Soulful CXO Podcast

The 5 Step Process Framework for Success | A Conversation with Theresa Payton | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

Learn how the first woman White House CIO balanced her day and kept her life intact. Stay tuned to learn her simple but effective process.

Episode Notes

Guest: Theresa Payton, Chief Advisor and CEO of Fortalice®, LLC [@FortaliceLLC] and former White House Chief Information Officer (CIO) of the Executive Office of the President (EOP) from 2006-2008. She was the first woman to hold this position.

On Twitter | https://twitter.com/TrackerPayton

On LinkedIn | https://www.linkedin.com/in/theresapayton

________________________________

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________


Episode Description

The role of a CIO or CISO is a global, 24/7 operation, and the work is never-ending. Therefore, it is crucial for these professionals to establish guardrails and not allow the pace to overwhelm them. This episode offers real-life examples of how to pace oneself, prioritize effectively, and reimagine the CISO and CIO roles to ensure the well-being and success of these professionals. Plus, learn why Theresa didn't initially accept the White House call!

________________________________


For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Episode Transcription

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today Theresa Payton. Theresa is one of the nation's most respected authorities on cybersecurity. A visionary U.S. patent holder and security design. She made history as the first-ever female White House Chief Information Officer. Today she is president and CEO of Fortalice Solutions. Her many awards include the 2019 Woman Cybersecurity Leader of the Year and Cybersecurity Crusader of the Year. I said, so magazine.

Business Insider named her one of the top 50 cybersecurity leaders. And in 2021, she was named one of the top 50 women in tech by Award Magazine. Cybersecurity experts named her one of the top 100 most influential people in cybersecurity. She is the author of multiple industry-leading books on IT strategy and cyber [00:01:00] security, including Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family. And her book Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, The Guardian included on the 2022 list of the top 10 books about cyber crime. She frequently appears in the media and starred in the crime series Hunted. Theresa, my friend, welcome to the show.

Theresa Payton: Oh my gosh, Rebecca, I've been looking forward to this. This is like the highlight of my week to spend this time with you. So thanks for inviting me. 

Dr. Rebecca Wynn: Great. Theresa, I was thinking about when all of a sudden you get offered the CIO position, the first woman CIO position in the White House. How did you even process that as a leader? How did you even go about processing any of that stuff and then confidence in yourself that you could do that role?

Theresa Payton: Yeah, no, it's a great question. And it's funny, I [00:02:00] remember. So my parents are both my heroes. They're the epitome of servant style leadership in family community, in their faith and at work.

And my mom was a Marine Corps brat. My dad was an Air Force and Army brat. My dad's career Marine and then career law enforcement. They just were incredible examples, and I still remember I came home from work one day and my parents called me on the phone to see how I was doing, and I was really frustrated and I said, I'm so sick and tired of being underestimated.

I was in a meeting, I'm the youngest one there, and I had all these ideas I kept trying to share. People talked over me. I was the only woman in the room. And some people even said my ideas that I said 30 minutes earlier, and I said, I'm just... I'm just frustrated today. And my dad said to me, and this has stuck with me my whole career, he said, your greatest gift is being underestimated because you can operate [00:03:00] in stealth mode and nobody will ever see you coming.

So just remember when you're underestimated, turn that into positive energy and just go for it. And so that has stuck with me. And funny you should ask about the White House, because it's a phone call I almost didn't return. I thought I was being socially engineered. I didn't know anybody at the White House.

I'd just come back from maternity leave with my second kid, and I'm so glad I took that phone call. But I remember in the interview process, Rebecca, saying, how am I qualified for this job? And it is a unique interview process because most of the questions you would normally ask, I didn't have a clearance to receive the answer.

So when I would ask things about budget or FTE or the top three initiatives, I didn't have a clearance to be given the answer, so it's an unusual interview process. So I finally just said, how am I even qualified for this job? And what was really fascinating was I had just a [00:04:00] phenomenal leader in the Office of Administration, director John Strub.

He's an incredible leader, very humble, and he said, Theresa, you have responsibility for global operations at the bank. Highly regulated. You're in a fishbowl. Everybody's, the systems that you run are all in the spotlight and you figure out how to make it all work. You know how to fight fraudsters and cyber criminals.

