Theresa Payton made history as the first female to serve as White House Chief Information Officer and currently helps organizations in both the public and private sectors protect their most valuable resources.
Managing cybersecurity risk is what Payton knows and does best. Before overseeing IT operations as CIO for President George W. Bush and his administration, she held executive roles in banking technology for two of the country’s top financial institutions. After serving in the White House, she went on to co-found Dark3, a cybersecurity product company, and Fortalice Solutions, a world-class cybersecurity consulting firm ranked a “Top 5 Most Innovative Cybersecurity Company” in Northern Virginia, Maryland, and DC.
Named one of the “Top 25 Most Influential People in Security” by Security Magazine, Payton was also featured in the book 100 Fascinating Women Fighting Cybercrime and honored as the 2019 Woman Cybersecurity Leader of the Year. She is the author of several publications on IT strategy and cybersecurity, including Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, released in April of 2020.
Connect with Theresa on Facebook and follow Fortalice on LinkedIn.
Show Transcript
Intro: [00:00:04] Broadcasting live from the Business RadioX studios in Atlanta, Georgia, it’s time for GWBC Radio’s Open for Business. Now, here’s your host.
Lee Kantor: [00:00:18] Lee Kantor here. Another episode of GWBC Open for Business. And this will be an interesting one. Today, I have Theresa Payton, and she is with Fortalice Solutions. Welcome.
Theresa Payton: [00:00:30] Well, thank you for having me.
Lee Kantor: [00:00:32] Well, Theresa, before we get too far into things, tell us about Fortalice. How are you serving folks?
Theresa Payton: [00:00:38] Well, one of the things that we focus on is we serve patients, businesses, and people. And we really feel like preparation is the best strategy to protect your organization, but bad things do happen, unfortunately. So, we’re also there and stand by you to protect you and help you during kind of a worst crisis scenario, which is responding to a cyber crime incident. So, we do both proactive and reactive side.
Lee Kantor: [00:01:11] So, now, how did you get into this line of work?
Theresa Payton: [00:01:15] Well, it’s interesting, I started off in the financial services industry, and I was on the technology side, but coming up through the ranks in banking, I had responsibility, not only for delivering technology that we wanted our banking clients to use, but I had responsibility for making sure fraud losses were low, and making sure that the technology was secure, and protecting our clients’ right to privacy. And so, by having sort of this kind of full-scale responsibility, that really shaped how I thought about security, which was security needs to be something that enables customers, not kind of that last thing you do before you access data like a very complex password.
Theresa Payton: [00:02:02] And I had the opportunity to work for George W. Bush, President George W. Bush at the White House and, again, had sort of that responsibility for technology operations and cyber security. And really sort of that was the genesis behind creating Fortalice and really creating a services company to take care of you as if you were somebody on the White House staff and to service our clients the way I wished I had been taken care of when I was in roles in banking and at the White House.
Lee Kantor: [00:02:38] Now, cyber security touches everybody and in maybe ways that surprise some people. It’s not only just keeping my identity safe or my money safe. It can kind of work into elections and things like that. You recently published a book, Manipulated Inside the Cyber War to Hijack Elections and Distort the Truth. Can you talk about how cyber crimes getting involved in elections?
Theresa Payton: [00:03:05] Yes, sure. Absolutely. One of the honors that we have is actually helping different states and different vendors that play a role in our election ecosystem to make sure that things or processes are strong and that the technology is secure and safe, so that when you vote, your vote is counted the way you intended it to be. But kind of the other piece that people need to be thinking about as it relates to election security is sort of our personal reactions to the issues.
Theresa Payton: [00:03:39] And so, it used to be you could hear candidates talk on an issue, you could look at trusted vetted news sources on the issue, and then talk to your neighbors and make up your own mind. But what I learned in my years of working cybercrime is that nation, states, and also unscrupulous political operatives are leveraging social media to influence you on not just how do you vote on certain issues, but maybe even to disenfranchise you into not even wanting to vote at all.
Theresa Payton: [00:04:15] And so, cyber security for elections works everywhere from whether or not the paper ballot that you requested, that you requested from the right place, and did you mail in your ballot to the right place, to if you go Election Day and you vote on electronic voting equipment, is your vote secure there? But also, how you get information on these election issues and making sure that you’re not a victim of a misinformation or manipulation campaign.
Theresa Payton: [00:04:47] So, cyber criminals now have found their way into every aspect of our electoral process as far as an ecosystem goes. And that’s an area we have a lot of passion in making sure that every voter knows how to vote, knows how to make sure their vote is counted the way it was cast, and also knows how to get information on the issues in a way where they can make up their own mind.
