09 Jul Former White House CIO On Women In Cybersecurity, Daughters, and Hackers
Theresa Payton explains how she got into tech during high school, and how to get more young people into cyber
– Georgia Reid
Northport, N.Y. – Jul. 9, 2018
Cybercrime Magazine spoke with Theresa Payton, former White House CIO, about women in cybersecurity, how she got interested in cyber, the gender gap in the field, daughters, hackers, and why cyber is a noble profession for women and men alike.
Listen to the Podcast or watch the Video below to hear more about what Theresa had to say about her pro-bono work to stop human trafficking, as well as practical advice for CEOs and individuals for better cybersecurity.
CM: How did you get interested in a career path in cybersecurity?
TP: My family is comprised of a long line of US military and law enforcement professionals. We all have a call to serve, to defend, and to protect the public proactively, by taking preventative security measures, as opposed to a reactive approach. Serving and protecting is in the DNA and fabric of my family on both sides, and also for my husband’s family as well.
The technology that led me to catch the cyber bug came in my early years in school as a military kid, where we had access to school computers. I went to high school at Quantico Marine Corp Base, and a class in computer programming was mandatory. I am so grateful that the US Marine Corp and the Department of Defense saw the value in us learning new technologies, and made this non-negotiable.
From there, I found my love for computer programming, and I went on to do my undergraduate studies at Immaculata University with a double major in economics and business administration, and my school had a certificate program in computer programming. My number one question to myself was “how can I be as employable as possible?” So, I did all of the above.
That led to an MS in Management of Information Systems at the University of Virginia, where I studied artificial intelligence and code generators, always thinking of a career in technology.
CM: Who were some of your mentors and role models when you first started your career?
TP: My boss, Maureen, at Barnett Banks, before it was acquired by Bank of America, who is a female executive in tech and operations.
Maureen hired me, took me under her wing, and had me working on really cutting-edge tech projects. We didn’t call it cybersecurity back then, but that is what we were doing.
CM: What advice would you give young women looking for a mentor in cybersecurity?
TP: I think there needs to be a win-win situation for both mentor and mentee. A mentorship shouldn’t be all work on the part of a mentor.
Also, a good mentor doesn’t have to be a senior executive. They can be a few years ahead of you or even in a peer group. Tell this person that you admire them. Ask, “Can I buy you a cup of coffee and use you as a sounding board?” If people ask me to do that, and not all the work is on me, then that makes for a successful mentor-mentee relationship.
Always send a follow-up note letting them know that the mentorship is helping, what you have learned, and say thank you.
CM: What kind of opportunities do you see in the next few years for women in cyber, and how has the field shifted to include more women in this space?
TP: Thankfully cyber has made a significant change. My company, Fortalice Solutions, employs 42 people (and growing), 40% of them women. Also, fraud prevention and cybersecurity are now converging. And there are a lot of women who are in fraud operations – which was previously paper-based and is now digital – who can come work in cybersecurity.
I used to be the only woman in the room. I learned to stand up for myself and make sure my voice was heard. My technical acumen was often questioned based on the fact that I am a woman. I can say with certainty that grace and tact go a long way in fighting that.
I am seeing more women attending conferences now than ever before. And I don’t mean all women conferences where the events were based around discussing ways to fight the unfair balance of men and women in the cybersecurity space. I see a lot more women at the big cyber conferences. There are a lot more women involved than ever before.
CM: What are some ways you and your peers have been working to attract more young people and young women specifically to the cybersecurity space?
TP: Several years ago, I attended a conference and got to speak with a female cybersecurity executive at Cisco. She and I both have daughters, and we both said we want them to consider a career following in our footsteps. She came up with a great idea and said, “Why don’t we create a cyber camp for students?”
That’s when we founded The InfraGard CyberCamp in North Carolina. This program graduates 30 kids a year from all walks of life — male, female, and economically disadvantaged students included. The camp is held each year at the Microsoft Campus adjacent to the FBI Charlotte Headquarters building. We provide students with security training, security tools training, forensic analysis, and other activities. The hope is that our campers choose cybersecurity as their profession.
I say to high-schoolers, “If you won’t want to carry a gun and wear a badge, then you can do it (serve and protect people) from behind a keyboard.”
Fortalice also started a group called Help A Sister Up on LinkedIn — #hasu. This space is dedicated to advancing women in technology and serving as a rallying point for them and their male advocates. We post job openings, articles, and avenues for discussion. Please join us!
CM: It sounds like there are great opportunities for excellent careers here that maybe some women are not aware of. What do you think could help make this a more attractive career path for women to follow?