He goes, believe me, the things you don't know we can teach you, but there's a lot that we don't know. And so that gave me that comfort level. I'm also a faith-based person, so I spend a lot of time asking people to pray for me for discernment, and just really felt like I was being called and led and this was my way to serve.

My husband had been in the military. I did not serve in the military. I was a military spouse. And so I felt if our men and women were having to go to Afghanistan, which they were at the time, I thought I could certainly hop on a plane or hop in the car and go [00:05:00] serve my country. 

Dr. Rebecca Wynn: Oh, that's amazing.

You're in rooms with the biggest and the brightest and the best. There must have been like some really cool leadership principles you learned or how to even handle stress, what kind of things could you pass on to us along those lines about handling key situations like that we face day to day as CISOs and CIOs?

Theresa Payton: No, it's great. And it's interesting, there are some enduring principles that I learned during my time in banking and certainly learned during my time at the White House, which is truly this global 24 by seven operation, and those actually applied to each and every one of us. You have to pace yourself. The work is never going to stop, and don't allow the pace to run you. You have to find ways to put up those guardrails and to say, yes, this is a priority, but everything can't be the number one priority, [00:06:00] and spend time force stack ranking of priorities.

The other thing I would say is, a lot of times I hear people say, I'm trying to get a day off, or I'm looking forward to a long weekend so I can finally renew and recharge. Build five to 10 minutes into each workday and look for that opportunity to recharge. You might not get that full day off, I'm sad to say, but if you can find that time to recharge.

And I'll tell you what recharging doesn't include. It does not include doom scrolling on social media or different news websites, right? So if you're taking five minutes, go for a walk. Just look outside. I always try to have flowers from the farmer's market in my office. Find that bright spot and plan it into every day so that you have that moment to renew and recharge.

I also, Rebecca, you and I talked about this before, I've got this system of the five Fs, which I [00:07:00] developed as I was heading into the White House. I had some really good mentors say to me, you're gonna burn yourself out if you don't pace yourself, and you need a system. I'm very creative, but I like to have creativity be within like a process framework.

So I created a color-coded system that works for me, and everybody needs to find their own, but it's called my five Fs, and I book time on my calendar based on my five Fs. So my five Fs are family, friends, faith and fellowship in the community. And then the last piece is, what am I fighting for every day at work?

Because we spend so much time at work. And then I color code those five Fs. And as I look at my calendar at the end of the month, some months it's a little lopsided, and I make a commitment to myself to actually change my allocation for the next 30 days. Everybody has to find the right system that works for them.

But that's something [00:08:00] that has really served me well over the years. 

Dr. Rebecca Wynn: You see where leadership and companies are not exactly sure where to even put CISOs right now; they're just really in flux. Do you have any viewpoints on that? On one, how to have companies better select CIOs and CISOs in the right roles, and also to help people who are like going, I'm not in the right roles for me.

How do I kinda spin out? And then how do I actually get to the heart and core of who I am as an individual and get to a better position for myself? 

Theresa Payton: I always caution CIOs and CISOs that, you know, so for the CIO you're looking at technical debt, you're looking at transformation and innovation strategies, and then you've gotta run business as usual, right? So that's typically a big part of the CIO job, is these three different hats you have to wear.

And part of that for business continuity is resiliency, reliability, recoverability. And the CISO organization also has responsibility for [00:09:00] recoverability resiliency and reliability as well. And I always say when you look at those three Rs and you talk about resiliency, it actually starts with you as the leader.

You are no good to anybody else, and you're gonna be no good to the playbooks. If you're resilient yourself and you can't be resilient if you use up everything you have, there's nothing left to give. That's where holding yourself accountable to some type of a system, just like you hold if you have to deliver on a compliance framework, or you have to deliver on a certification, right?

You're holding yourself, you're benchmarking yourself, you're holding yourself accountable and giving the systems and the processes and the outcomes a scorecard. You have to start here. You know, it's like when you get on the airlines, right? I've got three kids and I remember thinking to myself, I can't believe they tell you,

if you're traveling with small children, put the oxygen mask on yourself [00:10:00] first before helping others. But then when you really think about it, if you pass out, you're no good to your kids and they won't know what to do. So you have to make sure that resiliency plans start with yourself, and that's healthy sets of patterns and guidelines.

