Theresa Payton


Original Interview, February 14, 2023

This interview was conducted by Abby Sonnier, Policy Analyst at Consortium Networks.

An inventor and visionary in the digital world, a U.S. patent holder, and the first female White House CIO, a two-time company founder and CEO, Theresa Payton, was named one of the “Top 50 Women in Tech” by Award Magazine and as one of the “Top 25 Most Influential People in Security” by Security Magazine.
As White House Chief Information Officer (CIO) at the Executive Office of the President from 2006 to 2008, she administered the information technology enterprise for the president and 3,000 staff members. Prior to her time at the White House, Theresa Payton was a Senior Technology Executive in banking, spending 16 years providing banking solutions using emerging technologies. Payton founded Fortalice in 2008 and lends her expertise to government and private sector organizations to help them improve their information technology systems.

What was the moment or problem set that inspired you to go into cybersecurity?

I always say this is a career that found me and that I didn’t even know what I was doing until I was doing it.

I started off in the financial services industry right after earning my MS in Management Information Systems at the University of Virginia doing development on a team called End User Computing. I liked doing the cutting edge stuff for Barnett Bank (now part of Bank of America).

Over the course of my time in the financial services industry in working on these customer facing technologies with a lot of money and client data moving around, we had the responsibility for making sure fraudsters couldn't get in between the customers and the bank and ensure anyone with cyber criminal intent couldn’t access the systems, the data, or the transactions. Cybersecurity was intertwined into everything I was responsible for. Fast forward, I had the opportunity to work for President George W. Bush as the first female Chief Information Officer at the White House. Each president can make decisions about the scope of the role, but I was responsible for technology operations, which included cybersecurity.

That was when I had that first aha moment. I had to think about cybersecurity as it was ingrained within the human story. If you build in security in a way that makes it to where no one can get in, the end user that is supposed to be supported by the technology will be impacted and will find workarounds to get their job done. In doing so, you are not actually providing the service you were supposed to be providing. There is an enormous responsibility to make cybersecurity an enabler; it can’t be in the way of getting the work done because if it’s in the way the you are actually creating unnecessary risks and vulnerabilities.

How have you seen the space change since you entered it, especially considering the new departments and authorities in the White House and throughout the policy space in Congress?

Because I was there from 2006 to 2008, I was there when the first-ever iPhone came out, and that’s really the consumerization of technology. Prior to the iPhone, if you wanted the best internet or search results, you had to do that at the computer in your workplace, not at your house. You suddenly had the ability to message people in a way that wasn’t possible with the two-way text pagers or flip phones. With the advancement in technology, the consumerization of high speed access anytime and anywhere, cyber criminals paid attention and decided they didn’t have to only go after the best funded and guarded government and commercial organizations, they can go after the consumers. Instead of looking for opportunities to bypass strong defenses, they could focus on the working, multitasking, and stretched-thin individuals with a computer in their pocket.

Was it difficult to initiate these conversations around cybersecurity before 2007 when cyber operations were first used as an obvious tool of statecraft in Estonia?

It’s always an evolving conversation with executives. Executives set a strategy with a mission and a vision and they want it enabled– they want it continuous, scalable, resilient, reliable, and safe.

Though security was taken very seriously at the White House, a lot of things that are commonplace now hadn’t happened yet. A lot of times, we were having conversations about protecting and defending based on things that happened that might be classified or on things that might happen. On those occasions, we needed to make a business case for a possibility where money needed to be spent on the security program even though something bad could still happen. That is a hard sell even today and was an even harder one in 2006.

I was very fortunate that my chain of command supported me. That is something that today’s technology and cybersecurity leaders need- executive understanding and support. Be willing to be challenged and willing to let the leadership team know that you will stretch every dollar as far as it can go. Doing so will win you the opportunity to have a seat at the table and get the support you need to do the hard work.

Being a woman at the White House in this role must have been difficult. What are some of the skills you think helped you most in getting your message across, being listened to, and being taken seriously?

I had really great mentors, both male and female, as I was coming up through the ranks in the financial services industry. When I first started working, I had a lot of ideas and would share those ideas, but I didn’t feel like they were being heard. It felt like that trope of a woman saying an idea, then a man saying it louder and everyone thinking it is great.

After a long day of work, I said to my parents that I felt really underestimated and that I was trying to speak up but kept getting talked over or interrupted. I didn’t know why I was having trouble expressing myself or that I needed to work on my presentation or something, and my dad said, “You’re operating in stealth mode and that’s a gift. You’re being underestimated and that’s okay– don’t let it define you or get you down. Instead, use that as your secret weapon. Put your head down, get the work done, and look for opportunities to speak up. They’ll never see it coming. Suddenly they’ll see your incredible idea and you’ll be ready to execute.”

He told me that I would just have to put in the work and the time, but eventually would be noticed and heard, and he was right.

How did you find that opportunity to speak up?

After having that conversation with my dad, I realized that I can’t control how I am treated in a meeting, but I can control my reaction to it. So, I looked for a way to do things differently and after one meeting, I asked somebody if they could take a walk with me to get a cup of coffee at the employee cafeteria. I told them that I had a lot of ideas about what we were talking about at the meeting that day and that I wanted to do a better job. I told them that I was still junior in the role but I wanted to do a better job of presenting my ideas and asked them if I could meet with them and use them as a sounding board before the next meeting and if they could give me some tough feedback after the meeting. They said absolutely.

Going forward, I used that person as a sounding board. I didn’t complain to them. I didn’t say what was going on. I only used them as a sounding board. What was interesting was that when I went into the next meeting and was talked over, that individual stopped them and brought it back to me, saying “wait a minute, Theresa, tell them the part you were telling me about.”

Suddenly, I had sponsorship at the table. Everybody was paying attention to what I had to say because that individual brought me in. Afterward, they said to me, “you know your stuff. We all know you know your stuff. You don’t have to justify why you have an idea or tell us everything in a meeting to get your point across. Give the idea, short and succinct.” I earned the right not to prove that I did my research. At meetings, I needed to just give my idea and wait for them to ask questions rather than try to anticipate any doubts they may have about me.

It was an incredible lesson for me to see this person who I only intended to use as a sounding board take ownership of my success.

Do you have any final thoughts you would like to leave us with?

We need everybody in technology and cybersecurity. To those that don’t think of themselves as technical or don’t want to be a developer or work with hardware or analyze code– that’s okay. We need everything. We need creatives to create art and media about cybersecurity, privacy, and how to catch cyber criminals– those are the things that inspire the next generation.

I would encourage people, whether you’re already many years into your career and think “if I had to do it all over again, I’d be in cybersecurity” or those early in your career thinking you didn’t take the right classes in college, or those still in high school considering if you could be in cybersecurity, there is a role for you here.