The five minute CIO: Theresa Payton, former White House CIO

26 Sep 2014

“The best way to have the budget you need to get your job done is you have to be tied to business value,” said Theresa Payton, former White House CIO during the Bush Administration.

Payton is one of America’s most respected authorities on internet security, net crime, fraud mitigation, and technology implementation. As White House chief information officer from 2006 to 2008, she administered the information technology enterprise for the President of the United States and 3,000 staff members. Prior to working in the US federal government, Payton held executive roles in banking technology at Bank of America and Wells Fargo.

As founder of Fortalice Solutions, LLC, a security, risk, and fraud consulting company, Payton now lends her expertise to organisations large and small, helping them improve their information technology systems against emerging, amorphous cyberthreats. In 2010, Security Magazine named her as one of the top 25 ‘Most Influential People in Security’.

She serves as a cyber-expert for the syndicated programme America Now and is co-author of Protecting Your Internet Identity: Are You Naked Online? and Privacy in the Age of Big Data: Recognizing Threats, Defending Your Rights, and Protecting Your Family.

Payton will be in Ireland on 3 October to address the ISACA Ireland GRC 2.0 – Breaking Down the Silos one-day conference, being held in Croke Park, Dublin.

Becoming CIO to the President of the United States, what convinced you to take the job?

It’s funny. When they called me to ask would I consider being a candidate I asked them why they thought I was qualified to do the job. I had been in banking for 16 years at that point. They said: “I think you’d be surprised how much of what you do in banking applies to us here. You are used to a 24 x 7 environment and you are used to being heavily regulated. You are used to fighting criminals online and trying to make sure they can’t get to your customers’ money. You have to think about putting cutting-edge technology in the hands of all your customers while protecting them. I think you are going to find that although there is no job like the White House CIO job in the world, you are going to find a lot of things that banking taught you are going to be a real asset here.”

How did you get to grips with the role of CIO to the most powerful person in the world?

I just went around asking people questions about their day-to-day jobs, who they considered to be their most important technology partner, what was working and what wasn’t. You get a feel for how integrated technology is into the line of business.

People focus on the front things that you can see but one of the things that was interesting was the Usher’s Office. The usher takes care of the first family but the Usher also co-ordinates the functions, the food, the flowers, everything.

Well because all of this comes out of different sources of public money, you have to run a very tight ship. So the Usher’s Office over time, literally, is probably one of the most amazing displays of supply chain management I’ve ever seen.

Everything is barcoded down to the last chicken breast, down to the last flower stem, because it all comes out of different pots of money. Literally, when they go to make chicken they stamp the barcodes and say this chicken was used for that state dinner or the first family, that carnation was in the flower arrangement when the Queen Mum came over to visit.

Literally, it was one of the most fabulous transformations of a group that I’ve ever seen – everybody thinks of the usher’s job as a butler service, like Downton Abbey – but it is highly automated and a great lesson in how to implement supply chain logistics without customers actually knowing what’s going on behind the scenes.

When we see the White House in movies, the technology is very sophisticated. Is that actually the case?

It depends. In some cases it is and in some cases it isn’t. For example, every president has a diarist who sits outside the Oval Office and he or she is there recording everything, including writing “vacate” in the diary for when the president is using the restroom. The diarist records everything in an old-fashioned system but he or she is very comfortable with that and so that’s what the diarist wants and sometimes you have to say give them the technology they are asking for even if it is not the cutting-edge latest greatest thing.

We give the latest and greatest technology within the framework that a particular client was comfortable with to do their job.

But at the same time, President Bush was the first president to electronically sign a 100pc digital budget of the United States.

He made the decision at the time that you shouldn’t be automatically printing books and having the president sign the book. We literally transformed that process and said to the department’s agencies and the American public if you want to print the budget you can, this is the link to the website to order a copy but we formatted it to be in digital form on a tablet for President Bush.