Now, I also think that we need to reimagine the CIO and the CSO roles. We are asking people to do superhuman efforts that are just impossible. And so I really think it's ripe for transformative thinking. So for example, what if there were co-CSO roles or there were shift CSO roles? What if there were ways to... A lot of organizations don't wanna have a top-heavy management structure.

Maybe that does apply here within CISO and CIO organizations, given the fact that everyone is now a technology company. You just happen to do [00:11:00] something else for your revenue model, and everyone is a cybersecurity company. 'Cause if you're not, you're gonna get hacked and not be resilient and recoverable.

And so because of that, how do we think about these teams being more of a 24 by seven operation, not just the tools. Not just the technology, but actually the people themselves. And we haven't really addressed it that way. Maybe you have a security operations center where you've got shift work, but you don't really have shift work for the leadership team.

So we've gotta reimagine and transform our thinking there. 

Dr. Rebecca Wynn: Those are really great points, and tying back into a point you had earlier, and you talked about prioritization quite a bit. I know that's one thing we do get hit when you're trying to run global, you're on 24/7, you're getting hit right and left. How do you go about, when you get inundated with so many requests, how do you go about trying to figure out what's your first, first, as I like to call them? What do you do to try and [00:12:00] figure that out?

Theresa Payton: Yeah, it's one of the things I love to water ski.

I don't get to do it nearly enough. And I remember when I was first learning to water ski, it was actually my business partner took us out on his boat, business partner in banking. So my team supported all of the problem commercial small business, middle market lending, all of the officers, the loan officers, and the customer relationships.

So we supported all of their technology platforms. It was a very stressful job, and if you get something wrong with those platforms, it's really not good for the bank. So our business partner who we supported, he took us out on his boat and I remember him teaching me how to water ski, and one of the first things he said to me was, you always need to have slack because you never know when you're gonna hit a wake.

And if your arms are straight out, when you hit that wake, you're going to take a spill. And so he would be yelling at me from the boat. Make sure [00:13:00] you keep slack. Make sure you keep the slack. And that's the same with the workplace. You have to build in open spaces on your work calendar. And that allows you to, when that thing happens and it comes in and you need to deal with it, that allows you to have that time, to have that slack to be able to react.

I can tell you, it seems like the days that I don't practice that and I've got everything in 15 and 30 minute increments, that's the day something happens and it's just like unrecoverable. There's something that just becomes urgent, on fire, and I had no slack to make room for it. And it can be done.

You just have to plan it. I'll give you another example. We decided in the dog days of summer, we knew to plan for the unplanned. We weren't sure what was gonna happen with incident response with ransomware events, et cetera. And we already had a pretty strenuous level workload of work. [00:14:00]

So I made the decision that unless a client had an ongoing incident, every Friday for nine Fridays in July and August, our employees would be off. There would be no formal meetings, and that Fridays were a day to renew and recharge in case the next Friday you were on an incident response team.

We then moved into, we made a commitment to the employees that September and October Fridays are called Fun Fridays. There are no internal meetings on Fridays unless it's something fun that you want to work on, like an R&D project or a passion project. If you have to have a meeting with a client because it's incident response, you have to do that.

But if it's not an incident response and it's a regular meeting, get it done between Monday through Thursday, giving people back desk time to give them slack. And so we're trying to find creative [00:15:00] ways to reimagine the work week and give people that flexibility. Just saying, get your work done,

and not giving people guardrails is really too hard on people. And so we thought, isn't it nice to know you have a desk day to finish your work, to do great work for the clients, to do great work by your teammates and to know and look forward to that Friday to like putting a nice bow on things, unless of course there's an incident response.

So there's different ways you can do it, not. What's working for my company may not work for everybody else, but those are some examples of how we're trying to make a difference. 

Dr. Rebecca Wynn: What do you recommend people do that when you do get that incident?

