Vermont CISO’s New Role Entails Learning from Policymakers

John Toney, the state’s chief information security officer, has been appointed a visiting fellow by the National Security Institute. Through this position, he will learn from cyber execs, building his knowledge to better serve Vermonters.

Vermont CISO John Toney will expand his knowledge in a new, supplemental role as a visiting fellow at George Mason University's Antonin Scalia Law School, joining the Cyber and Tech Security Council of the National Security Institute (NSI).

Toney was first appointed to the Vermont CISO role in April, following the departure of Scott Carbee, who first served as interim CISO before being tapped as the permanent CISO in 2020. The CISO position marks Toney’s first state-level information security role, but prior to this, he accrued nearly two decades of IT experience, from the private sector to the U.S. Secret Service, where he led the Philadelphia Electronic Crimes Task Force.

The Cyber and Tech Security Council addresses emerging cyber threats, policy and the global security landscape; Toney’s role will involve collaboration and information sharing with leading professionals in this area.

According to Toney, he viewed the visiting fellow position as an opportunity to keep growing his skill sets and knowledge as technology — and related policy — evolves. The role offers him a channel through which to hear what policymakers and federal regulators are working on in security, to better prepare and protect the state of Vermont.

“It’s a way for me to give back, and also to learn from people in that room,” Toney said of the new post, emphasizing the opportunity to work with senior cybersecurity executives from the Office of the Director of National Intelligence who are members of NSI. “So, there’s a lot for me to learn, but also, I hope that I can add a practitioner’s view to the theoretical things that they’re bringing to the table.”

He explained that, in contrast to the private sector, public-sector organizations’ budget constraints encourage more creativity and compromise in solutions, such as the dual use of one tool to help solve multiple problems. But collaboration is key, he said, as people in the private sector are often building high-quality tools that can be leveraged in the public sector.

Toney’s experience at the Secret Service enabled a wide range of collaboration with people in the education and private sectors. In his current CISO role, he said a lot of communications with those outside state government involve a sales pitch of some kind. That was the appeal of this role with NSI at George Mason University: It is a not-for-profit organization that is not designed to sell any product.

“My time belongs to the state of Vermont,” Toney said, explaining this new role is a volunteer position with a small time commitment, so it will not hinder his ability to manage his duties as CISO.

Having been in the role for about six months, Toney said his work thus far has been focusing on making the state’s approach to security more proactive.

The CISO is working with the cybersecurity company NuHarbor Security to explore how AI can help the state better defend itself.

The state does have tools in place that use AI for threat detection. As he explained, AI is now largely embedded in all the technologies that vendors are looking to sell to the state, although the extent to which these tools are classified as AI varies. From a security standpoint, Toney emphasized the importance of ensuring the state’s data security when considering working with any vendor that claims to have AI built into their product. To resolve these questions, Toney said he works closely with Vermont Chief Data and Artificial Intelligence Officer Josiah Raiche.

AI’s impact on security is two-sided, Toney said. On one side, AI helps bad actors learn and target organizations more efficiently. The problem, then, is that the speed of threat detection has not increased at the same rate. Toney is looking to find AI-powered automations in other areas, like contract review processes, to free up employee time to detect and address cybersecurity risks like malware, for a more secure Vermont.
Julia Edinger is a staff writer for Government Technology. She has a bachelor's degree in English from the University of Toledo and has since worked in publishing and media. She's currently located in Southern California.