Theresa Payton on Identity Threats and the Chief ‘Influence’ Security Officer
You’re reading the CyberArk blog (and we thank you for that), so you’re likely familiar with the name Theresa Payton. The cybersecurity visionary, first female White House CIO, best-selling author and founder and CEO of Fortalice Solutions is a powerful industry voice, blending her frontline cybercrime fighting experience with cutting-edge insights to help organizations safely navigate the evolving threat landscape.
Not long ago, I had the honor of speaking with Payton on the CyberArk Trust Issues podcast. We covered so much ground – from revisiting major historic threats to exploring ransomware’s impact and future AI applications – that we dropped two episodes. Give part one and part two a listen and check out these top takes from our conversation.
Yesterday’s Threats are Still Alive and Well
Payton served as CIO in the George W. Bush White House from 2006 to 2008 – a time of significant technological change in the workplace and at home. Among other major happenings, Apple released its first-ever iPhone and social media was starting to take off. Here’s what Payton had to say about the threat landscape during this time and its lasting influence.
Theresa Payton: We didn’t know how good we had it, even though cybercriminals were doing some pretty bad things. Major cybersecurity threats looked like phishing scams, spam emails, botnets. Malware was very quaint and SQL injection attacks were extremely popular. Nation states and syndicates were operating at a different level, mainly focused on the defense industrial base and government organizations. They weren’t going after the small, medium and large enterprises as they certainly do today. Even things like ransomware, which was in its infancy, mostly focused on computers in a network. It wasn’t at the large scale seen today. But what’s interesting to me is that phishing scams and spam email are still alive and well. We can’t seem to get rid of them. Botnets are still used and malware is still built to steal information and conduct other nefarious types of activities. And the fact the SQL injection attacks still work – that’s incredible to me.”
Technology Multiplies Misinformation Campaigns
Fast-forward to present day. The threat landscape continues to grow in size and complexity, and digital advancements bring new twists to age-old misinformation and fraud schemes.
TP: “It’s part of human nature to manipulate and misinform others to get them to see your point of view. Social media gave those with nefarious intents a free stage. All they had to do was understand how search engine optimization and hashtags work to launch their own amplification marketing campaigns. In some regards, I think retailers and other companies would marvel at what misinformation experts can accomplish with very little money. This has led to a rapid spread of misinformation on all types of topics – everything from pump-and-dump schemes for cryptocurrency, health, politics, science and deepfake technology. All of these can be used to create fake news, propaganda and disinformation. Artificial intelligence raises the stakes. We’ve already seen how AI helps botnet masters much more effectively manage their botnets. Having ChatGPT and other deepfake AI tools really just puts more power in the hands of the manipulators and mis/disinformation peddlers. It’s making it really challenging.”
Payton notes that we each play a part in fighting misinformation – by watching out for one another, learning how to spot disinformation campaigns and reporting inauthentic behavior and dangerous disinformation to social media platforms.
Hiring for Open Positions? Beware of ‘Franken-Fraud’ Identity Applicants
The recently published CyberArk 2023 Identity Security Threat Landscape Report finds that 93% of security professionals expect negative cyber impacts from AI tools in 2023 – and with good reason. Payton believes that thanks to AI, it won’t be long before ‘franken-fraud identities’ (also referred to as synthetic identities) enter the workforce.
TP: “Fraudsters and scammers will leverage cutting-edge deepfake AI technology to create personas – by creating images of these new identities, adding voices to them, creating videos, etcetera. In fact, all of this can be done mostly for free today. These ‘persons’ will use AI and big data analytics to test themselves and ensure they look authentic. The next thing you know, you’ve got ‘people’ who can interview for jobs. And since many jobs today are remote, companies may unknowingly hire a deepfake persona because it’s been matched up with a franken-fraud identity. Seriously – it can happen.”
