Theresa Payton caught the technology bug while still in high school during a stint in computer support at the Quantico Marines Corps Exchange. After graduate school, she held executive roles in banking technology at Bank of America and Wells Fargo.

She founded the cyber-security company Fortalice Solutions, where she's the CEO, a company that provides expertise to government and private sector organizations to help them improve their information technology systems, and is now one of the 50 top influencers in security and fire.

Digital data collection and surveillance has grown increasingly invasive, and a majority of people (myself included) do not know the full extent to which data is collected, stored and used. Should we be concerned, and if not then why not?

Everyone is collecting data on you at every moment -- your phone when it talked to WiFi and cell towers is telling the phone company where you are. When you use apps, the apps know where you are even when you turn location data off -- it knows where you are because it knows the cell phone tower you're talking to. For the most part, the reason behind this is mostly positive. They're trying to understand your behaviors to offer you coupons and deals, and providing Amber Alerts and weather alerts to keep you safe. All of this collection is done for a good purpose.

However, we're still working out the social norms, like what constitutes whether our privacy is being invaded in the digital world. We also haven't spent enough time thinking about the fact that everything is hackable. My team hasn't found a database that they couldn't crack into. We must change the conversation to, “If you're going to collect the data to help me, how are you going to protect that data when you eventually get breached?"

Have privacy laws been able to keep pace with digital technology? As an example, if I'm grilling fish in my backyard can a neighbor “observe" my actions, via a camera drone, without breaking the law?

In my opinion, privacy laws have not been able to keep up with the digital age. Technology, specifically drones, have been a great tool for law enforcement in spotting potential victims and helping rescue those who need help in dangerous conditions. But with the popularity of domestic drones, this is a discussion that as a society we need to have. It's common knowledge that it's not polite to peep through people's windows -- it's illegal. But do we have any laws protecting us from our neighbors protecting us from flying a drone over our backyard? We don't -- at least not yet.

You served as the first female Chief Information Officer at the White House, overseeing IT operations for President George W. Bush and his staff. What was that like?

I thought from my previous work experience that I'd seen it all -- but when I got to the White House, I realized that wasn't the case. The pivotal moment for me that shifted how I design a security strategy started on my first day. It came down to the people who served at 1600 Pennsylvania and across the entire 3000+ person Executive Office of the President. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security.

After all, if solving cybersecurity and privacy issues were as simple as following security best practices, we would all be safe. It's not that simple. Two key questions came to me the first 90 days at the White House that I had to answer or we would have had a major calamity:

  1. null
  2. null

This made me realize that we must critically reexamine how we assess our security technology, procedures, and methodology to fully understand the full scope of risk we bear daily and to determine the best course of action to mitigate this risk.

Theresa Payton speaking at Microsoft CISO. Photo Courtesy of Briana McDougall

What is the future of biometric data? Are we headed toward voice-activated email access, eliminating the need for keystroke passwords?

Biometric data is becoming much bigger because of the collection methods, like cameras, voice recognition and other methods capturing your image and the measurements of your physical form. Law enforcement can use it for identification purposes, and businesses can use it in their favor, as well. For example, banks like to know their customers are who they say they are, which ultimately protects their customers better.

We need to think of biometrics on a continuum -- on one hand, you can take things like your face or your voice which are physical things that we offer. These are very public biometrics. There are also more private biometrics, like how we walk, our hand geometry or the measurement of our eyes. As we move further down the line, it becomes more disconcerting of what people are taking, as they're all biometric measurements that can be made.

As an extension of the previous question, what might happen if this (potentially) promising technology falls into the wrong hands, like cybercriminals, fascists and military dictators?

We've actually already seen this technology fall into the wrong hands. In my book, Privacy in the Age of Big Data, I give the example that cybercriminals can use gummy bears to copy people's fingerprints and machines recognize them as legitimate. Gummy bears! The reality is that this already happens and we must continue to design security systems for the human psyche and continually evolve best practices to stay ahead of cybercriminals.

How can we “adjust" or better manage our digital behaviors in order to safeguard our privacy?

Most people think free wifi is harmless, but would you use a free toothbrush that was just lying on the floor? Of course not -- because you can't guarantee the hygiene of the toothbrush. Similarly, you shouldn't use free wifi because you can't guarantee its hygiene either. Never use free wifi when conducting sensitive and confidential transactions. The alternative is to use a portable hotspot or to use your cell phone as your own WiFi connection.