Lee Kantor: [00:05:11] Now, let’s talk about, for our listener, that’s the business owner, is there anything actionable that you can recommend in order to stay safe for whether it’s their business or them as individuals?
Theresa Payton: [00:05:25] Sure, there’s a couple of things, especially during COVID-19 and sort of post-pandemic thinking about your planning. For starters, the remote worker to be thinking about making sure that any of your remote access has multifactor authentication turned on. In other words, they can’t just log in using a user ID and password. Like, for example, a text code or some type of an image is sent to their cellphone, and they need to use that additional step to get into remote access to your system.
Theresa Payton: [00:06:02] Pay special attention to the phishing – P-H-I-S-H, phishing – emails that are coming in. I just saw a report from Google that said two things: [1], that they’re blocking 18 million scam messages a day dedicated to something around coronavirus; and [2], the security industry has now said that COVID-19 and the topics surrounding the coronavirus are the most used in cyber crime scams ever in the history of internet and internet scams.
Theresa Payton: [00:06:42] So, that is the new normal to be dealing with. So, make sure that your e-mail system, that it’s secure, that you’re thinking about maybe more aggressively, actually, blocking emails that talk about CDC, that talk about WHO, that talk about COVID-19, and having a more manual process for deciding whether or not those mail items are actually legitimate. Be thinking about different approaches where your employees may not have to actually click on a link or open an attachment. Find a way to scan those before they do that to prevent your company from becoming a victim of cyber criminals syndicate.
Lee Kantor: [00:07:24] So, now, what do you do when you get an email that you’re like, “Well, that could be a phishing attempt,” or what are some of the clues you’re looking for when you’re seeing an e-mail because they’re pretty clever in the way that they look, and a lot of smart people have been fooled?
Theresa Payton: [00:07:43] Yes, no, you’re right. So, it’s interesting. We have some pretty sophisticated rules and processes in place at my company to block things before they go into our in-basket. But here’s an interesting one that actually got past all of this security software tools that we have in place, and the email was set up from a domain name that looks very similar to our company domain name, and it went to one of my employees, and it said it was from me. So, just a hint, my employees know I hate email, so I don’t email them because I don’t need anymore e-mails because if I e-mail you, you’re going to e-mail me back. And so, I try to avoid emails much as I can. So, that was like one clue. I never email my own employees. Like, we have an internal messaging platform we use.
Theresa Payton: [00:08:31] The second thing was it asked him to act quickly on my behalf. I would just pick up the phone. And then, the third thing was I was asking him in this email to buy gift cards for the employees, but to text me the gift card information. So, if you think about that, right, like if it’s a behavior from an executive is not what you’re not normally used to seeing, that’s a red flag. Asking you to act quickly, another red flag. And then, the third is some type of, “Buy something electronically, and then tell me what it is electronically.” And so, you notice there is no video conferencing there. There was no phone calling there. It was all electronic.
Theresa Payton: [00:09:16] And then, the other dead giveaway was they actually gave him a cellphone to text the information to. They made the comment that it was another cellphone that I was using. Well, it wasn’t my cellphone number. So, all of those things can be red flags. And it was very well done. I mean, we all commented. Like somebody had done enough of research to figure out Paul worked for me, and that maybe I would reach out to Paul on something like that.
Theresa Payton: [00:09:43] So, the other thing that you can do when you get emails besides that trust but verify, he reached out to me immediately. The other thing you can do, it’s not 100% foolproof, but you can take a link or an attachment in an email, and you can go to a free product called virustotal.com ,and cut and paste the attachment or the email, and it’ll tell you whether or not somebody else has reported across like 60 different sources whether or not that is a malicious link or attachment. So, that can also be sort of an extra way to do a trust but verify on emails that you get.
Lee Kantor: [00:10:22] Now, let’s talk a little bit about your relationship with GWBC. How has that organization impacted your business?
Theresa Payton: [00:10:30] Well, I mean, it’s been wonderful. I’ve had different people who have learned about our company. So, not only is it rare to find a woman who is in cybersecurity, but it’s even more rare to have kind of a woman-owned business that’s a pure-play cyber security company. And so, it’s been a great way to network. But also, we have had both private sector companies and government organizations who have a commitment to diversity. And as part of their commitment to diversity, they want to mentor women-owned businesses, and they want to buy from women-owned businesses. And having that certification helps give them some assurances. But here’s the other thing, they also know a third party from the outside is staking their reputation on that certification. And so, that gives them additional peace of mind as well.
Lee Kantor: [00:11:30] Now, in your business, has this virus, other than create maybe opportunities, like depleting phishing scams around it, but has the virus impacted your business on how you do business or are most of your workers remote workers?