“So how do you protect against this? For starters, you must understand how to safeguard your executive and employee data. Second, if you do remote hiring, work with an outsourcing firm to bring candidates into a physical office in whatever geography they’re in. Have them present different forms of identification. It’s not going to cost you that much and it’s a way to make sure you’re actually hiring the person you think you’re hiring.”
One Ransomware Trend Theresa Payton Never Saw Coming
Many organizations have benefitted from Payton’s near-prescient ability to predict cybersecurity trends and challenges ahead. She imagines how things will look two to three years out every year, and she’s usually spot on. Yet one recent development caught her completely off guard.
TP: “I love to study human behavior and technology implementations, so I typically have a pretty good handle on where things are headed. But I would’ve never predicted that insurance companies would encourage ransomware victims to pay ransoms. I remember the first time somebody told me that their insurance company said to pay the ransom because it would be cheaper than recovery. I said, ‘Well, that sends a really bad message. It’s like giving the schoolyard bully your lunch money. They’re just gonna come back tomorrow.’ When I looked in a crystal ball, I definitely saw a lot of the trends and patterns coming. But I never saw that one.”
On Double Extortion and Evolving Attacks
Unfortunately, the paying ransom trend only seems to be growing. CyberArk’s latest research found nearly three-quarters of organizations paid ransoms at least once in the last 12 months. Payton acknowledges that attackers are turning up the heat with double extortion but urges organizations to remember who they’re dealing with.
TP: “You are negotiating with a criminal. And even if the person you negotiated with might keep their word as an individual, which is debatable, it’s so distributed and outsourced these days that somebody else in the organization may not honor their word.”
“When we improve the kill chain in our resiliency and our recoverability, cybercriminals don’t say, ‘Wow, this is really hard. I should give this up and become a park ranger or bake pies for my neighbor.’ They just up their A game too. They don’t go away. That’s the great thing about cybercriminals, whether it’s a nation state, lone wolf or a cybercriminal syndicate – their behavior.”
So as organizations improve their ransomware defenses and recovery efforts, where will attackers turn next? Payton offers a rather grim prediction.
TP: “The better we get at shutting down ransomware syndicates on systems and data, malicious cyber actors will move to another place in the kill chain. Ransomware will pivot to the Internet of Things, devices, access control cards, thermostats, TVs, physical buildings controlled by computers – you name it – and hold them for ransom.”
Payton writes in her 2024 cybersecurity predictions that attackers could go as far as “hacking into intelligent buildings, locking them down with people inside and demanding a hostage payment to release individuals.”
Putting the “Influence” in CISO
Chief Information Security Officers (CISOs) have a difficult job that’s constantly changing as technology, workforces and cyber threats evolve. Many CISOs are understaffed and under-resourced. They’re grappling with highly complex IT environments and exponential – but often insecure – identity growth. Payton encourages these cybersecurity leaders to expand and solidify their influence across their organizations to amplify their impact.
TP: “As a CISO, you will never have the full span of control that you probably should have to protect all the digital assets under your organization’s care. You’re never going to have enough tools and budget and people. And you really do need to understand that. Once you do, ask yourself how you can influence your organization to be secure by design.”
“Are you going to sit with the developers the whole time? Are you going to sit with the third-party marketing firm doing internet campaigns with social media platforms? No. So how do you make sure you have influence everywhere within the organization. You can’t do it by being a bottleneck and saying no to everything. You do it by understanding the mission and values of your organization and figuring out the human user stories of your employees, customers and third-party vendors. Then, you focus on where things need to be secure and how to influence the people responsible for those human user stories. That is where CISOs need to go with their thinking. If you don’t wake up every morning thinking about that, in addition to what you’re doing today, you’re going to miss a unique opportunity to have a long-lasting legacy and impact.”
David Puner is a senior editorial manager at CyberArk. He hosts CyberArk’s Trust Issues podcast.
Editor’s note: Remarks have been edited for length and clarity. To listen to the entire Trust Issues interview with Theresa Payton, check out the players below – or find the episodes wherever you get your podcasts.