After holding the title of chief information security officer in Montana for more than five years, Andy Hanks last week departed the role to start this week at the Center for Internet Security, where he’s the senior director of cybersecurity advisory services.
During his tenure as CISO, Hanks oversaw Montana’s security initiatives, strategy and programs for state agencies as part of the State Information Technology Services Division. He also helped to cement the CISO position in state statute with this year’s passage of Senate Bill 50, which expanded the role to include advising school districts and city, county and tribal governments on cyber practices.
In an interview with StateScoop, Hanks reflected on how cybersecurity in Montana evolved during his tenure and how he hopes to boost the cybersecurity of all states through his new role.
Hanks served as the top cyber official in Big Sky Country starting in January 2018, and in that time, there was a lot of change in the cyber field. The biggest change, he said, is the increased prevalence of ransomware, which has led to a mass shift toward the zero-trust security model within government operations over the last several years.
“You don’t need a lot of technical skills anymore to launch multimillion-dollar ransomware attacks,” Hanks said. “And the attacks have become a lot more persistent. Threat actors can be in your network for 287 days before you can detect and contain them — that’s a long time for someone to be in your network.”
The increased persistence and sophistication of these attacks, Hanks said, have also made it necessary to train the cyber workforce in-house. Under his leadership, the department expanded its training budget for the cybersecurity team, which Hanks said increased workforce retention.
“There’s a huge shortage of skilled and diverse cybersecurity talent out there right now, and the cybersecurity job market is highly competitive. It’s high demand, low supply,” he said. “So we need to, as a nation, build a skilled and diverse cybersecurity talent pipeline in this country to defend our local businesses from global threats, but to also defend national security and financial security of the country.”
Additionally, Hanks said, creating entry-level cyber positions is important for cultivating and maintaining the workforce, and it’s something he helped to make happen in Montana. As he was leaving the office for the last time on Friday, Hanks said, Montana posted its first entry-level cybersecurity position that does not require any prior experience.
Learning curve
Even though he took on Montana’s CISO role with 25 years of experience in the private sector, including time at IBM as a global security program manager, Hanks told StateScoop there still was a learning curve that came with the office. In fact, he said, he didn’t know what a state CISO did prior to starting the job.
“I thought that I was going to come in there and it was going to be no problem at all, that I’d be able to do a great job with all the experience I had. And I quickly learned that I was in over my head,” Hanks said, adding that he leaned heavily on resources available to him for both support and guidance.
The National Association of State Chief Information Officers was particularly helpful as a resource, Hanks said. He also mentioned Arnold Kishi, a senior adviser to Hawaii’s Office of Enterprise Technology Services and current chair of CIS’s Multi-State Information Sharing and Analysis Center, or MS-ISAC, who served as his mentor.
“The CISO community is strong. They are very close. State CISOs talk to each other almost every day,” Hanks added. “There’s only 52 or 54 people in the world that do what state CISOs do, that know what they know, that understand the stresses and challenges that they face every day. And so that community is part therapy and part information sharing.”
What’s next
In his new role at the Center for Internet Security, Hanks said his main task will be building a program to provide cybersecurity advisory services for underserved state, local, tribal and territorial governments and election offices.
“We’re going to be focusing on providing strategic advisory services to those that can’t afford a full-time CISO and those that can’t afford a third-party advisory service,” Hanks said. “So basically the smallest like K-12, the smallest local governments or tribal governments or the smallest election official offices that have no resources, but that this nation depends on. … It’s going to be very exciting.”
His excitement about the new position would not be possible without the confidence he has in the team he’s leaving behind, he said. With funding secured through this year’s legislative season, Hanks said, the Montana cyber team will be executing several enhancement projects, including zero-trust efforts. The most important project, however, will be consolidating cybersecurity for the state’s executive branch agencies.
“I know the team that’s there right now, and I know that they’re going to be successful,” Hanks continued. “As a Montana citizen, I’m very happy that that’s the team that’s protecting my data.”