Not everybody has really major incidents, and the first thing you do is you tense up. When your team tenses, you don't hold, have that free thought. What do you guys do and what do you recommend that when people have those situations come and you wanna tense up as a human, how do you work through those first 30 seconds, three minutes, five minutes to really go ahead and be able to tackle those more [00:16:00] mindfully?

Theresa Payton: Yeah, no, it's a great point. One of the things you can do is practice, rehearse having to deal with an incident, rehearse having to deal with bad news or system outage. Just, even if it's just a light framework of a playbook of, oh gosh, I hope this never happens, but if it does, let's just practice that.

We can't access Slack all day today. What would we do instead? Or let's just practice Zoom is down. These are all kind of things that can happen that are just productivity busters, and then there's things that can be a lot worse. I observed when Facebook, Instagram, and WhatsApp were out for about six to six and a half hours, I observed a lot of people saying, for people that we communicate with in Europe, we don't have any other way to get ahold of them.

There were also some small to midsize businesses. They don't have [00:17:00] websites, they Facebook and Instagram is how they actually sell retail products and do customer service with their clients. So be asking yourself now, can I practice having to respond to some type of an incident that would make my day really challenging?

And by practicing, you're gonna get that muscle memory, so that when you hit any type of an incident, even if it's when you didn't practice, you'll have your own framework of take a deep breath in. Okay? Don't forget to exhale and breathe back in again. Okay. Now what do we have as a playbook or what can we do?

You're right, Rebecca, it's, our world is so fast-paced at work and at home. Our home lives, there's a lot going on. We're being bombarded with a lot, and in some cases some people are still working from home. And so there that separation isn't there like it used to be. And so maybe you like not having the commute, but then again,

there's work always calling you, even on [00:18:00] Sunday. So finding those ways to practice that incident, having a response. Also, think about if you know you have emotional triggers to things, have somebody you know and trust that's a colleague. Maybe you have a certain code with them.

And so if they see, maybe you're putting yourself into a danger zone in your response. Maybe it's a simple word. Maybe they scratch their nose when you're getting a certain way and only the two of you know what that is, and that may be just enough to help you step back away from the ledge.

Dr. Rebecca Wynn: What do you look at when you're trying to prioritize budgets and you're trying to get more budgets? A lot of times it's hard for us making that business case to grab that we have a hard time tying that together. And through your years, you've learned how to do that really well.

What's some words or wisdoms you can give our audience on how to make the business case and what do we need in technology? 

Theresa Payton: Sure. I hope that most [00:19:00] people listening to this, Rebecca, the fact that they're just even listening tells me that they probably know this already. Playing the, we have to do it otherwise compliance and regulatory, or we have to do it because fear, uncertainty, and doubt, that doesn't work as well with the business unit.

So you'll get the bare minimum if that is your only strategy. Those are certainly both important, but what I tell CISOs that you need to really do is understand what business problem is your organization trying to solve. What are the human stories?

How do humans, the customers, interact with the technology and to interact with your company? How do your employees interact with technology to get their job done? And once you understand the user stories, then have a conversation with the executives who make the decisions on budgets and priorities and say, here are the user stories and here's where we need to [00:20:00] inject more security to secure the human in the foreground, in the background, and show how you weave the security into the user story.

You're gonna have a much better time helping sell the business case if you relate it into the business story. If you start talking firewalls and multifactor authentication absent of those user stories, you're gonna lose the business executives.

The other piece you can do, it is hard to show return on investment, but one of the things you can do is if you are doing incident response playbooks, you can say, look, based on where our maturity is today, if this incident were to happen, my back of the napkin calculation is this is what the expenses would look like to the organization.

Okay? Now, if I were to have this playbook, but implement either more staff or certain technology solutions, [00:21:00] I believe I could reduce the expense that would be created by this incident by this amount. So you can actually crosswalk your executives with you playbook by playbook to show them how the investment makes a difference.

Candidly, you can show yourself sometimes I have CISOs, they're so bought into, I gotta have this product and this solution, and I've gotta have one pane of glass and I gotta have all these, and then you add it all up and they're like, people just don't care. I don't know why. And then you sit down and you say, okay, here's your playbook.