Theresa Payton: [00:11:43] Well, it’s interesting. There’s a big part of what we do that we can do remotely. And then, there’s another part of it that does require sort of that in-person. It’s really hard to collaborate on video conferences. Technology is nice, but it doesn’t replace the opportunity to get in front of a whiteboard together, and really draw in kind of real time, and then go grab a bite to eat together, and sort of the different parts of an in-person relationship that you can develop. That’s really hard to replicate remote.
Theresa Payton: [00:12:20] But we’ve sent everybody very early on, we sent everybody home. We started the kind of the early days in February telling staff that if they were uncomfortable coming into the office, also telling them if they weren’t feeling well to just work from home, and it would be a judgment-free zone, but better to have an abundance of caution than to put themselves and their coworkers at risk. And so, we went to that model pretty early, and we went to a flexible shift model as well.
Theresa Payton: [00:12:54] The other thing that we’re doing as a company is many of our clients are under stress and duress based on their vertical industry, where they typically get their revenue from entertainment, sports. I mean, you name it. Almost every industry has had some type of an impact. And so, what we’ve been doing is, I call it reimagining and pivoting to be where our customers are going to need us to be most.
Theresa Payton: [00:13:22] So, for example, one of the services that was incredibly popular and high demand before COVID-19 was to do red team,to act like an adversary and to really show if we were a cyber criminal, how we would attack a network. This isn’t really the best time to be doing something like that while people are working from home. So, instead, what we’ve been doing is pivoting and saying to our client, “Red teaming can be a very disruptive take your eye off the ball type of operation. Let’s instead do something called threat hunting, which is something where you can look for potential indicators of compromise. You can also look to see, has the company been scanned by the outside world in a way that looks like somebody has nefarious intent with that type of scanning that’s been conducted?”
Theresa Payton: [00:14:16] So, we can actually look to see sort of like, has somebody been peeking in your windows just doing some surveillance on you? And that doesn’t require having your employees or your team sort of take the eye off the ball of trying to make sure that you’re a resilient organization during COVID but, also, as we go into post-pandemic mode, you need to focus on what makes your business profitable. So, we need to pivot and sort of be where you are and be where you need us most.
Lee Kantor: [00:14:46] Yeah, it’s an interesting time where a real virus is kind of making cyber viruses more available. There’ll be more of those floating around. I guess, a lot of people. Because the people, the bad actors, this is what they do for a living. This isn’t the young kid that’s in the basement eating Cheetos and drinking Red Bull. These are people, countries, businesses that this is their job 24/7 is to penetrate these organizations.
Theresa Payton: [00:15:22] Yeah. No, you’re right about that. As a matter of fact, having studied these cyber criminal syndicates and nation states for decades now, what a lot of people need to realize is, I mean, cyber criminals are everywhere. I mean, America has them. Every country has them. But some of the best and the brightest to pull off some of the biggest heists, they live in economies that are not very good. So, this is one way for them to … I know it sounds crazy, but in their minds, they really have a mindset that this is a noble calling because they’re providing for their family and their communities.
Theresa Payton: [00:16:04] And it kind of turns sort of the compass of morals, for them, are turned on their head because in their mind, they’re stealing from wealthy economies who aren’t going to really miss the pennies on the dollar. They don’t really see us as human beings running a business, and you’re stealing our livelihood, and you’re impacting our reputation, and you’re impacting a business’s resiliency, and reliability, and their reputation. They see it as, “You’re not going to miss it much. And this will really help me out a lot.”
Theresa Payton: [00:16:38] And it’s a real crazy kind of moral code that these cyber criminal syndicates follow, but it’s a real and present danger because as you mentioned, they’re at this 24/7. They don’t follow any rule book. So, where we have to, as businesses, have insurance, we have to go through certifications, we have to get a business license, background check. Like we have to do a lot of things that are the right things to do to be an ethical, well-run company. They don’t have to follow any of those rules. And it’s all show up, do your job, and you’ll get paid. So, it’s very tough because we’re not playing from the same playing field. It’s not just a matter of, are they smarter than us or better than that? They’re not. They just don’t have any rules they have to follow, and they’re doing this all day long.
Lee Kantor: [00:17:32] Right. And they don’t have to be right all the time. They just have to figure it out once.
Theresa Payton: [00:17:37] No.
Lee Kantor: [00:17:37] And then, once they’re in there, then they’ll get what they get. And then, if you stop them, then they’ll work on another and work around. I mean, they’re working as hard, if not harder, than our side.
