Andy Hanks, who had filled the Montana CISO position since 2018, has moved on to a new role as senior director of cybersecurity advisory services for the Center for Internet Security, a nonprofit with a mission to help people, businesses and governments protect themselves against cyber threats.
At CIS, Hanks will be leading a new program to provide strategic cybersecurity advisory services for agencies that can’t afford a full-time CISO or third-party advisory service. He’ll be working with small local and tribal governments, election offices and schools.
“Andy comes to us with an impressive track record of building impactful security initiatives as a state CISO, and we look forward to leveraging his expertise for the benefit of the U.S. state, local, tribal and territorial governments and election organizations nationwide,” said Tom Michelli, CIS executive vice president and general manager of operations and security services.
According to a Montana SITSD spokesperson, the CISO position is posted, and an interim CISO is in place to oversee the essential functions of the office.
“Andy Hanks accepted a new position, which is an outstanding opportunity for his career. While we are sad to see him go, we understand and support his decision to pursue this exciting new chapter in his professional journey,” Megan Grotzke, communications director for the Montana Department of Administration, wrote in an email.
Before joining SITSD, Hanks worked in the private sector for nearly 20 years in several senior roles with IBM, including global security program manager. He shared his goals for the future working with small governments through his new position at CIS in a written Q&A with Government Technology.
Government Technology: What lessons have you learned from working in the Montana CISO role that you plan to utilize in your new position to help other states increase their cybersecurity?
Andy Hanks: Coming from the private sector, most of the lessons I learned as a state CISO were taught by limited resources. Though state governments typically have more resources than local governments, these particular lessons scale beautifully. One of the things I learned was how much more important strategic planning and governance become when you have limited resources. Strategic planning ensures your security initiatives are aligned with business objectives in the current threat environment. Governance ensures your resources are efficiently and effectively allocated to provide the most value. If you don’t have a lot of resources, then you’d better put them where the business needs them the most.
GT: While working for CIS, you’re going to be working on a program to provide cybersecurity advisory services for underserved state, local, tribal and territorial governments and election offices. What do you think will be your biggest challenges when it comes to transitioning from a single state role to one that covers a broad array of government agencies across the country?
Hanks: The first challenge will be creating an intake process that triages requests for the cybersecurity advisory service and prioritizes those with the most need. Another challenge is that every organization will have their own business, culture and technology environment, which will require some tailoring. The final challenge will be to scale the critical infrastructure baseline security program effectively to increase capacity and bandwidth.
GT: How do your experience and knowledge prepare you to work with small local governments?
Hanks: My experience working with local government, clinics and hospitals, K-12 schools, and colleges and universities across Montana for almost six years taught me those with the least resources have the most need for a CISO or an advisory service. A few years ago, my team discovered a post from a local government IT manager on a public forum about a potential security incident. It was his first job in IT, he didn’t have any employees, he didn’t know anything about security, and he didn’t know who to call for help. His desperate plea struck a chord with me and is one of the reasons we are developing this program.
GT: What are you most excited about for this new position and era you’re starting?
Hanks: I am most excited about making a meaningful contribution to our nation’s security posture. I get to partner with my coworkers at the Center for Internet Security; my colleagues at the Cybersecurity and Infrastructure Security Agency; and my network of private-sector CISOs, state and local government CISOs and other security experts across the country to enhance the security and resiliency of our SLTT governments and elections … somebody pinch me.
GT: What highlights from your time in the Montana CISO position would you like to share that might be interesting or inspirational for others in similar roles?
Hanks: One of the first projects we completed after I started as CISO was installing behavior-based antivirus on all of our endpoints. That effort was the cornerstone of our ransomware defense strategy and as a bonus provided security with holistic visibility across the enterprise.
One of the last projects we completed before I finished as CISO was conducting a zero-trust maturity assessment that created the road map for the next three to five years of zero-trust initiatives which will move the state to a data-centric security model. In between, there were many other projects and behind all of them were some of the best people I ever had the pleasure to work with.