Really what we focused on is ensuring the technology is there and if we are spending taxpayer dollars we always would ask ourselves, first how does this support the mission? How are we protecting both the people and the communications and information because we had to constantly think about are we putting a homing beacon in everyone’s pocket? Because physically they are a target but then also the digital communications information schedules, photos, all of that we had to protect that, as well. How do we give them the latest and greatest, enable them to do their job, support the mission, protect the people within the mission while at the same time being good stewards of the taxpayers’ money and cutting-edge technology doesn’t always have security built in initially.

We were always having conversations around what’s the best use of technology for this piece of the mission and making a judgment call.

In some areas, the situation room and things like that have cutting edge state-of-the-art technology and the other areas are based on the budget we have.

From a security perspective, the President of the United States must be the most besieged individual on the planet. How did you go about protecting the president online?

We would send teams in advance of the president or vice-president and the 3,000 staff that would be travelling on behalf of the US government. We would go out in advance of them like White House ninjas and basically you’ve got the physical security and the military and they would be looking for all potential points of compromise. What are the issues? My team would go and say we’re going to set up communications and see if anyone is tracking our comms and get everything set up so that when the president or vice-president or key staff or cabinet members arrived everything was there.

Then we would stay after they left to see if we were compromised while we were there, who was trying to attack our communications, what we know about them and then we would pack up and roll on to the next gig.

Once we were sitting down talking to these global ISPs and I was reading them the Riot Act on a couple of things. One of them said, “do you know that at certain times of the year you are the most attacked website on the planet?”

There’s that element of constantly fighting against groups that are unfriendly to the US or trying to attack the White House. Every day it was an honour to serve and every day was unique and different.

In terms of managing IT budgets, what are your key thoughts on how CIOs/heads of technology should achieve their goals?

The best way to have the budget you need to get your job done is you have to be tied to business value.

The key mistake that CIOs make is they get caught up – if they can’t figure out the business value they’ll do this cost avoidance. If you are not regulatory compliant, that is awful, or if you get breached, that is awful. You have to invest the money because this calamity might happen; you are playing the odds at Vegas.

I always tell people, that used to work in the year 2000 but that dog don’t hunt any more. The threat of regulatory lack of compliance, fines or you are going to be hacked, it’s embarrassing, it’s almost as if the C-suite and the boards have said, “yeah, we are just hoping the day never comes”. But that’s not compelling enough to get the budget.

So how do you get the business value? You listen to the business. You look at the core goals and you find unique ways to tie what you need to get done to enabling those goals. That’s how you will get the money.

Bank of America knew they wanted to improve the security of the online banking website. They came up with SiteKey, which allows Bank of America customers to associate a pass phrase with a picture and Bank of America taught the customers: if your picture does not come up, you are not on the Bank of America website. They suddenly made consumers so much more comfortable with online banking that the adoption rate went up. The money was available to do other security projects and it wasn’t a huge leap in improving security, but because you got the customer adoption where it needed to be it freed up dollars to do additional security projects. If you can listen to the business, understand the business goals, prove direct business value, you’re going to get the money that you need.

The second key tenet is you have to be seen. That doesn’t include being at meetings. Being a CIO it is so challenging and difficult, you are so busy and you want to be connected to the business and your management team. You end up being in meetings all day. You have to be seen. Walking the floors where the business partners are, walking the halls where your technology team is. You literally have to work with your executive assistant, you literally have to schedule time to be seen and be available and have a casual conversation. That’s where the real business is going to get done.

The third tenet is be fearless. A lot of times be honest but be fearless. So you know the right thing to do, you are not in the job because you don’t know what you are doing. You are in the job because somebody saw something in you and said this is the right person for the job and there are going to be times where you are going to have to step out on a limb and you may actually be unsuccessful in a project, an initiative or something you tried to do.

But if you hold back and you don’t do it, you are not going to transform the business so you’re not doing your job anyway. So what do you have to lose? Be fearless.

The fourth tenet is being a servant leader. I have to say some of my best transformational changes at the White House and in banking and even today, the ideas came from lower-level staff. They just needed an outlet and a venue and a place to be comfortable to actually share the idea and give the idea some legs.

That would be from a servant leader perspective, ask people what you need from me to do your job better. What are the ideas you’ve been sitting on for a while and can’t figure out how to make it a priority? What would make this group work more effectively together?

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years