Additionally, call your device manufacturer to ask them how to enable encryption and password protection. Consider implementing two-factor authentication for logins on your devices, and use it for all work and personal apps and email addresses as much as possible. If you have someone steal your credentials, unless they have your smartphone, they will not have that code to get into your accounts.

I, like many motorists, have an E-ZPass device. Can I be monitored beyond the toll area? I cannot help but to appreciate the irony: I'm always toting my smartphone everywhere I go. But I read something about the E-ZPass device being used to determine traffic patterns, primarily in heavily congested areas. Is there any truth to this?

A lot of times when using an E-ZPass, we expect them to know we went through a certain toll because they debit their accounts. But do you expect that when you get away from the toll booth? When you use an electronic toll collection system, like E-ZPass, you also open a door for possible government snooping. For instance, in New Jersey, law enforcement can and will access E-ZPass records for criminal cases, but can only do so with a court order.

But when you're not at the toll booth, transportation authorities can install readers that read the tag on your windshield anywhere and monitor your tag anytime you pass -- not just when you pay for the privilege of driving on the road.

In the San Francisco area, the Metropolitan Transportation Commission tracks and collects information from fast passes. If you know about tracking and want to opt out, they provide a bag of Mylar so you can block signals when you are not using the pass to pay a toll.

This doesn't mean you shouldn't use E-ZPass, you just need to determine where on the continuum you fall between risk and reward.

Does anti-drone clothing exist, and if it does, what is it?

Anti-drone clothing does exist. Even though a lot of the good guys use drones, the bad guys use drones, too. In trying to protect our military, just wearing desert camouflage wasn't doing it anymore, so there are anti-drone clothing, blankets and hoodies, which is also available to consumers, too. These will help blur a heat signature, as well as help blur facial recognition technology.

How safe is my digital information? Am I worse off, in some instances, if my email address is stolen versus my social security number?

We're often focused on protecting information like social security numbers, bank accounts and healthcare information, but as you mention, cybercriminals also steal email addresses, habits and demographic information just as, if not more often. I don't hear many concerns about protecting this data, but it could be more valuable than something like your social security number. Part of it is that adversaries are becoming much more sophisticated when it comes to technology, and they're starting to see more value in many of these other pieces of information about you; knowing where you're going and what you're doing.

Has digital privacy ended?

What people need to realize is that 'delete' is never really 'delete.' It's incredibly difficult to be digitally invisible, but it is possible. What I love about the privacy discussion is we are finally having one. I don't believe people really understand up until recently that every finger swipe, mouse click, ATM visit, etc. is being memorialized, correlated, and categorized for future use. On the surface, this data is collected to be "helpful", but that data in the wrong hands is actually not helpful at all. I do think privacy is a personal decision -- while someone may need to be wide open on social media to further their brand/career, a young teen needs more privacy and protection.

Smart homes technology may be all the rage, (Google purchasedNest for approximately $3 billion, a smoke detector and thermostat company), but what if the wrong people hacked into this technology: home security, might I return from vacation to see that I'd been robbed?

Smart home technology has a ton of components, meaning multiple companies participate in the supply chain of putting together that one item. As the systems become more prevalent, I specifically worry about the do-it-yourself kits making their way onto the market, where consumers merely pull a system out of the box and install it themselves without an expert. If you don't make security a priority, you could run into real trouble -- it's possible for hackers to figure out how to unlock your doors, break into video cameras and see inside your house, even control the thermostat if they truly wanted to. As a user, you must ask about the privacy policy of every system you use. If you're transmitting smart data to reduce costs or create safety, security or comfort, you need to know who else is looking at that data.

How did the Equifax hack occur?

Cybercriminals have nothing but time and motivation on their hands to carry out vicious cyber attacks, so Equifax (which houses hundreds of millions of people's sensitive data) is an understandable target for them. I can't comment on the exact specifics of how they achieved their attack as that information is still being investigated, I can say that data segregation is of utmost importance to any size business. We no longer live in a world where breaches are IFs - breaches are WHENs.

How might we make STEM careers more female-inclusive?

While I haven't been shy to talk about the lack of women in STEM careers, the real problem is the overall lack of diversity in STEM. We desperately need fresh ideas, different perspectives, and creative solutions to our problems and having a diverse, inclusive workforce allows for those ideas to flourish.


Stephen Doyle