Five state and local chief information security officers reveal how they came to government IT work, the essential traits of an effective CISO and what they’re doing to shore up cyberdefenses in unprecedented times.
When Andy Hanks decided to find a position that would allow him to make a meaningful impact using his technical, security and business experience, he did not have his sights set on the public sector. That said, he has no regrets. “I was not specifically looking for a job in state government, but when I saw the state of Montana CISO job, I knew it was exactly what I wanted to do,” he said.
Hanks, who started programming at 13 years old, began as a mainframe programmer at IBM after earning a computer science degree. In this role, he worked in technology on the Y2K program. But as he constantly saw “security from multiple domain perspectives and leadership levels,” he wanted to transition. After hearing from a hiring manager about cybersecurity, its complexity and its growing importance, he made the move — and advanced professionally.
What attracted Hanks to his current role was the state’s mission: “to protect citizens’ data.”
“As a state employee,” Hanks said, “my customer is my family, my friends and my neighbors. I only need to look around at the people I see in the restaurants, bars and parks to be reminded of the importance of our mission.”
While he enjoys the meaningful contribution he makes to his state and its citizens, he remains aware of the present and future challenges that can affect it: “Cybercriminals ransoming our citizens’ data, nation-states attacking our elections, unfunded mandates stretching tight budgets and emerging technology outpacing our ability to protect,” he said. However, the biggest threat, he explained, is the lack of talent. “The United States currently has a shortage of 500,000 cybersecurity workers,” Hanks noted. “Educating and hiring the next generation of cybersecurity workers should be a priority at the local, state and national levels.”
It is a top priority for Hanks and his team. “In Montana, we are focused on multiple initiatives to retain and recruit highly skilled cybersecurity staff, to increase diversity so we can match the diverse perspectives of our attackers and approach complex problems from multiple viewpoints, to build a workforce talent pipeline by partnering with K-12, college and university education institutions, the military, and the nonsecurity workforce looking to retrain into cybersecurity.”
Altogether, public-sector CISOs must have a background of expertise and experience to handle such challenges. “CISOs don’t need to be experts in business and security and technology,” Hanks said. “They just need to be experts in balancing the perspectives of all three.”