Toney was first appointed to the Vermont CISO role in April, following the departure of Scott Carbee, who first served as interim CISO before being tapped as the permanent CISO in 2020. The CISO position marks Toney’s first state-level information security role, but prior to this, he accrued nearly two decades of IT experience, from the private sector to the U.S. Secret Service, where he led the Philadelphia Electronic Crimes Task Force.
The Cyber and Tech Security Council addresses emerging cyber threats, policy and the global security landscape; Toney’s role will involve collaboration and information sharing with leading professionals in this area.
According to Toney, he viewed the visiting fellow position as an opportunity to keep growing his skill sets and knowledge as technology — and related policy — evolves. The role offers him a channel through which to hear what policymakers and federal regulators are working on in security, to better prepare and protect the state of Vermont.
“It’s a way for me to give back, and also to learn from people in that room,” Toney said of the new post, emphasizing the opportunity to work with senior cybersecurity executives from the Office of the Director of National Intelligence who are members of NSI. “So, there’s a lot for me to learn, but also, I hope that I can add a practitioner’s view to the theoretical things that they’re bringing to the table.”
He explained that, in contrast to the private sector, public-sector organizations’ budget constraints encourage more creativity and compromise in solutions, such as the dual use of one tool to help solve multiple problems. But collaboration is key, he said, as people in the private sector are often building high-quality tools that can be leveraged in the public sector.
Toney’s experience at the Secret Service enabled a wide range of collaboration with people in the education and private sectors. In his current CISO role, he said a lot of communications with those outside state government involve a sales pitch of some kind. That was the appeal of this role with NSI at George Mason University: It is a not-for-profit organization that is not designed to sell any product.
“My time belongs to the state of Vermont,” Toney said, explaining this new role is a volunteer position with a small time commitment, so it will not hinder his ability to manage his duties as CISO.
Having been in the role for about six months, Toney said his work thus far has focused on making the state’s approach to security more proactive.
The CISO is working with the cybersecurity company NuHarbor Security to explore how AI can help the state better defend itself.
The state does have tools in place that use AI for threat detection. As he explained, AI is now largely embedded in all the technologies that vendors are looking to sell to the state, although the extent to which these tools are classified as AI varies. From a security standpoint, Toney emphasized the importance of ensuring the state’s data security when considering working with any vendor that claims to have AI built into their product. To resolve these questions, Toney said he works closely with Vermont Chief Data and Artificial Intelligence Officer Josiah Raiche.
AI’s impact on security is two-sided, Toney said. On one side, AI helps bad actors learn and target organizations more efficiently. The problem, then, is that the speed of threat detection has not increased at the same rate. Toney is looking to find AI-powered automations in other areas, like contract review processes, to free up employee time to detect and address cybersecurity risks like malware, for a more secure Vermont.