In today’s work-from-anywhere era, employees are increasingly the targets of fraudsters and cybercriminals, and organizations face heightened risks due to the interconnected nature of operating systems and cloud platforms. While chief information officers (CIOs) often push for strict security measures, other company leaders may advocate for greater tech accessibility to maximize operational efficiency. Can a balance between security and efficiency be achieved—or is this a compromise no company can afford to get wrong?
On a recent episode of Tomorrowist, Theresa Payton, CEO of Fortalice Solutions, explained that organizations can achieve this balance by studying their human user story. “We can figure out through people, process, and technology how to build security so it’s a safety net,” she said. “That’s how we create seamless security experiences.”
Payton—the first woman to serve as White House CIO under President George W. Bush—discussed the ever-evolving cybersecurity landscape, her predictions for 2025, and the responsibilities leaders must shoulder as data security breaches and cyberattacks become more imminent. Her message to leaders is this: Breaches are not a matter of if, but when.
Breaches Are Imminent, and It’s Time to Prepare for Them
Payton urges executives to be proactive in their approach to minimize damage and maintain operational resilience when they are breached. “You can’t stop a hurricane or earthquake from happening,” she noted, “but you can prepare for it.” Payton likens cybersecurity preparedness to fortifying a building against natural disasters, while also emphasizing the importance of having a clear, well-rehearsed playbook for recovery.
Whether they face data theft, an imminent attack, or a combination of ransomware and extortion, leaders should prepare detailed recovery plans for different scenarios. This includes a process for handling disclosures to customers and stakeholders when data is compromised or an attack is expected. “Being proactive makes a huge difference in your recovery,” said Payton, explaining that preparedness allows companies to minimize damages, downtime, and penalties—and maintain their reputations.
Cybersecurity Meets Physical Security
Payton warns of future threats involving company buildings, predicting that cybercriminals may begin to digitally attack office spaces and trap employees for ransom. “If you have any buildings that are smart buildings that have lots of internet-of-things devices installed, my prediction is by the end of 2025, ransomware syndicates are going to move to buildings,” she said. “[They could] lock people in and hold them for ransom and not let them out until you pay the ransom.”
Payton added that physical cyberattacks could range from toilets constantly flushing and flooding areas, to cooling systems being remotely deactivated and intentionally overheating equipment. Cybercriminals could think, “I’ll turn off the heat or I’ll turn off the AC. I’ll turn off the electricity,” among other disruptions, she said.
This One Security Measure Is Your Best Defense
Hackers can range from lone individuals to sophisticated nation-state actors. But regardless of their background, Payton said most hackers follow predictable patterns. Like anyone else, they want the easiest path to a payout. “They go to the data dumps of all past data breaches,” she explained. “They pull the passwords out, they pull the emails out, they pull the usernames out and the account access out.”
To gain the advantage over hackers, Payton believes an organization’s best safeguard is two-factor authentication. “I know it’s clunky. I know people don’t like it,” she said. Payton explained that while it may be irritating, two-factor or other multi-factor authentication prevents 90% of credential-stuffing attacks (in which hackers use stolen account credentials, often obtained from a data breach, to attempt to log into user accounts on other systems). “If you can only do one thing,” said Payton, “demand multi-factor authentication everywhere.”
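Credential stuffing leaves a recognisable trace in login logs, and a second factor is what turns a correct stolen password into a blocked attempt. The following is an added Python example, not code from the episode or from Fortalice, that flags the stuffing pattern in constructed log lines (the five-field format is an assumption) and shows which accounts the second factor protected:

```python
# Added example: spot a credential-stuffing burst in login logs and measure
# what MFA stopped. Log format and values are constructed, not from a real system.
from collections import defaultdict

# Constructed lines: time, source IP, username, password check, MFA outcome.
# "NONE" in the last field means the account has no second factor enrolled.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice PASSWORD_FAIL NONE
10:00:02 203.0.113.7 bob PASSWORD_FAIL NONE
10:00:02 203.0.113.7 carol PASSWORD_OK MFA_FAIL
10:00:03 203.0.113.7 dave PASSWORD_FAIL NONE
10:00:03 203.0.113.7 erin PASSWORD_OK NONE
10:00:04 203.0.113.7 frank PASSWORD_FAIL NONE
10:00:05 203.0.113.7 grace PASSWORD_OK MFA_FAIL
10:00:06 203.0.113.7 heidi PASSWORD_FAIL NONE
10:01:00 198.51.100.5 alice PASSWORD_FAIL NONE
10:01:20 198.51.100.5 alice PASSWORD_OK MFA_PASS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, pw, mfa = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "pw": pw, "mfa": mfa})
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly wrong
    passwords: replaying a breach dump, not one user mistyping."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(e["pw"] == "PASSWORD_FAIL" for e in evs)
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            flagged[ip] = sorted(users)
    return flagged

def mfa_impact(events, flagged_ips):
    """For flagged sources, split password hits into those MFA blocked and
    those that became takeovers because the account had no second factor."""
    blocked, takeovers = [], []
    for e in events:
        if e["ip"] in flagged_ips and e["pw"] == "PASSWORD_OK":
            (blocked if e["mfa"] == "MFA_FAIL" else takeovers).append(e["user"])
    return {"blocked_by_mfa": blocked, "takeovers_without_mfa": takeovers}
```

In the constructed sample the second source is a legitimate user who mistyped once, so only the first is flagged; of its three password hits, two were stopped by MFA and the one account without it was taken over.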
How CIOs and Executives Can Work Together
Too often, security measures are implemented without considering the day-to-day needs of various departments, leading to workarounds and security gaps. At times, leaders may resent IT for making them resort to workarounds and plug-ins that bypass firewalls. “You had to do a workaround to do what? To get your job done. Not because you were trying to have a side hustle or trying to put the company at risk. You were trying to get your job done,” said Payton.
To combat this frustration, Payton calls for a more user-centered approach from technology teams. For optimal operational efficiency, IT and other departments, such as operations and marketing, must be aligned on departmental objectives and organizationwide security priorities. “What I would say is, ask your technology and security partner: ‘Can we spend some time talking about the human user story? I need you to really understand what I do before I engage technology,’ ” said Payton.
“If we spent more time understanding that human user story, then on the technology and security side, we can identify those thin spaces.”