Vermont has a new permanent chief information security officer in Scott Carbee, who has served as the state’s interim CISO twice over a span of two years.
Vermont CIO John Quinn announced Friday that Carbee, who worked in cybersecurity for the Vermont Army National Guard before entering the public sector in 2015, would be promoted, thus marking the end of Carbee’s second stint as interim CISO. Carbee’s second tenure in that position began in August when Nicholas Andersen left Vermont to join the Trump administration.
Carbee’s experience in Vermont’s Agency of Digital Services (ADS) made him a logical appointment for the “critical post” of state CISO, Quinn stated in a press release.
Carbee told Government Technology that he is uniquely suited for the role, understanding that the influence that leaders in Vermont can have on general security awareness is an important nuance of the job, which is nested within a centralized IT structure.
“Knowing who the influencers are and how to talk to them to make sure that they are sort of on the same sheet of music as you are is something you can’t just walk in the door and pick up,” Carbee said.
A state CISO must constantly balance what is going on behind the scenes and what is being done out front. Carbee said this balance involves matching the state’s “pace of innovation,” which can create anxiety in staff and technical users alike, with “equal measures of usability and security.”
One way that Vermont attempts to achieve this balance is with its security operations center. The center was established last year as part of a partnership between ADS and Norwich University, Carbee’s alma mater.
Carbee said the center helps the two organizations better understand their respective expertise in cybersecurity. ADS brings operations and frontline experience to the table, while the university offers academic research, knowledge of methods that ADS may not know about and a pool of students with the latest education under their belts.
“Our two organizations make a stronger program that also helps us produce the next generation of state security personnel,” Carbee said.
Vermont has also made strides with its statewide cybersecurity strategy, Carbee said. Gov. Phil Scott ordered the creation of a team that includes advisers from different realms, such as critical infrastructure and health information. The team is lean at 10 members so that strategic principles for the state can be generated efficiently.
Much has changed in cybersecurity since Carbee entered the field decades ago. While today most cybersecurity programs “are or should be” driven by policy, there wasn’t a lot of direction about organizational risk or educating users about their responsibilities back when Carbee was learning the intricacies of the field. The key to managing security in a modern world, where cyberattacks on governments are more common, is identifying a clear picture of an organization’s cybersecurity strategy and revising it accordingly.
“When I first took classes in the discipline … they were much more interested in the minutiae of system configuration and access control,” Carbee said.