Last time, I had fun speaking with my friend, red team-minded student/teacher Alana Staszczyszyn.
This time, I had the privilege of speaking with cybersecurity and intelligence industry veteran Theresa Payton. She’s always had tons of responsibility. She went from the White House to start her own private sector firm, Fortalice Solutions.
Kim Crawley: Hi, Theresa! Please tell me about what you do.
Theresa Payton: I’m blessed to be the CEO of Fortalice Solutions, which allows me and my team the opportunity to defend our clients (nations, businesses, and people) from behind a keyboard. I’m also a wife, soccer/cross country/basketball/karate mom to three great kids and the proud mom of two wonderful rescue dogs (Great Pyrenees) named King Seamus and Princess Leia.
KC: So, you helped found Fortalice. What led to the birth of your company? What are some major accomplishments your company has achieved so far?
TP: When I left the White House, I was pregnant with my third child and was reflecting upon my time in the federal government. I felt that the country had invested significant time and training in me during my tenure, and I felt called to honor that.
I searched high and low for a security and intelligence operations company that designed first for the human, trained to think like the adversary and tackled offensive security and incident response the way I felt it needed to be done.
My husband and I discussed this calling, and he encouraged me to launch my own company.
We joke at Fortalice that we are professional secret keepers. My team thinks it’s hilarious that our clients often refer to our team and the work that I do as the Olivia Pope of Cyber since we never discuss our clients or projects we’ve worked on without express written permission. So I can’t divulge too much, but this past year was one of our biggest yet. We were fortunate enough to more than double in size and revenue, and we are continuing on that trajectory now. Working pro-bono with law enforcement and organizations on cases ranging from victims of revenge porn and online dating scams to human trafficking and childhood sexual exploitation is so rewarding because we get to see how technology can literally save lives.
KC: How has being a White House veteran given you an advantage in your private sector cybersecurity work?
TP: Great question! I believe that my time at the White House changed how I look at security and discuss it with the clients we work with today. That has assisted me with our work in the private sector. The pivotal moment for me that shifted how I design a security strategy started in my first 90 days at the White House. It really came down to the people who served at 1600 Pennsylvania Ave. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security. After all, if solving cyber security and privacy issues were as simple as following security best practices, we would all be safe. I realized my old way of thinking—that it was mainly a training, education, policy and process issue—was not going to be enough for what we were facing then and now.
I would also add that things have changed tremendously since my time at the White House.
KC: Do you have any advice for women who are considering careers in intelligence or cybersecurity?
TP: When I was CIO, which was from 2006 to 2008, we were right at the beginning of truly harnessing the power of big data analytics, implementing more internet of things devices and witnessing the bloom of the still-budding social media scene. Sometimes even I forget that it was just 2007 when Apple released the first-generation iPhone!
As much as things change, the more they stay the same, though. Designs must include options for maintaining operational stability and resiliency even during a major catastrophe where the cause is nature-made or man-made. In an age where cybercrime constantly changes, as does the technology in the hands of people, the security approach needs to evolve and stay creative and dynamic.
A lot of progress has been made to make the field more accessible to women and more attractive as a career choice, but we still have so far to go. First of all, I am so grateful that President Bush and his leadership team at the Executive Office of the President made diversity and inclusion such a high priority during his administration.
It was a true honor to be the first in several roles throughout my career, including as the first female CIO at the White House. There was a wonderful level of professional courtesy and respect, and when you’re working 18-hour days with people, you tend to break down most barriers pretty quickly. And I am very proud of improving the overall technology and security platforms at the White House, as well as being able to recruit really great talent, including women and minorities, into the CIO team at the Executive Office of the President.
Within our own company Fortalice, we do a mentor/protégé programme. When people come in and they haven’t done cyber before, they get assigned somebody in the company that’s their coach and mentor.
First, I would love for women to realize this is not a job where you have to lock yourself in a dark room with a hoodie and hover alone over a computer. Hoodies are very cozy, and I have a closet full of them, but there is much more to the roles you can play than a loner. This truly is a noble cause profession where you can make a huge difference by helping solve crimes, prevent crimes and protect what matters most to organizations and even individuals.
I would encourage them to attend security and intelligence conferences but to try-before-they-buy by talking to colleagues, checking out the conference presentations for free by going online to sites such as Black Hat, RSA, and others and looking at the presentations that were provided at the conference. I would grab a friend or two and go together to share your experience.
There are also a lot of online courses that you can take to dabble in different areas of security. Some of these courses are free. For example, I took a Python class online on my own time for free two summers ago, and it was very well done.
For those making career changes or who are early on in their careers, look for places to volunteer at the intersection point of your law enforcement groups and the private sector such as some of the excellent programs that I have heard about in Canada and the UK. I have also worked with and on the board for the FBI InfraGard in North Carolina.
KC: Do you have any theories about how the cyber threat landscape is evolving?
TP: The threat landscape evolves as we add new technologies that are incorporated into our transactions and how we interact with the internet but also as we find ways to stop the adversary. We will never be able to build security that will stop all bad things from happening because we will always have bad people in the world. It would be a great day if cybercriminals hit a brick wall in trying to hack into a company and they said, “Wow, this is so hard. Maybe I should go be a good person now and bake pies for the sick and the elderly.” They will not do that. They will either move on to the next victim and hope they are more vulnerable, or they will find another way to attack. The adversaries are engaging newer technologies such as AI, machine learning and big data to step up their own evasion capabilities.
For example, we are now seeing malware that is designed to evade most of today’s detection techniques. We see attacks hiding in encrypted communications and traffic.
There’s also a new playbook being used by nation states and cybercriminal groups that Russia perfected during the 2016 U.S. presidential election. That playbook is the evolution of hacking social sentiments and using misinformation campaigns. It was used to create public unrest around the globe and provoke arguments on both sides of issues. In the future, it could be used to defame individuals, industries and organizations.
KC: Do you have anything else to add before we go?
TP: It’s true there is a shortage of women in cybersecurity, but there is not a lack of talented and strong women in this world. Cybersecurity and intelligence require a general shakeup, and perhaps women are the ones to do it. I’m grateful that I have the opportunity to talk about my industry, and I hope more women see this as their first career choice… and that they can even wear their favorite hoodie.
The team at Fortalice created the Help a Sister Up LinkedIn group to serve as a resource to empower women in cyber. If anyone, male or female, wants to promote and support women in cybersecurity, we’d love for them to join. This is a complete safe space to ask fellow infosec and intelligence professionals about industry trends, helpful resources or just to make a personal connection and attract others to a possible career in cyber.
My biggest piece of advice to executives everywhere is to be creative, innovative, open, purposeful and mindful about how a candidate looks beyond their appearance on paper. Hiring managers should look for women, minorities and veterans who may not be the exact “type” of candidate they are looking for, but if they invest the time to train them on the core skills and also be a coach and mentor, they can get them up to speed. You can’t hardwire someone to emotionally want to fight to avenge what’s wrong in the world, but often you can teach them the technical parts. Take a chance on hiring someone who may not fully meet your requirements. This, in turn, creates loyal, creative problem solvers who are more likely to stay at their organization.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.