HIPAA, PII, PCI-DSS and others, we also see “data haves” and “data have nots” as far as security in those companies. I would ask your business team and your data architects a few questions to see what might be missing from your data security plan.
The first one is to ask, “Have we actually had a company discussion on what our top two or three most critical assets are? And do we agree?” I think a very simple way to do that is you get in a staff meeting. Tell everybody no peeking. Pass out index cards and have everybody write down their list. Ask a facilitator to help you force rank each list until all agree on a company list.
The next question you should ask is, “What is our worst digital-disaster nightmare?” Name it and define it. Practice (dealing with) that nightmare. Learn what capabilities you have and don’t have. Discover where you need new partners to assist you. And then figure out what you can’t mitigate on your own through partners, through process, through technology—that’s what you want to go get cyber liability insurance to cover.
The other thing that I think companies overlook is that you can increase your security and reliability and also your resiliency if you pick the right cloud-services provider. If you are holding on to some legacy mail platforms and things like that, it may be time to reintroduce making a strategic decision around the cloud. That could save you money and it could, if you pick the right provider, create a whole new set of security protections and protocols you don’t have in-house.
More about Theresa: A pioneering technology leader
Theresa Payton is one of the nation’s leading experts in cybersecurity and IT strategy. She is currently CEO of Fortalice Solutions, an industry-leading security consulting company; and co-founder of Dark Cubed, a cybersecurity product company.
Theresa began her career in financial services, and after executive roles at Bank of America and Wachovia, she served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.