Montana CISO Shares State Security Actions and Priorities
By Dan Lohrmann, GovTech Magazine
Back in 2014, I first interviewed the technology and security leaders in “Big Sky Country” for this blog.
A lot has changed in the past six years, including the state’s government technology and security leadership. But what hasn’t changed is a focus on excellence and professionalism in public service that continues to surprise observers around the country.
Andy Hanks became the chief information security officer in Montana in January 2018, after spending almost 20 years in a variety of senior roles with IBM, including global security program manager and deputy sector compliance lead.
Mr. Hanks’ LinkedIn profile describes him as a “business-driven cybersecurity executive with 25 years of experience in information technology including 12 years in information security, a Master of Science in Information Systems, and multiple cybersecurity certifications. As Chief Information Security Officer for the State of Montana, Andy is responsible for managing and maturing Montana’s information security and data privacy programs to protect citizens' data and the state's IT assets. He partners with state and federal agencies to identify threats, mitigate vulnerabilities and reduce risks within the state; and he collaborates with cybersecurity leaders across the nation to develop and implement best practice security policies. Andy represents Montana's cybersecurity interests in the state Legislature, State Information Technology Managers’ Council and the State Information Technology Board. He is chair of the Montana Information Security Advisory Council, a member of the Multi-State Information Sharing and Analysis Center Executive Committee, and a member of the State, Local, Tribal and Territorial Government Coordinating Council.”
I first met Andy Hanks at a National Governors Association (NGA) event on cybersecurity in Shreveport, La., in 2019, and I was immediately impressed with his knowledge and humble, yet confident, demeanor. His compelling stories, funny answers and overall approach to management are unique and refreshing.
I was thrilled when Andy joined Debbi Blyth, CISO for Colorado, and Maria Thompson, chief risk officer in North Carolina, on a panel that I moderated for the North America International Cyber Summit last month.
On a side note, my family has visited Montana twice for vacations over the past two years, and Andy was very helpful and an advocate for Montana’s beautiful state in ways that others can learn from. (It helps that they have amazing national parks in Montana as well.)
Needless to say, I am delighted to bring you this exclusive interview with a national leader in cybersecurity, Montana CISO Andy Hanks.
Exclusive Interview Between Dan Lohrmann and Montana CISO Andy Hanks
Dan Lohrmann (DL): As a result of COVID-19, what are a few of the top challenges you’ve faced in 2020 in Montana regarding technology and cybersecurity?
Andy Hanks (AH): In 2019, Montana's 66th Legislature approved a $6.3 million cybersecurity investment to enhance the state’s cybersecurity posture. At the time, we were looking to reduce specific risks to the state, and we did not know that funding would prove crucial in securing a rapid transition to a remote workforce supporting digital government services to our citizens. This is a great demonstration of how investment in technology and security can drive additional business benefits, such as adaptability, flexibility and resiliency. The challenges we did have were increased sophistication of phishing emails and scams, rapid adoption of remote collaboration tools, and personally owned computers connecting to the state network.
DL: How did you overcome security issues associated with the pandemic?
AH: We increased our communication to state employees about phishing emails and scams, and we reinforced our processes for reporting these incidents. The low-tech social engineering attacks are always the hardest since they have greater potential to evade technical controls. We also increased our simulated phishing campaigns and security awareness training offerings to empower our front-line defenses: our employees. We started locking down remote collaboration tools at the state level, and ran into some issues supporting public meetings, which need to be open and easy to access. So we pivoted to defaulting to the most secure collaboration tool settings and gave agencies the ability to modify their settings based on meeting the business's need. With the rapid shift to remote work, some employees were using their home computers to connect to the state network with VPN; however, this introduced unnecessary risk to the state, so we implemented device posturing to ensure only devices with specific characteristics and security tools were allowed to connect to the state network with VPN.
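The device posturing Hanks describes is a fail-closed gate: a VPN client reports attributes about the endpoint, and the gateway admits only devices that prove enrollment, required agents, encryption and patch currency. The block below is an added illustration written for this article, not Montana's policy or tooling; the policy values (the example.gov management domain, the required agents, the 30-day patch window, the minimum OS versions) and the three posture reports are constructed assumptions. The point it shows that the sentence above does not is how missing or malformed attributes are treated: a personal computer that reports nothing, or reports "yes" instead of a boolean, is denied, not waved through.

```python
"""Added illustration of a fail-closed VPN device-posture gate (not Montana's actual policy).

A posture report is a dict the VPN client sends before the tunnel is allowed.
Attributes can be missing or malformed, and the gate fails closed on both.
"""
from datetime import date

# Assumed policy values for this illustration (hypothetical, not from the article).
MANAGED_DOMAIN = "example.gov"                  # hypothetical device-management domain
REQUIRED_AGENTS = {"edr", "patch_agent"}        # hypothetical required security tools
MAX_PATCH_AGE_DAYS = 30                         # assumed patch-currency window
SUPPORTED_OS = {"windows": (10,), "macos": (11,)}  # assumed minimum OS versions


def _parse_version(text):
    """'10.0.19041' -> (10, 0, 19041); returns None on garbage instead of raising."""
    try:
        return tuple(int(part) for part in str(text).split("."))
    except ValueError:
        return None


def evaluate_posture(report, today):
    """Return (allowed, reasons). An empty reasons list means every check passed."""
    reasons = []

    # Enrollment: an unmanaged (home) device never matches the management domain.
    if report.get("managed_domain") != MANAGED_DOMAIN:
        reasons.append("not enrolled in state device management")

    # Required agents: anything absent from the reported set is a failure.
    agents = set(report.get("agents_running") or [])
    missing = REQUIRED_AGENTS - agents
    if missing:
        reasons.append("required agents not running: " + ", ".join(sorted(missing)))

    # Disk encryption: only a literal True passes; None, "yes" or a missing key all fail.
    if report.get("disk_encrypted") is not True:
        reasons.append("disk encryption not confirmed")

    # Patch currency: an unparseable or missing date is "unknown", which is a denial.
    try:
        last_patch = date.fromisoformat(report.get("last_patch", ""))
    except (TypeError, ValueError):
        last_patch = None
    if last_patch is None:
        reasons.append("patch status unknown")
    elif (today - last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")

    # OS support: unknown OS, unparseable version, or a version below the floor all fail.
    os_name = str(report.get("os", "")).lower()
    version = _parse_version(report.get("os_version"))
    minimum = SUPPORTED_OS.get(os_name)
    if minimum is None or version is None or version < minimum:
        reasons.append("unsupported or unverified operating system version")

    return (not reasons, reasons)


TODAY = date(2020, 12, 1)  # constructed reference date for the samples below

STATE_LAPTOP = {  # constructed: managed, fully instrumented device
    "managed_domain": "example.gov",
    "agents_running": ["edr", "patch_agent"],
    "disk_encrypted": True,
    "last_patch": "2020-11-20",
    "os": "Windows",
    "os_version": "10.0.19041",
}
HOME_PC = {  # constructed: personally owned machine reporting almost nothing
    "agents_running": [],
    "disk_encrypted": "yes",
    "os": "Windows",
    "os_version": "7.1",
}
STALE_LAPTOP = {**STATE_LAPTOP, "last_patch": "2020-09-01"}  # constructed: managed but unpatched


if __name__ == "__main__":
    for name, report in (("state laptop", STATE_LAPTOP), ("home PC", HOME_PC), ("stale laptop", STALE_LAPTOP)):
        allowed, reasons = evaluate_posture(report, TODAY)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The design choice worth copying is that every check compares against an explicit expected value rather than testing for "not obviously bad": a client that omits a field, or that sends a string where a boolean belongs, collects a denial reason instead of slipping past a check that was never evaluated.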
DL: How big is the shortage of cyber talent in Montana? Are you finding the right people to fill key vacancies?
AH: The low supply and high demand in the cybersecurity job market makes it difficult to retain and recruit skilled and diverse cybersecurity staff. According to CyberSeek, there are about 600 open cybersecurity positions in Montana and 520,000 open cybersecurity positions in the U.S. I believe these numbers will trend higher each year as more organizations realize that cybersecurity is a business problem, and a strong cybersecurity staff is critical to compete in a global business market and global threat environment. In Montana, the Legislature allocated $2 million to retain and recruit skilled and diverse cybersecurity staff by increasing salaries and training budgets, and implementing flexible work. This has enabled us to retain existing staff and helped us recruit additional staff on the national job market. We still have five more positions to fill and are hopeful we will receive approval to increase salaries to competitively recruit cybersecurity talent on the national job market.
DL: Describe your resource situation. Is funding/budget a significant problem right now?
AH: As important as funding is, the most critical resource is our people. I have an amazing team, led by the Incident Response and Technical Security Bureau Chief James Zito and the Policy and Risk Management Bureau Chief Joe Frohlich. They have been integral in designing strategy and executing initiatives to achieve our goals. What we lack in budget, they make up for in effort. We are in a much better financial position than we were three years ago, but we still have significant challenges with budget. COVID-19 has not helped us; we have taken serious cuts in our budget because of the pandemic and are looking for other funding opportunities to help us achieve our strategic goals.
DL: What are your top cyberproject priorities for 2021?
AH: We are looking to optimize the information security management program by enhancing our existing capabilities and deploying new capabilities to protect citizens' data. We are implementing an enterprise GRC solution to enable security and technology leaders in every agency to get a real-time, holistic view of their risks and compliance status. This will automate much of our security assessment process, reducing effort and errors.
We are also enhancing our offensive security capabilities by increasing threat intelligence collection and analysis, and by hiring positions dedicated to pen testing and threat hunting. We are also focused on workforce development initiatives to ensure all public and private organizations in Montana have access to the skilled and diverse cybersecurity workforce they need to ensure the security, resiliency and prosperity of their businesses in an evolving global threat environment and a highly competitive cybersecurity job market.
Another focus is marketing the whole-of-state cybersecurity approach to enhance cybersecurity across Montana. I am looking for opportunities to partner with local government to demonstrate the value of state and local partnerships, that we are “stronger together.” This includes standing up a group called Montana CAREs, composed of the fusion center (the Montana Analysis and Technical Information Center), the National Guard and my team, which will offer communication, assessment, response and enhancement services to K-12 and other public institutions in Montana to help them strengthen their cybersecurity postures and to respond to cyberevents.
DL: How can security and technology vendors provide better help to Montana government and state and local governments around the country? Where are their blind spots?
AH: We cannot be successful without our vendors. We need more vendors to become our strategic partners. This means offering better licensing agreements that align with our biennial budget, offering finer granularity of their solutions, better integration with our existing technologies, and utilizing open source or standard data models.
The “everything but the kitchen sink” model does not work for us most of the time; we need finer granularity of solutions to integrate with our existing security tools. Vendors should use other states as their references, since states talk to each other all the time about their products and services. Before I make a purchase, I talk to multiple states about their satisfaction with the product or service, as well as their experience with the vendor after the purchase. I weigh another state’s reference more than anything else.
DL: You come from an interesting background. What led to you becoming the Montana CISO?
AH: I got into programming in 6th grade and wrote programs for friends and neighbors; but I hadn't considered programming as a career choice until years later. I wrote a program for the retail store I was working at, and it got to the corporate office; someone from the IT department came out to the store to visit me and recommended that I go to college for computer science. I went to Delaware Technical Community College for an associate degree and then went to Drexel University for a bachelor's degree. Drexel has a world-class co-op program, and that is where IBM hired me to code Y2K fixes on the mainframe.
Not a lot of the co-ops they were interviewing had mainframe experience, so my 30-minute interview turned into a four-hour interview with multiple managers, a job offer and a $20 parking ticket. The hiring manager told me it would be worth it, and he was right. IBM let me change jobs every two or three years, so I got to work in different technical fields, with many customers, in multiple industries.
During that time, I got to see security from various perspectives and the more I learned about it, the more I wanted to try it. The best transition point for me into IBM’s Security, Audit, and Risk Management organization was as an information system auditor, but that meant taking a demotion. The hiring manager again told me it would be worth it, and he was again right. I learned a lot working at IBM, but eventually I became so comfortable in my role that it no longer challenged me enough to grow. I started looking for a challenge outside of IBM, somewhere I could go to make a meaningful contribution.
My wife had lived in Montana previously, and got her doctorate from Montana State University, and we had vacationed there and loved it; so I applied to the CISO position as soon as I saw it. It has been a great experience and I enjoy public service more than anything I have ever done before. I get to leave my office every day knowing that I have made a difference for my fellow citizens.
DL: Any career stories that you can share about lessons learned as a government leader?
AH: The most important lesson I have learned in state government is that I will always be learning lessons in state government.
One of my favorite stories is the day I interviewed for the CISO position. After my interview, the CIO invited me to the CTO’s house for a work party, and I got a chance to talk to some of the employees and their spouses. I spent a lot of time with Ed Sivils, the data center facilities supervisor, and his wife. Ed told me that they had just had an audit in the data center, and one of the auditors commented that the new locks they had just installed on the server cabinets were nice, but there were better, more secure locks available. Ed replaced the locks as soon as he could with the more secure locks.
I knew at that moment that security in the state of Montana was a shared responsibility, that every employee thought about how they could do their part to enhance security. That is something all CISOs want to see, and I called my wife on the way back to the hotel that night and told her I wanted the job.
DL: Thank you Andy for sharing your interesting stories from Montana and IBM and for your wider insights on cybersecurity nationwide. Greatly appreciated!
You can learn more about Andy Hanks’ team here. The website also includes contact information and a listing of the members in his excellent team.
Note to readers: In the upcoming year, I plan to do more CISO interviews with top infrastructure cyberleaders from state governments, large cities and counties. While I have several already planned, interested government CISOs, CTOs and CIOs can reach out to me via LinkedIn for a discussion.