1. How does your legal background help you in your role?
Legal education has given me an ability to look at every issue from a research perspective. Research and analysis are some of the greatest skills you get from law school and practice. Those skills have allowed me to take a deep dive into understanding the regulatory environment for different data classifications and for understanding what federal and state regulators or audit bodies are looking for.
As an antitrust lawyer, I also understand the nuances of the vendor community. We rely so heavily on our security partners, and we have a robust third-party risk program. Being able to delve deeper into those details as well has been inspired by my legal background.
2. How is Massachusetts reducing its known exploitable vulnerabilities?
A little over a year and a half ago, we started to focus on investing our time, resources and people in what I call bending the curve of vulnerabilities — specifically critical and high vulnerabilities that pose the greatest threats to the applications and infrastructure we manage. The governor’s cabinet and all the cabinet secretaries reinforced their messaging about how important it is for their technology teams to work with our office on this. We were really able to formulate an organized approach to reducing critical vulnerabilities across the enterprise.
Our Secretary [of the Executive Office of Technology Services and Security] and CIO Jason Snyder really set the tone at the top. We took a whole-of-state approach, incorporating the legislative and judicial branches as well. Then we created a CISO Council populated by risk- and security-minded professionals across the state government landscape, as well as quasi-government agencies. We wanted to open the door to get as many people that are doing this work together to think it through, talk about it, and advance our strategy to reduce risk and critical vulnerabilities.
3. Do you work with local and county governments?
What we did with our CISO Council across the executive branch we also did regionally with a body we call the Municipal CISO Council. It brings together all of the security- and risk-minded professionals in our state at the local levels, and they meet on a fairly regular basis. We’ve also started holding annual — and possibly now even biannual — conferences that bring together municipalities to focus on success stories, threat intelligence and where we think proper cyber investments need to be made over the coming years.
4. What new threats are states facing?
There are now more AI-enabled threats. There’s an internal risk, and that is employees that are downloading any kind of AI tools without those tools having been approved for their use, despite our best efforts to provide guidance and policies around that practice. There’s a risk of government data being used or collected by these third-party AI tools that may not have been approved by an organization’s leadership.
The other AI-enabled threats are on the external side. It’s becoming easier for threat actors to utilize ChatGPT, for example, and to develop some type of campaign that gives a step-by-step road map on what to do to try to exploit a victim organization. That information is getting into the wrong people’s hands, and it’s becoming more accessible. And then, certainly, we’re looking around the corner to how quantum computing can escalate cybersecurity threats.
This story originally appeared in the Spring 2025 issue of Government Technology magazine.