Theresa Payton: [00:17:51] Yeah, in some cases. And they have specialties as well. So, for example, a lot of people don’t realize that ransomware, it’s not like some elite team, and it’s a team of five people. They’re all orchestrated with great clarity. Oftentimes, it’s multiple groups that come together to pull off the ransomware. It’s almost like a pyramid scheme, how they all get paid to do what they do. So, some of them will have, like they build the ransomware. Another group may actually house and deploy it. Another group will actually have the keys and show up with the keys. Another group will actually provide technical support. So, if you don’t know how to get cryptocurrency, you don’t know how to pay them, you don’t know where to find the keys. They’ll actually walk you through all the steps. And they all basically participate in the ransomware syndicate, and they may not ever meet each other, know each other, they don’t work for like a boss, but they all come together and they all make money out of that process.
Lee Kantor: [00:18:59] Crazy stuff. Well, thank you so much for sharing your story and kind of warning us about what’s out there. If somebody wanted to learn more and have more substantive conversation with you or somebody on your team, what’s the website?
Theresa Payton: [00:19:14] Sure. It’s www.fortalicesolutions.com. And if anybody is a big LinkedIn user, we actually have a group that the women of our companies set up called Help a Sister up on LinkedIn, which is a safe place for both men and women to promote more women in STEM, especially cyber security. So, if you are trying to hire people, if you’re trying to find people, be a mentor, looking for a mentee, feel free. We’re always looking for new members to join that group and participate, share research. It’s a really fun way to get connected to an amazing global group of men and women who are very passionate about promoting more women in STEM and helping a sister up.
Lee Kantor: [00:20:02] Well, thank you again for being part of this. And again, the website is Fortalicesolutions.com. It looks like Fortalicesolutions.com, but it sounds like Fortalicesolutuons.com. Is that right, Theresa?
Theresa Payton: [00:20:16] Yes, that’s exactly right. Yes. And you can also find us on Instagram. We’re @FortaliceSolutions. We’re @FortaliceLLC on Twitter. And I’m at @trackerpayton. We’re on LinkedIn, and we’re also on Facebook.
Lee Kantor: [00:20:32] All right. This is Lee Kantor. We will see him next time on GWBC Open for Business.
About Your Host
Roz Lewis is President & CEO – Greater Women’s Business Council (GWBC®), a regional partner organization of the Women’s Business Enterprise National Council (WBENC) and a member of the WBENC Board of Directors.
Previous career roles at Delta Air Lines included Flight Attendant, In-Flight Supervisor and Program Manager, Corporate Supplier Diversity.
During her career she has received numerous awards and accolades. Most notable: Atlanta Business Chronicle’s 2018 Diversity & Inclusion award; 2017 inducted into the WBE Hall of Fame by the American Institute of Diversity and Commerce and 2010 – Women Out Front Award from Georgia Tech University.
She has written and been featured in articles on GWBC® and supplier diversity for Forbes Magazine SE, Minority Business Enterprise, The Atlanta Tribune, WE- USA, Minorities and Women in Business magazines. Her quotes are published in The Girls Guide to Building a Million Dollar Business book by Susan Wilson Solovic and Guide Coaching by Ellen M. Dotts, Monique A. Honaman and Stacy L. Sollenberger. Recently, she appeared on Atlanta Business Chronicle’s BIZ on 11Alive, WXIA to talk about the importance of mentoring for women.
In 2010, Lewis was invited to the White House for Council on Women and Girls Entrepreneur Conference for the announcement of the Small Business Administration (SBA) new Women Owned Small Business Rule approved by Congress. In 2014, she was invited to the White House to participate in sessions on small business priorities and the Affordable Care Act.
Roz Lewis received her BS degree from Florida International University, Miami, FL and has the following training/certifications: Certified Purchasing Managers (CPM); Certified Professional in Supplier Diversity (CPSD), Institute for Supply Management (ISM)of Supplier Diversity and Procurement: Diversity Leadership Academy of Atlanta (DLAA), Negotiations, Supply Management Strategies and Analytical Purchasing.
Connect with Roz on LinkedIn.
About GWBC
The Greater Women’s Business Council (GWBC®) is at the forefront of redefining women business enterprises (WBEs). An increasing focus on supplier diversity means major corporations are viewing our WBEs as innovative, flexible and competitive solutions. The number of women-owned businesses is rising to reflect an increasingly diverse consumer base of women making a majority of buying decision for herself, her family and her business. 
GWBC® has partnered with dozens of major companies who are committed to providing a sustainable foundation through our guiding principles to bring education, training and the standardization of national certification to women businesses in Georgia, North Carolina and South Carolina