How much do you think it would cost without it? Okay, so you wanna spend a gazillion dollars. How much more money are you gonna save? Not much. I don't know about you, but if it was your checkbook, is that, would that be a winning business case for you? So part of it is it gets you bought into what you're asking for as well, and that can be a great way to get closer to some type of a return on investment for your executives.

Dr. Rebecca Wynn: I thought those are great points. I talked [00:22:00] quite a bit about the return on the efficiency and return on the investment. That's really what they want, even though that's not what they're saying. And then tying it into the enterprise risk management. I'd be remiss though if I did not talk about women in security, women in CIOs, CTOs and positions, and we're still not quite getting there. And I know that you do a lot in STEM and things along those lines.

What's your viewpoint on what's going on and women trying to make headway on getting some of these top positions and having our voices heard?

Theresa Payton: Sure. For starters, we still continue to have an ongoing brand problem. I'll ask people, if somebody says cyber crime, what's the first image people typically think of?

And it's usually a man in a hoodie. It's probably bluish green with ones and zeros. And I understand it's, but it's one of those things where it's hard for, from a diversity and inclusion standpoint, for underrepresented [00:23:00] groups, including females, to really say I see myself there. Although I've got half of my closet is hoodies.

Who doesn't love a great hoodie? The idea of somebody alone in the dark and it's gloomy and zoomy looking is just unappealing. I would say the other thing too is diversity and inclusion isn't just who you hire to be your employees, it's also who do you hire as your consultants and your services providers?

And so there continues to be a real challenge where there's a bias towards the big names or a bias towards only certain types of organizations. And I get a little disheartened when I see the leadership teams on the websites, and it's rare to see a truly DEI looking leadership team.

And it's not just looks, it's background. Where did they go to school? Did they [00:24:00] skip college because they did something else instead and went straight into the workforce? And so to me, diversity, inclusion, there's gender, but there's also your walk of life. There's your cultural background, your ethnicity. It all makes up for a very rich tapestry.

And if we're going to solve the cyber criminal problem and the rising tide of cyber crime, it's going to take new and innovative and creative thinking, which means it's going to take a very rich tapestry of all walks of life, including gender inclusion. So I highly encourage women to seek out both male and female mentors.

But I also say don't give up. So if you find culturally things are not rewarding and satisfying for you, reach out to other colleagues in the industry and make sure you align your passions and you're working at the right culture for you. Don't give up on the [00:25:00] career in STEM just because you didn't find the right place.

Just keep searching and keep networking and reaching out. You will eventually find your calling and your passion in the right place for you where you can thrive. 

Dr. Rebecca Wynn: Theresa, as we start to wrap up here, how do people get ahold of you and your company if they want your services, or you personally, if they like to go ahead and engage you in speaking engagements? What's the best way to do, you know, both of those?

Theresa Payton: Sure. Thank you for that, Rebecca. We have company accounts on LinkedIn, Instagram, Twitter. We have a group, it's for both men and women, a safe space to promote more women in STEM, on LinkedIn called Help A Sister Up that you can join, and we tell people, we've seen all kinds of amazing organic things happen there.

We've seen people become mentors, become mentees, get jobs, post jobs, share research and information that can be a very organic, authentic place. We don't overly [00:26:00] manage it. We allow people to join the group and then we let the group have its own life there. If you wanna reach out to the company, Watchman@FortaliceSolutions.com. On Twitter, I'm @TrackerPayton.

That's probably the place I'm the most active as far as social media goes. Certainly, I'll accept your invite on LinkedIn, but I'm not always Johnny on the spot on LinkedIn every day. If you want to book a Fortalice employee as a speaker, you can email Watchmen at Fortalice Solutions. If you want to book me, I'm booked through Keppler Speakers Bureau and you can call them or email them and they manage my calendar and make sure I go from point A to point B on time.

Dr. Rebecca Wynn: Theresa, it's been an absolute pleasure to have you on the show. You are a Soulful CXO. 

Theresa Payton: Rebecca, back at you, and keep up the great work. You do so much to give back to the community and the greater good. So I'm really proud of you. I'm proud to know you, Rebecca.