Editor’s note: Theresa Payton, a keynote speaker at ISACA Conference North America 2026 last month, took the time to answer numerous questions that came in from the ISACA audience during Q&A that she did not have time to address during her session. Below are 10 additional questions and answers from Payton, CEO of Fortalice Solutions and a former White House chief information officer.
What cybersecurity or AI-related metrics do you believe boards should actually pay attention to, versus metrics that just create noise?
Theresa Payton: This is such a great question! Board members are not focused on the thousands of firewall pings your team blocked last Tuesday. They want to know the business itself remains resilient and protected.
In my experience, when we present raw IT operational metrics, we unintentionally emphasize effort rather than outcomes. Instead, I recommend shifting the conversation to metrics that directly influence the balance sheet. Mean Time to Remediate, for instance, answers the critical question: if everything goes sideways today, how quickly can we restore core operations? Pair that with peer-group benchmarking so your board can see whether your investments are delivering competitive value. Gartner predicts that by 2028, 50 percent of CISOs will own disaster recovery alongside incident response. This ties security leadership explicitly to broader business continuity. When you frame security this way, boards stop seeing it as an expensive cost center and start viewing it as a strategic enabler of revenue protection and long-term advantage.
What are your predictions regarding AI workplace surveillance? With the prevalence of AI job terminations in key industries, how far do you suspect we will go?
TP: The headlines absolutely break my heart. I love technology, but I love mankind more than technology. Layoffs and efficiency programs are a hard part of work and a reality, but there is a way this can be done that’s fair, effective and more human. AI used the right way can remove bottlenecks and roadblocks. AI implemented in various ways can make a job more enjoyable.
AI-driven workplace monitoring has evolved far beyond simple keystroke tracking. Leading platforms now perform real-time sentiment analysis on internal communications such as Slack or Teams, identifying potential attrition risks or productivity shifts. In some high-profile cases, organizations have relied on algorithmic recommendations for layoffs or terminations.
I strongly recommend against using AI as the sole decision-maker for any talent-related action. Algorithms excel at pattern recognition, but they lack the empathy, context and nuance that define human judgment. An employee’s idle time might reflect a family challenge or an offline brainstorming session that yields breakthrough ideas. The most resilient organizations use AI to surface insights while preserving human oversight, workplace trust and psychological safety. These elements ultimately protect culture, retention and legal standing.
As part of your world travels, did you observe how companies are working to upskill their employees? If so, what could you share?
TP: From my conversations with leaders worldwide and my own work at Fortalice Solutions, the organizations pulling ahead have moved beyond traditional compliance training. Annual 20-minute slide decks simply do not build the muscle memory people need to defend the enterprise day in and day out. (P.S. Employees are also bored by them, and I call that “they snooze, you lose” training.)
Forward-thinking companies are instead deploying AI-powered, adaptive micro-learning platforms that identify each employee’s specific knowledge gaps and deliver concise, contextual training directly within their daily workflow, often in just two-minute bursts. Many are also introducing specialized AI co-pilots that handle repetitive administrative tasks. This frees teams to focus on strategic thinking and creative problem-solving. The goal is not to turn every employee into a coder. It is to establish baseline AI literacy so your workforce can collaborate safely and effectively with these powerful tools.
The SEC’s new cybersecurity disclosure rules require material incident reporting within four days. From an audit perspective, how should organizations be pre-defining materiality thresholds for cyber incidents before one occurs?
TP: The SEC’s four-business-day disclosure requirement for material cybersecurity incidents has sharpened everyone’s focus. What many leaders overlook, however, is that regulators are now scrutinizing not just what you disclose, but the rigor of the process you used to determine materiality in the first place.
In my experience advising boards across industries, waiting until a live ransomware event to debate materiality is no longer viable. The most prepared organizations define clear thresholds in advance, in collaboration with legal, finance, and security teams. I recommend building a formal matrix based on four pillars: financial impact including forensics and litigation costs, operational downtime, data sensitivity and potential reputational harm. Establish an interdisciplinary Materiality Committee and maintain a documented audit trail for every incident evaluation. When examiners review your program, a repeatable, disciplined process is what demonstrates compliance and protects the enterprise.
With the ability of AI to fake so many things, how does one protect the brand? How do you help ensure bad actors don’t create impairments to customer trust? Are there any controls an organization can put in place?
TP: The barrier for malicious actors has essentially vanished. With minimal resources, anyone can generate convincing deepfake audio or video of a CEO that could erode customer confidence or move markets within minutes.
In my experience, I advise treating digital identity with the same discipline we apply to network security: trust nothing, verify everything. Start by reviewing and planning to adopt cryptographic provenance standards such as C2PA to digitally sign official corporate communications. Implement out-of-band verification protocols, for example pre-shared cryptographic keys or rotating passphrases, for urgent requests involving financial transfers or sensitive actions. Finally, maintain continuous AI-powered brand monitoring to detect and remediate fake domains or impersonations before they reach your customers.
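One way to implement the out-of-band verification Payton describes, added here as an illustration and not code from the original article or from Fortalice Solutions: an HMAC challenge-response over a pre-shared key, plus a time-rotating spoken passphrase derived from the same key. The key, the word list and the request text are constructed sample values; the hourly rotation step and the one-window skew tolerance are assumptions.

```python
"""Out-of-band verification of an urgent request (e.g. a wire instruction
received by phone or video) using a pre-shared key. A deepfaked caller who
does not hold the key cannot produce a valid response or passphrase."""
import hashlib
import hmac
import secrets

# Constructed sample key; in practice provisioned in person, never sent in-band.
PSK = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

# Small constructed word list so the rotating passphrase can be spoken aloud.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "falcon", "granite", "harbor",
         "indigo", "juniper", "kestrel", "lantern", "marble", "nickel", "orchid", "pewter"]


def issue_challenge() -> str:
    """Verifier (e.g. treasury) creates a fresh nonce and reads it back to the requester."""
    return secrets.token_hex(8)


def sign_request(psk: bytes, challenge: str, request: str) -> str:
    """Requester binds the nonce to the exact request text with HMAC-SHA256."""
    return hmac.new(psk, f"{challenge}|{request}".encode(), hashlib.sha256).hexdigest()


def verify_request(psk: bytes, challenge: str, request: str, tag: str) -> bool:
    """Constant-time check; an altered amount, account or replayed nonce fails."""
    return hmac.compare_digest(sign_request(psk, challenge, request), tag)


def rotating_passphrase(psk: bytes, epoch: int, step: int = 3600) -> str:
    """Two-word passphrase valid for the time window containing `epoch` (assumed 1 hour)."""
    counter = (epoch // step).to_bytes(8, "big")
    d = hmac.new(psk, counter, hashlib.sha256).digest()
    return f"{WORDS[d[0] % len(WORDS)]}-{WORDS[d[1] % len(WORDS)]}"


def passphrase_matches(psk: bytes, spoken: str, epoch: int, step: int = 3600) -> bool:
    """Accept the current or immediately previous window to tolerate clock skew."""
    return any(hmac.compare_digest(rotating_passphrase(psk, epoch - k * step, step), spoken)
               for k in (0, 1))


if __name__ == "__main__":
    challenge = issue_challenge()
    req = "wire 250000 USD to vendor account ending 4471"  # constructed sample request
    tag = sign_request(PSK, challenge, req)
    print("genuine request verifies:", verify_request(PSK, challenge, req, tag))
    print("altered amount verifies:", verify_request(PSK, challenge, req.replace("250000", "950000"), tag))
    print("passphrase for this window:", rotating_passphrase(PSK, 1_700_000_000))
```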
How do we convince boards to invest in protecting data today against the quantum threats of tomorrow?
TP: Quantum computing can sound like science fiction to many boards, but the risk is immediate and pragmatic. Nation-state adversaries are already conducting “harvest now, decrypt later” operations. They are stealing encrypted proprietary data, financial records and intellectual property today, with the intent of decrypting it once quantum capabilities mature.
In my work with boards across industries, I position quantum readiness as proactive management of a significant long-tail liability. If your organization holds data with a long shelf life, such as medical records or trade secrets spanning 10, 20, or 30 years, that information is already exposed. The immediate priority is not a full rip-and-replace. It is building cryptographic agility through a comprehensive inventory of current encryption usage and a phased migration of critical assets to post-quantum standards.
How can you convince auditors, in particular, that failure isn’t always the opposite of success? In fact, it’s often the first step toward achieving success.
TP: Auditors are trained to evaluate compliance in clear, binary terms: policy followed or policy violated. In today’s rapid, AI-accelerated environment, however, treating every deviation as a failure can stifle innovation and push experimentation into the shadows.
In my experience, the solution lies in evolving audit practices to embrace blameless post-mortems. Instead of simply noting that an incident occurred, examine how quickly the team detected it, how transparently it was documented and how effectively the organization hardened systems to prevent recurrence. When a team isolates a failure, extracts lessons, and strengthens defenses with speed and discipline, that outcome deserves recognition as a demonstration of corporate resilience and agility.
As AI agents begin making autonomous decisions at machine speed, what becomes the new foundation of trust when identities, voices and even human behavior can be synthetically replicated?
TP: We are entering an era where autonomous AI agents will interact with one another at machine speed to execute decisions, procure resources and manage workflows, while human identities can be synthetically replicated with near-perfect fidelity. In this environment, trust can no longer rely on what we see or hear.
As CEO of Fortalice Solutions, I believe the new foundation of trust must rest on continuous behavioral provenance. Every human, machine and AI agent should maintain a cryptographically verifiable footprint on immutable, decentralized ledgers. I know that is easier to say than to implement, but we must have these conversations now. This requires mature Zero Trust architectures that move beyond static credentials or facial recognition to ongoing analysis of context, behavior and interaction history. In a synthetic world, trust becomes verifiable mathematics rather than subjective perception.
What’s your stance on “If you don’t embrace AI you are going to be behind” versus “Let’s develop a risk framework and adopt it as we have business use cases”?
TP: Leaders today often feel caught between two powerful forces: the fear of falling behind competitors in AI adoption and the very real risks of data exposure, third- and fourth-party risks, and regulatory penalties. The good news is that you do not have to choose between speed and safety.
In my advisory work with technology and cybersecurity executives, the most effective organizations implement a tiered risk framework for AI and other technologies. Low-risk, high-value use cases, such as using an enterprise-secured AI sandbox for document summarization or email drafting, can be enabled quickly with appropriate guardrails. Higher-risk initiatives, like deploying customer-facing AI agents that handle sensitive financial data or autonomous decision-making, receive the full, structured evaluation they require. This approach lets you move fast where risks are contained and deliberately where stakes are highest.
What is the best part of your job and why do you enjoy it?
TP: Honestly, the best part of my job as CEO of Fortalice Solutions is that I love our team and our clients. I also have the opportunity to demystify this rapidly evolving landscape with leaders like all of you and the team at ISACA. Technology can feel overwhelming, and it is completely understandable for teams to experience moments of uncertainty or concern. My goal is always to translate complexity into clear, actionable strategies that strengthen both security and business performance so everyone feels energized, equipped, confident and ready to lead.