Theresa Payton is a cybersecurity and intelligence operations expert who helps people and companies to strengthen their privacy and information security.
Payton was the first female to serve as White House chief information officer, overseeing IT operations for the President and his staff from 2006 to 2008 during a period of unprecedented technological change and escalating threats. Previously, she held executive roles in banking technology at Bank of America and Wells Fargo.
Payton is now founder, president and CEO of cybersecurity consulting firm Fortalice Solutions, and co-founder of Dark3, a cybersecurity product company.
She was also recently featured as the deputy director of intelligence operations on the new hit CBS reality show Hunted, and she collaborated with cybersecurity and privacy attorney Ted Claypoole to author two books focused on helping others learn how to protect their privacy online.
Payton was a keynote speaker at Infosecurity ISACA North America Expo and Conference in New York this week, where she gave a presentation exploring the role new and emerging technologies are playing in the safety and security of data. Infosecurity Magazine spoke to Payton at the event to learn more.
How big an impact are new technologies having on organizations and their information security efforts?
New technologies are improving the bottom line, assisting with better customer service and creating new ways for technology to seamlessly integrate into our lives. We almost do not realize they are there in the background anymore! From voice assistants to smart thermostats, we often have the technology we need at our fingertips.
However, the long-term impact of new technologies on organizations is widely not understood as it relates to the ramifications for information security strategies and ongoing safety, security and resiliency of operations. The majority of organizations that I work with, from those with basic security in place to those with significant investments in security, are still viewing new technologies as a plug-in that needs to be secured at its endpoints. For many security teams already stretched too thin, this is the best they can do in order to keep up with the fast pace of change in their organizations. Looking at the security of new technology is a great place to start but not the end game. Each time a new system or technology is introduced, the ecosystem needs to be reviewed holistically. Many security teams do not have the time, resources or luxury of doing this more than once a year at best.
How important is it for organizations to ensure security is at the forefront of new technology implementation?
Twenty years ago, most cyber-heists focused on identity theft of credit card data, stealing government and military secrets and theft of intellectual property. The cyber-criminals needed to be fairly savvy, sophisticated and stealthy and often needed some type of a ground game such as money mules or inside knowledge to assist with the digital break-in.
Now, cybercrime has evolved to the point where it is practically like picking up a paint-by-number kit to make a mini-masterpiece. The commoditization of cybercrime, the ability to purchase crime-as-a-service, has elevated cybercrime to one of the most significant systemic risks facing our global economy. Organizations must assume that they will be broken into – they cannot keep cyber-criminals out. If you design your security strategy with that mindset, every new technology should be logically and physically segmented off from the crown jewels. Digital kill switches need to be built in between the systems of a company’s digital ecosystem to ensure that when the worst happens the company can begin to flip kill switches and get shields up to protect and defend the other parts of their infrastructure.
How big a role will new technology play in organizational cybersecurity in the next five to 10 years?
A huge role! I no longer look at new technology as a separate component to protect and defend. I look at new technology as part of the larger ecosystem of our daily lives. It just is there and it is ubiquitous. Cybersecurity teams can no longer afford to be solely relegated to the concerns of responding to audits, compliance checklists and data and network security. We need to completely upend where cybersecurity reports come from and who we put in charge. We need excellent practitioners at the audit, checklist, data, network and technology levels but the leadership and inspiration for the cybersecurity plan and team should stem from innovation efforts. Often cybersecurity is viewed by the board as an operational function, part of business as usual. This will be our undoing if we continue to treat cybersecurity solely as an operational function.
We are already losing the battle: after decades of upskilling talent, spending millions approaching trillions, and installing all types of tools, products and solutions, we still get attacked and we still have outages due to ransomware and DDoS attacks. That does not feel like a winning strategy to me. We should not be ‘doubling down,’ we should be looking for the new plan of attack.
Take for example the rollout of 5G networks. I predict this rollout, widely hailed as essential for economic survival by those that I affectionately call the ‘Internet of Everything Fans and Autonomous of Everything Enthusiasts,’ will rise to become the most vexing issue that the CISO will be faced with. 5G will run almost 1000 times the speed of the current internet – that means cybercrimes will also happen at that same speed. We truly have no idea what this means for our current threat landscape. Remember the headlines of the last couple of years of cities, counties, airports and other entities locked up for days, weeks and sometimes months due to ransomware? Wait until every city becomes a ‘smart city.’