TP: One of the main issues is the way cybersecurity is branded in the minds of the public. People sometimes lump ethical and unethical hackers together. Hackers used to mean something other than “internet criminal.” However, ethical hackers are good people who prevent BAD PEOPLE from ruining people’s lives and stealing private or government information.
You help people in cybersecurity in many ways, such as setting up a simple firewall, all the way up to complex data architecture, or even sitting down and talking to an AI software engineer, asking questions like, “How do you want those customer service chatbots to work,” just as an example.
I think women want to know that the work they are doing makes a difference in people’s lives.
I can’t think of any more noble cause than to say privacy and reputations matter, and we protect them and our work matters. With my work, I can say, “I can be the first line of defense. I can make a difference.”
There are so many opportunities to protect and defend the privacy of the communications in our lives and to protect identities. It’s such noble work, and if we can get this message out, we would not have a recruiting issue for women.
CM: Would you mind providing an example you can think of about making a difference in someone’s life?
TP: We use our cybersecurity intelligence techniques for individuals and businesses.
We had an athlete who had his reputation ruined online. He was just a working dad and wanted to provide for his son, but someone went about ruining his reputation on the internet. Using cybersecurity techniques, we found the source of the issue and helped him get his online persona and reputation back.
We have also helped victims of revenge porn, human trafficking and romance fraud.
CM: How does your company, Fortalice Solutions, go about hiring such a diverse and talented staff of both men and women?
TP: We can say we have a diverse group of employees. Veterans, people of color, and we are at roughly 40 percent women at our company.
I believe hiring managers in cybersecurity could be more flexible in required qualifications and characteristics of candidates. Being more flexible would open up a much larger pool of talent from which to choose.
We tell our recruiting firms that we want to hire men and women, people with diverse backgrounds, and US veterans. We are also willing to hire individuals with a non-traditional career path, such as those without a college degree, but who have the demonstrated technical skills to complete the work.
CM: What kind of gender gap, if any, do you see within the cybersecurity space when it comes to men and women?
TP: Interestingly, and I don’t know why, I see much more women apply to blue team roles, aka defenders of networks from security breaches, as opposed to red team roles, aka ethical hacking.
I would like to ask the females, “Where are you on the red team?”
CM: Why do you think cybersecurity has traditionally been a more male-dominated field?
TP: We have a compounded problem — females don’t identify with a “hacker” or a cybersecurity brand, so they don’t consider cyber as a career. And additionally, we don’t have a lot of women leaders in cyber yet. There was a survey of women in technology, done in April 2013, where 45 percent of respondents said the lack of female role models is why they are not in technology.
I do think this is changing, however. I am seeing more and more women in the field, and we will have more women staying in the field to become future leaders.
CM: What is something that has happened in your career that you are most proud of?
TP: Most of our cases we cannot talk about, as they are strictly confidential, but one example that I am proud of is a public case — public because the FBI asked us to go public — The USA vs. Huang.
Fortalice was working with a small business in a unique niche in the energy industry. This company was in the middle of doing a joint venture in China. We wanted to protect intellectual property and decided to do a proactive sweep first, before any further actions were taken, to make sure there were no leaks. We found there were indeed indicators of compromise. Someone from inside the company was selling secrets — we did not know who just yet.
We are proud that our work for our client found this individual, identified and gathered forensic evidence, and that this evidence found him guilty.
The US paid for the research that he was trying to steal, and the FBI took this very seriously.
(You can read a news report about the case here)
CM: Finally, what advice would you give to our readers who are interested in learning more about cybersecurity as a profession?
TP: In this field, regardless if you’re a man or woman, we need to be a constant student of our profession.
If you can’t make it to a conference, there are amazing free tools out there — RSA, TED Talks and even YouTube videos — that include speeches from veteran cybersecurity professionals discussing their careers, their advice on how to succeed in the cyber industry, and new skills to keep you competitive in the workplace.
There are also free cybersecurity online courses, excellent security frameworks and guidance available for free online such as the NIST Framework, CIS Critical Security Controls, SSAE 16 and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts.
Unfortunately, it has been more difficult for senior women who are looking for a career change. With the way the job market has been, even in security, it has been a challenge. To these women, I say do not be afraid to explore freelance work if you’re looking to get into the field. And if you already have a full-time job, look for opportunities to serve on volunteer committees or projects.
– Georgia Reid
– Steve Morgan, Founder and CEO of Cybersecurity Ventures, contributed to this article.