The Race for Real Cybersecurity

An Interview with Theresa Payton, Former White House Chief Information Officer


The threats to organizational cybersecurity change every day and move all over the globe. That’s why companies need to make strategic investments to protect themselves, Theresa Payton, former White House Chief Information Officer under US President George W. Bush, cautioned during her recent discussion with BCG’s Ketil Gjerstad.

Theresa, thanks for joining us this afternoon to talk about what I know is your favorite topic: cybersecurity. Will you start by highlighting how to define cybersecurity, what it means, and how to think about it?

The old-school way of looking at cybersecurity was thinking about a company and the company's networks and then putting firewalls around the networks. But cybercriminals have changed their tactics so much.

So the way I would describe cybersecurity to a digital immigrant is protecting your cyberfootprint. You leave a cyberfootprint in your personal life and you leave one in your work life. That cyberfootprint is the little details and clues and the tracks you leave behind based on how you conduct business or conduct your personal life. Those are the items that have to be protected because if they're not, they can be taken advantage of by the cybercriminals.  

How can you get cybersecurity on the agenda of executives? How can you approach the problem? And how can you structure the defense?

No company is perfect. It's not a technology issue. It's a creativity issue and an issue of business risks. We have to really try to understand what risks we are willing to take and which ones are non-negotiable business risks.

What you see in safer companies are the executives taking this very seriously. You often see a governance board, which could be different executives from around the company—so you may see [executives from] marketing, customer service, legal, finance, and risk.

Often, finance is assuming the role of getting that group together because finance is also thinking about the business strategy, business enablement, and new things coming down the pike for the company. Spending that time to talk upfront at the executive level about security as it relates to the most critical assets is vital to making sure that the issue actually permeates through the whole rest of the company.

I would assume that given that much of [the problem] is related to human mistakes in the first place, how do you implement cultural and other changes related to cybersecurity?

Culture is so important. When I was working in financial services, my perspective at the time was, "If we could just train everybody better, have more clearly written policies and procedures, and just remind people, then we'd all be safer." I realize now I was wrong.

And I realized when I got to the White House, "These threats change every day. They're moving all over the globe. If I'm going to chase more than 3,000 people down to tell them what they need to worry about that day, they're not going to be able to do their jobs—and I'm going to fail at mine."

It dawned on me, "Why in spite of all of these hours of absolutely boring computer-based training on security, which we all have to take, why do people still click on links?" It's literally because the technology was never built with them in mind.

Often, when you see the data breach and the fact that a human was the creator of it, [the error] was that person actually trying to get something done for the company. So they actually meant well. They weren't being negligent.

How do you get into the hearts and minds of the employees so they pause and take a deep breath before they click on that link or open that attachment?

Some of it is training and some of it is culture, coming from the top. Some of the best practices I've seen include actually holding contests. For example, some will do social engineering training. [Hackers use social engineering approaches like phishing to get information that enables them to bypass computer security systems.] They'll tell all the employees they're going to do a contest, and the team that doesn't fall prey to the social engineering [attempts to trick employees into sharing security information] gets a pizza party or something like that.

Now I've also seen in other cultures where the [names of the] people who clicked on links went [into a virtual] hall of shame—basically highlighting that they put the company at risk. It has to be what works for your culture.

How would you frame cybersecurity to establish a good strategy?

Well, for starters, I'd ask, “What is that we're been doing wrong here?” We've been talking about training the human, telling them not to click on links for, I don't know, 10 years, and they still do. So why do we think that this year, if we just train them more, we're going to get a different result?

So I would actually ask the questions, "What have we not tried? Do we think it will actually make a difference? How do we do something different?" Because the computer-based training is not working. Let's try something new.

Get creative and get innovative with it because the cybercriminals change their tactics all the time. It used to be it was very easy to spot a social engineering email. And most people know not to pick up a thumb drive in the parking lot at work and then plug it into a desktop.

So why do they still get in? Because they get more and more creative. So every year, we have to change and we have to up our game too.

Is it possible to measure the return on investments in cybersecurity?

It is. It's not easy, but if anybody can do it in the organization, it's going to be the CFO. The way I would look at that is there's no perfect formula, but we like to look at the expected cost if a data breach were to happen.

You don't want to start creating some ridiculous number. But pick those one, two, or three most critical assets that are vital to your organization—the ones that [if something happened to them] you'd basically cease to exist as a company.

Then look at the cost of investment [in protecting those] and look at the difference between the two. That helps you understand whether or not there's a true return on investment there.

The other thing I would ask the CFO to do is to challenge the technology and the security and compliance group. Not everything has to be automated.

What is a typical budget or what should a budget for cybersecurity be in a normal corporation?

I've seen studies all over the place. I'd like people to think about their budget as it relates to the inherent risk and the cost associated if something bad were to happen, and then allocate your budget based on that. Just spending 10% of the IT budget may not make sense at all. It may need to be 2% depending on what you're doing, or it may need to be 15%.

 What’s the two or three things anyone should be doing next Monday?

The first one is to ask, "Have we actually had a company discussion on what our top two or three most critical assets are? And do we agree?"

I think a very simple way to do that is you get in a staff meeting. Tell everybody no peeking. Pass out little index cards and have everybody write [down those assets]. Then have somebody facilitate [group deliberations] until you get your list. You might end up with a top 10 list [at first], but at least you can force-rank them.

The next thing to do is to ask, "What is our worst digital-disaster nightmare?" Name it and define it. Practice [dealing with] that nightmare. Learn what capabilities you have and don't have. Discover where you need new partners, and go and get those new partners. And then figure out what you can't mitigate on your own through partners, through process, through technology—that's what you want to go get cyberliability insurance to cover.

The other thing that I think companies overlook is that you can increase your security and reliability and also your resiliency if you pick the right cloud-services provider. If you are holding on to some legacy mail platforms and things like that, it may be time to reintroduce making a strategic decision around the cloud. That could save you money and it could, if you pick the right provider, create a whole new set of security protections and protocols you don't have in-house.

Theresa, thank you so much for being with us and for sharing your thoughts on cybersecurity.

Thank you very much. You asked fabulous questions. Those are all questions that every business should ask.