Getting Your Priorities Straight: Advice from Theresa Payton, CEO of Fortalice

Phil Quade, Fortinet’s CISO, led a number of top security executives in an important exercise drawn from national security. The “100 Coins” exercise is a fascinating way to get insight into how business and security leaders view their priorities in cybersecurity. The exercise asks each participant to imagine they have 100 coins and then asks them to allocate those to a variety of cybersecurity areas based on what they think is most important.  

Recently, I had the opportunity to speak with Theresa Payton, the former CIO of the White House under President George W. Bush. Payton is the CEO of Fortalice. To say she is a cybersecurity expert is an understatement. She completed the 100 Coins exercise and I was excited to hear her perspective on it, as it offers some good strategies and insights for others in cybersecurity.  

It’s Not Enough To Have A Firm Foundation

Like other cybersecurity leaders I have spoken with, Payton emphasized the necessity of having foundational building blocks in place as part of any security portfolio, and she pointed out that in many businesses such foundational elements of cybersecurity are often missing. But she also pointed out that the basics aren’t enough.

“If you’re only focused on the basics, you’re going to miss out on the opportunity to take a team that is most likely understaffed and under-resourced, both from a technology investment and a skillset standpoint, and take advantage of some of the new solutions and capabilities that are available,” she said. “That was the ‘aha moment’ for me [with the 100 Coins exercise] — you can’t just say, ‘Let’s invest in all the things on the industry best practices framework.’ You have to make sure some of the basic building blocks are in place while at the same time not missing out on key opportunities to innovate and do things a little bit differently, with some of the newer technologies that are out there, like machine learning, or being able to segment your network.”

To create this balance of cutting-edge and foundational technologies, Payton pointed out that CIOs and CISOs will have to weigh the different biases of the units they oversee. “Every unit will have their own bias,” she said. “If you think about a red team person who’s doing advanced threat hunting, their perspective is going to be unencumbered by day-to-day operational reality. They’ll be focused on how to do advanced threat hunting and think ‘It is ridiculous that this software has these vulnerabilities. This should never be allowed to happen.’ Their perspective is almost pristine, unencumbered by the realities of having a business to run, a margin to hit, having to be first to market or a fast follower. When you don’t have that, you’re going to have a bias toward some of these very technical capabilities that are focused on this offensive strategy. Whereas when you’re under the operational side, you’re going to have an unconscious bias toward having to balance it all.”

Finding the right balance means squaring the wants of the business unit, the customer, and regulators with the fact that, as in the 100 Coins exercise, companies and CIOs only have so much money to spend. According to Payton, sometimes that means that, as much as you would like to embrace new technology, you realize you can’t afford the time, money, resources, or sacrifice in user experience required to be on offense. “If that’s the case, I’m just going to have to be on defense,” she said.

This tension led Payton to draw an apt analogy about how CIOs should view the 100 Coins exercise in particular and cybersecurity portfolio building in general. Payton said she views herself as a “translator.” And like a foreign language translator, she said her responsibility is to “understand the nuances of everybody’s language, everybody’s bias and everybody’s focus, and to see the competing conflicts and priorities, even though we’re all trying to accomplish the same goal.” Ultimately, that does mean tradeoffs. As she pointed out, a company may want a high profit margin and amazing security, but often, those things are not perfectly compatible. 

What does that look like in practice? For Payton, the unique priorities of the individual business mean that the answers to the 100 Coins exercise will, and should, differ from company to company. But she advised CISOs to start with the worst-case scenario to identify where the prime resources should be devoted. “I would focus on, What is the worst digital disaster that I can think of? And can I actually mitigate that disaster, either through technology or a process?” she said. It’s a way to map out how cybersecurity spending should be allocated. “It’s a cycle of identifying, What matters most? What’s the business risk associated with this digital asset? What’s our risk appetite?”

She recommended that companies start cybersecurity conversations by assigning weighted scores to the value of each digital asset to the overall operation of the business. If the asset is the company’s secret-sauce intellectual property, protecting it has to be paramount and resources have to be allocated proportionally. If it’s less important, then fewer resources can be used.
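As an added illustration (not code from the article, from Payton, or from Fortalice), the following Python turns that approach into a repeatable split of the 100 coins: each asset is scored by its business value times its worst-case impact, discounted by the risk appetite for it, assets whose worst-case disaster cannot be mitigated get no coins, a fixed baseline is reserved for the foundational building blocks, and the remainder is distributed in proportion to the scores with integer rounding that still sums to exactly 100. The asset names, the 1 to 5 scales and the 30-coin baseline are constructed assumptions for the example.

```python
"""Risk-weighted allocation of a fixed security budget ("100 coins").

Added example, not the article's or Fortalice's code. Scales (1..5), the
30-coin foundational baseline and the sample assets are all constructed.
"""
from dataclasses import dataclass

TOTAL_COINS = 100


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int      # 1..5: how much the business depends on this asset
    worst_case_impact: int   # 1..5: severity of the worst digital disaster involving it
    mitigable: bool          # can technology or a process actually reduce that disaster?
    risk_appetite: int       # 1..5: how much residual risk the business tolerates here

    def score(self) -> float:
        """Weighted exposure: value x impact, discounted by appetite; zero if unmitigable."""
        if not self.mitigable:
            # Coins spent here would not reduce the disaster; handle by acceptance or transfer.
            return 0.0
        return self.business_value * self.worst_case_impact / self.risk_appetite


def allocate(assets, total=TOTAL_COINS, baseline=30):
    """Return {name: coins}. `baseline` coins fund foundational controls; the rest is
    split in proportion to each asset's score, rounded so the coins sum to `total`."""
    if not 0 <= baseline <= total:
        raise ValueError("baseline must be between 0 and total")
    scores = {a.name: a.score() for a in assets}
    weight_sum = sum(scores.values())
    alloc = {"foundations": baseline}
    if weight_sum == 0:
        # Nothing is mitigable: every coin goes to the basics.
        alloc["foundations"] = total
        alloc.update({n: 0 for n in scores})
        return alloc
    remaining = total - baseline
    # Largest-remainder rounding so integer coins sum exactly to `remaining`.
    exact = {n: remaining * s / weight_sum for n, s in scores.items()}
    coins = {n: int(v) for n, v in exact.items()}
    leftover = remaining - sum(coins.values())
    for n in sorted(exact, key=lambda n: exact[n] - coins[n], reverse=True)[:leftover]:
        coins[n] += 1
    alloc.update(coins)
    return alloc


# Constructed sample portfolio (not real assets).
SAMPLE_ASSETS = [
    Asset("crown-jewel IP repo", 5, 5, True, 1),   # score 25.0
    Asset("customer portal", 4, 3, True, 2),       # score 6.0
    Asset("internal wiki", 2, 2, True, 4),         # score 1.0
    Asset("legacy fax gateway", 1, 3, False, 3),   # score 0.0 (not mitigable)
]

if __name__ == "__main__":
    for name, coins in allocate(SAMPLE_ASSETS).items():
        print(f"{coins:3d}  {name}")
```

With the sample portfolio the split is 30 coins to foundations, 55 to the crown-jewel repository, 13 to the customer portal, 2 to the wiki and 0 to the unmitigable gateway. Raising `baseline` models the "gold or silver everywhere" floor Payton describes; lowering an asset's `risk_appetite` pulls coins toward it.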

To this end, Payton echoed something that I’ve heard in a number of other interviews with cybersecurity experts — that no company can be a leader in every facet of cybersecurity, and so you have to prioritize where it’s most important for the business to be great and where it can be just okay.

“It makes sense for almost everybody to say, ‘Instead of being platinum everywhere on my basic food groups, because of the structure of my cybersecurity risk profile, I’m going to be maybe gold or silver, so that I can use that money to be advanced in certain areas where I’m going to get a lot of benefit,’” she said.

But she also advised that companies keep in mind operational friendliness, even when it comes to protecting their crown jewels. If the security becomes onerous, users will find ways to avoid it. “Given where we are in our maturity cycle on technologies that we can use for security, sometimes adding more security to areas where we cannot accept a lot of risk, around the assets that matter most, creates operational unfriendliness. And when you have operational unfriendliness, that’s when end users work around you,” she warned. 

Finally, Payton said that while there are no areas of cybersecurity products that companies should completely avoid, businesses should ensure they have the in-house resources, both in terms of time and staff, to fully utilize the products they adopt. Companies should not punch above their weight: too often, especially when it comes to threat intelligence, companies buy a product but then don’t have an efficient way to generate an ROI from it. “The process to turn threat intelligence into actionable information is a massive undertaking. Only larger, more sophisticated security teams at the Fortune 100 really get ROI based on how raw the intelligence is presented today,” she said.